Packet captures with tcpdump

Tcpdump is a popular network analyzer. It's pre-installed on many Linux distributions and can be installed on most Unix-like operating systems, like macOS. You can easily capture and monitor network traffic such as TCP, IP, ICMP, and many more.

Tcpdump is a command line tool. This means that it does not have a graphical user interface. Earlier in the program, you learned that the command line is a very powerful and efficient tool, and we'll practice using it together. With tcpdump, you can apply options and flags to your commands to easily filter network traffic so that you can find exactly what you're looking for. You can filter for a specific IP address, protocol, or port number.

Let's examine a simple tcpdump command used to capture packets. Keep in mind that your computer's traffic may appear different when you use this command. At first glance, this looks like a lot of information. Let's examine it line by line.

The command we ran is: sudo tcpdump -i any -v -c 1. We're using sudo because the Linux account we're logged in on doesn't have the permission to run tcpdump. Then, we specify tcpdump to start tcpdump and -i to specify which interface we want to sniff traffic on. The -v stands for verbose, which displays detailed packet information. The -c stands for count, which specifies how many packets tcpdump will capture. Here we've specified one.

Now let's examine the output. Tcpdump has told us that it's listening on any available network interface, and it's also given us additional information, like the capture size. The first field is the packet's timestamp, which records the specific time the packet was captured. It begins with hours, minutes, seconds, and fractions of a second. Timestamps are especially helpful during an incident investigation when you want to determine timelines and correlate traffic. Next, the Version field is listed as IP, which means it's IPv4.

The verbose option has given us more details about the IP packet fields, such as protocol type and the length of the packet. Let's check it out. The first field, ToS, stands for Type of Service. Recall that this tells us if certain packets should be treated with different care. This is represented by a value in hexadecimal. The TTL field is Time to Live, which tells us how long a packet can travel across a network before it gets dropped. The next three fields are Identification, Offset, and Flags, which provide information relating to fragmentation. These fields provide instructions on how to reassemble packets in the correct order. For example, the DF beside flags stands for Don't Fragment. Next, proto is the Protocol field. It specifies the protocol in use and also provides us with the value that corresponds to the protocol. Here the protocol is tcp, which is represented by the number 6. The last field, length, is the Total Length of the packet, including the IP header.

Next, we can observe the IP addresses that are communicating with each other. The direction of the arrow indicates the direction of the traffic flow. The last number appended after each IP address is the port number or service name. Next, the cksum or checksum field corresponds to the Header Checksum, which stores a value that's used to determine if any errors have occurred in the header. Here, it's telling us it's correct with no errors.

The remaining fields are related to TCP. For example, Flags indicate TCP flags. The P is the push flag, and the period indicates it's an ACK flag. This means that the packet is pushing out data.

This is just one of many commands you can use in tcpdump to capture network traffic. Isn't it fascinating to observe all the information contained within these invisible packets? Go ahead and try it out for yourself!
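To make the field walkthrough above concrete, here is an added example (not part of the lecture, and not tcpdump's own code) that parses one verbose IPv4/TCP record into the fields just described: timestamp, ToS, TTL, id/offset/flags, proto with its number, total length, endpoints, checksum state, and the decoded TCP flag letters. The sample record is constructed, and the regular expressions assume the two-line layout shown in the lecture for an IPv4/TCP packet.

```python
import re

# Constructed sample of one packet as printed by `sudo tcpdump -i any -v -c 1`
# (addresses and values are made up; this is not a real capture).
SAMPLE = (
    "14:35:22.123456 IP (tos 0x0, ttl 64, id 54321, offset 0, flags [DF], proto TCP (6), length 52)\n"
    "    192.168.1.10.43210 > 93.184.216.34.443: Flags [P.], cksum 0x1a2b (correct), "
    "seq 1:13, ack 1, win 502, length 12\n"
)

# Line 1: timestamp, then the IPv4 header fields that -v prints. The optional group
# skips the interface/direction columns newer tcpdump versions add with -i any.
IP_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)(?:\s+\S+\s+\w+)?\s+IP \(tos (?P<tos>0x[0-9a-f]+), "
    r"ttl (?P<ttl>\d+), id (?P<id>\d+), offset (?P<offset>\d+), flags \[(?P<flags>[^\]]*)\], "
    r"proto (?P<proto>\w+) \((?P<proto_num>\d+)\), length (?P<length>\d+)\)$"
)
# Line 2: "src.port > dst.port: Flags [...]" followed by the optional cksum field.
TCP_LINE = re.compile(
    r"^\s*(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\w+) > (?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\w+): "
    r"Flags \[(?P<tflags>[^\]]*)\](?:, cksum (?P<cksum>0x[0-9a-f]+) \((?P<ckstate>\w+)\))?"
)
# tcpdump's one-character TCP flag codes; the period stands for ACK.
TCP_FLAG_NAMES = {"S": "SYN", "F": "FIN", "P": "PSH", "R": "RST", ".": "ACK",
                  "U": "URG", "E": "ECE", "W": "CWR"}


def decode_tcp_flags(code):
    """Expand a flag string such as 'P.' into ['PSH', 'ACK']."""
    return [TCP_FLAG_NAMES.get(ch, ch) for ch in code]


def parse_packet(text):
    """Parse one verbose IPv4/TCP record into a dict; raise ValueError if it does not match."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    ip = IP_LINE.match(lines[0]) if len(lines) > 1 else None
    tcp = TCP_LINE.match(lines[1]) if ip else None
    if tcp is None:
        raise ValueError("not a tcpdump -v IPv4/TCP record")
    return {
        "timestamp": ip["ts"], "tos": int(ip["tos"], 16), "ttl": int(ip["ttl"]),
        "id": int(ip["id"]), "offset": int(ip["offset"]),
        "dont_fragment": "DF" in ip["flags"].split(","),
        "protocol": ip["proto"], "protocol_number": int(ip["proto_num"]),
        "total_length": int(ip["length"]),
        "src": (tcp["src"], tcp["sport"]), "dst": (tcp["dst"], tcp["dport"]),
        "tcp_flags": decode_tcp_flags(tcp["tflags"]),
        "cksum_ok": (tcp["ckstate"] == "correct") if tcp["ckstate"] else None,
    }
```

Calling parse_packet(SAMPLE) returns the fields as typed values, which is the shape you want when correlating timestamps and endpoints across many packets during an investigation; IPv6 records use a different header layout and are rejected with ValueError.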