# Working with TCPDump

This utility intercepts and collects the packets arriving at and leaving the server.

## TCPDump installation

For Ubuntu/Debian:

```
apt install tcpdump
```

For Red Hat / CentOS:

```
sudo yum install tcpdump
```

## Command arguments

{% hint style="info" %}
**-c** — stops the capture once the specified number of packets has been collected.

**-C** — sets the maximum size of the dump file; when it is reached, a new file is started.

**-e** — prints link-level information for each processed packet.

**-F** — takes the packets from the specified file rather than from an interface.

**-f** — displays the domain name for each IP address.

**-G** — starts a new dump file after the specified time interval.

**-H** — restricts TCPDump to processing 802.11s headers only.

**-i** — the name of the interface to capture packets from. To capture on all interfaces of the server, use the value **any**.

**-I** — enables monitor mode on the specified interface (to capture all passing packets).

**-E** — decrypts IPsec traffic (the decryption key must be supplied).

**-K** — disables packet checksum verification.

**-L** — lists the connection protocols supported by the specified interface.

**-n** — does not resolve addresses to host names.

**-nn** — prints addresses together with their ports.

**-q** — quiet mode: prints less information about each packet.

**-tttt** — prints the timestamp of each packet in the standard format.

**-v, -vv, -vvv** — increasingly detailed packet information.

**-Z** — more detailed display of packet information.

**-w** — the name of the file the dump is written to (without this argument the dump is printed in real time and not saved to a file).
{% endhint %}

## Usage

To avoid cluttering the dump with unrelated packets, capture from the one interface you are interested in rather than from all of them. The list of available interfaces is shown by:

```
tcpdump -D
```

<figure><img src="/files/9frYFykpQTJR1TAF7RNO" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
On our **virtual servers (VDS)**, the main network interface is **ens3.**
{% endhint %}

To display the logs of our network interface in real time, use the command:

```
tcpdump -i ens3
```

{% hint style="warning" %}
Don’t forget that **TCPDump** requires root rights, so you should run these commands as root or by using **sudo**.
{% endhint %}

After running the command you will see a fast-scrolling stream of lines; to stop the capture, press `Ctrl + C`.

{% hint style="info" %}
A captured packet is printed roughly like this:

`22:31:56.330185 IP fsn.spacecore.network.65383 > fsn.spacecore.network.ssh: Flags [P.], seq 7841:7905, ack 10730080, win 6145, length 64`

Packets of other protocols have a different internal layout, so the line looks different for them.
{% endhint %}

To see more information about each packet, add the `-v` argument:

```
tcpdump -i ens3 -v
```

{% hint style="info" %}
Each packet is now printed with a fuller structure:

`22:36:42.254306 IP (tos 0x0, ttl 122, id 61139, offset 0, flags [DF], proto TCP (6), length 104) fsn.spacecore.network.65383 > fsn.spacecore.network.ssh: Flags [P.], cksum 0x2699 (correct), seq 321:385, ack 1027616, win 6141, length 64`

The additional fields describe the **IP** header of the packet:

`IP (tos 0x0, ttl 122, id 61139, offset 0, flags [DF], proto TCP (6))`
{% endhint %}

## Filtering argument

An equally powerful feature is the filter expression, which lets us select packets by the following parameters:

{% hint style="info" %}
**host** — host name.

**ip** — IP address.

**port** — port.

**proto** — protocol.

**net** — network or subnet address.

**src** — source.

**dst** — destination.

Available protocols: **tcp**, **udp**, **icmp**, **arp**, **rarp**, **decnet**, etc.

These arguments can also be combined.
{% endhint %}

For example, we can view all packets that our server sends to a given destination address:

```
tcpdump dst 192.168.1.1
```

Conversely, all packets sent to our server from a source subnet (a specific **IP address** can be used instead, as in the example above):

```
tcpdump src net 192.168.1.1/24
```

You can also filter packets by size:

```
tcpdump less 48      # packets of 48 bytes or less
tcpdump greater 128  # packets of 128 bytes or more
```

Let’s say you have several **Garry’s Mod** servers on different ports and you want to check whether they are currently under a **DDoS attack**. The following command will do:

```
tcpdump -nnv udp src portrange 27015-27025 -w garrysmod.dump
```

{% hint style="warning" %}
Note the port range specified in the filter.

Because of **-w**, the dump is written to the **garrysmod.dump** file rather than printed to the screen.
{% endhint %}
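To make the output format shown in the two hints above and the Garry’s Mod check concrete, here is an added Python example that is not part of the original page. It parses tcpdump text lines of the shape the page shows (plain and `-v` output) into structured records, then applies the idea behind the DDoS check: counting UDP packets per source that are aimed at the 27015-27025 port range, so that one source sending far more than the others stands out. The sample lines are constructed for this example (the first two copy the page’s output, the rest are invented `-nn` lines using documentation addresses), the `Packet` fields and the function names are this example’s own, and it assumes tcpdump’s default timestamps (no `-tttt`). In practice you would feed it real output, for example `tcpdump -nn -r garrysmod.dump` piped into the script.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of tcpdump text output (not a real capture). The first two
# lines copy the shape of the page's examples (plain and "-v"); the rest imitate
# "tcpdump -nn" lines for UDP traffic aimed at a game server's ports.
SAMPLE_LINES = """\
22:31:56.330185 IP fsn.spacecore.network.65383 > fsn.spacecore.network.ssh: Flags [P.], seq 7841:7905, ack 10730080, win 6145, length 64
22:36:42.254306 IP (tos 0x0, ttl 122, id 61139, offset 0, flags [DF], proto TCP (6), length 104) fsn.spacecore.network.65383 > fsn.spacecore.network.ssh: Flags [P.], cksum 0x2699 (correct), seq 321:385, ack 1027616, win 6141, length 64
22:40:01.000001 IP 203.0.113.5.40000 > 198.51.100.10.27015: UDP, length 1200
22:40:01.000052 IP 203.0.113.5.40001 > 198.51.100.10.27015: UDP, length 1200
22:40:01.000090 IP 203.0.113.5.40002 > 198.51.100.10.27016: UDP, length 1200
22:40:01.000133 IP 203.0.113.5.40003 > 198.51.100.10.27015: UDP, length 1200
22:40:01.200000 IP 198.51.100.77.53000 > 198.51.100.10.27015: UDP, length 36
22:40:01.300000 IP 198.51.100.77.53000 > 198.51.100.10.27100: UDP, length 36
""".splitlines()

# One tcpdump line: "<time> IP [(<-v header>)] <src> > <dst>: <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?:\((?P<hdr>tos .*?, length \d+)\) )?"   # the parenthesised header only appears with -v
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$"
)
HDR_RE = re.compile(r"ttl (?P<ttl>\d+), id (?P<id>\d+), .*proto (?P<proto>\w+) \(\d+\)")


@dataclass
class Packet:                 # field names are this example's own
    ts: str
    src_host: str
    src_port: str             # numeric, or a service name such as "ssh" when names are resolved
    dst_host: str
    dst_port: str
    proto: str
    length: int               # the payload length tcpdump prints at the end of the line
    tcp_flags: Optional[str] = None
    ttl: Optional[int] = None
    ip_id: Optional[int] = None


def split_endpoint(endpoint: str):
    """'host.port' -> (host, port). The port is whatever follows the last dot,
    which works for dotted host names as well as IPv4 addresses."""
    host, _, port = endpoint.rpartition(".")
    return host, port


def parse_line(line: str) -> Optional[Packet]:
    """Parse one tcpdump line; returns None for lines that are not IP traffic."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src_host, src_port = split_endpoint(m["src"])
    dst_host, dst_port = split_endpoint(m["dst"])
    rest = m["rest"]
    length_m = re.search(r"length (\d+)$", rest)
    flags_m = re.search(r"Flags \[([^\]]*)\]", rest)
    ttl = ip_id = None
    proto = "OTHER"
    hdr = HDR_RE.search(m["hdr"]) if m["hdr"] else None
    if hdr:                                   # -v output names the protocol explicitly
        proto, ttl, ip_id = hdr["proto"], int(hdr["ttl"]), int(hdr["id"])
    elif rest.startswith("UDP"):              # plain output: infer it from the tail
        proto = "UDP"
    elif flags_m:
        proto = "TCP"
    return Packet(m["ts"], src_host, src_port, dst_host, dst_port, proto,
                  int(length_m[1]) if length_m else 0,
                  flags_m[1] if flags_m else None, ttl, ip_id)


def parse_lines(lines) -> List[Packet]:
    return [p for p in (parse_line(l) for l in lines) if p]


def in_port_range(port: str, lo: int, hi: int) -> bool:
    return port.isdigit() and lo <= int(port) <= hi


def udp_sources_to_ports(packets, lo: int, hi: int) -> Counter:
    """Count UDP packets per source host aimed at destination ports lo..hi."""
    return Counter(p.src_host for p in packets
                   if p.proto == "UDP" and in_port_range(p.dst_port, lo, hi))


def suspected_flood_sources(counts: Counter, threshold: int) -> List[str]:
    """Sources with at least `threshold` packets in the capture, busiest first."""
    return [host for host, n in counts.most_common() if n >= threshold]


def length_filter(packets, greater=None, less=None) -> List[Packet]:
    """Mirror tcpdump's inclusive 'greater N' (len >= N) and 'less N' (len <= N),
    applied here to the payload length printed in the line."""
    return [p for p in packets
            if (greater is None or p.length >= greater)
            and (less is None or p.length <= less)]


if __name__ == "__main__":
    pkts = parse_lines(SAMPLE_LINES)
    counts = udp_sources_to_ports(pkts, 27015, 27025)
    print(counts)
    print("suspected flood sources:", suspected_flood_sources(counts, threshold=3))
```

The threshold is deliberately a parameter: on a real server you would compare the per-source count against the normal client rate for your game ports rather than against a fixed number. Note that `length_filter` keeps tcpdump’s inclusive bounds, so `less 48` matches packets of exactly 48 bytes too.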

## Extended operators

In addition, **TCPDump** has logical operators for combining filter arguments.

{% hint style="info" %}
**and** or **&&** (the «AND» operator)

**or** or **||** (the «OR» operator)

**not** or **!** (the «NOT» operator)
{% endhint %}

Suppose we want to print all MySQL traffic that 192.168.1.1 sends to port 3306 (on any destination address):

```
tcpdump -nnv src 192.168.1.1 and tcp dst port 3306
```

## Conclusion

Thanks for reading! We have looked at TCPDump in detail: a very useful tool that is an integral part of a network engineer’s work and is just as handy for ordinary users.

On **Windows** you can use [Wireshark](https://www.wireshark.org/) to read packet captures.

