What is tcpdump?

Say I make a DNS request:

$ dig +short @ google.com

What went over the network? We can find out with a program called tcpdump! tcpdump is a command-line program which can prints everything that goes over a network interface on a UNIX box. Let’s see an example, getting all DNS traffic. DNS requests go over UDP port 53. We ask tcpdump for this using the expression udp and port 53:

$ sudo tcpdump -n 'udp and port 53'
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pktap, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
23:21:50.909488 IP > 61163+ [1au] A? google.com. (39)
23:21:50.929583 IP > 61163 1/0/1 A (55)

The output shows exactly two UDP packets. One for the DNS request, the next for the response.

You’ll notice that tcpdump is terribly named! It does not just dump TCP; it can dump all manner of network activity: UDP, IP, ICMP, Ethernet, and many others.

Tagged #programming, #unix.

Similar posts

More by Jim

👋 I'm Jim, a full-stack product engineer. Want to build an amazing product and a profitable business? Read more about me or Get in touch!

This page copyright James Fisher 2018. Content is not associated with my employer. Found an error? Edit this page.