tcpdump Packet Capture

tcpdump cheatsheet — capture and inspect network packets. tcpdump -i eth0, tcpdump port 80, tcpdump host 10.0.0.1, tcpdump -w capture.pcap. Debug network traffic from command line.


What it is

tcpdump is a command-line packet analyzer that lets you capture and inspect network traffic on your system in real-time. You reach for it when you need to understand what’s happening on the network, debug connectivity issues, or analyze traffic patterns.

Installation

Linux

sudo apt update && sudo apt install tcpdump  # Debian/Ubuntu
sudo yum install tcpdump                  # CentOS/RHEL/Fedora

macOS

brew install tcpdump

(Note: macOS includes tcpdump by default, but Homebrew can provide a more recent version.)

Windows

tcpdump is not natively available on Windows. The closest equivalent is WinDump, which is a port of tcpdump for Windows.

# Download WinDump from the official website: https://www.winpcap.org/windump/
# After downloading, run the installer.
# You can then run windump.exe from the command prompt.

Core Concepts

  • Packet: The fundamental unit of data transmitted over a network. tcpdump captures these packets.
  • Interface: A network connection point on your machine (e.g., eth0, en0, wlan0). tcpdump needs to know which interface to listen on.
  • Filter Expression: tcpdump uses a powerful Berkeley Packet Filter (BPF) syntax to specify which packets to capture, allowing you to be very precise.
  • Snaplen (Snapshot Length): The maximum number of bytes to capture from each packet. A smaller snaplen saves disk space and memory but might truncate packets.

Commands / Usage

Basic Capture

  • Capture on a specific interface:

    sudo tcpdump -i eth0
    

    Capture all packets on the eth0 interface.

  • Capture on all interfaces (requires root/administrator):

    sudo tcpdump -i any
    

    Capture packets from all available network interfaces.

  • Capture with verbose output:

    sudo tcpdump -vvv -i eth0
    

    Capture packets with maximum verbosity, showing more details about packet headers. Use -v, -vv, or -vvv for increasing levels of detail.

  • Capture and show ASCII content:

    sudo tcpdump -A -i eth0
    

    Display packet contents in ASCII, useful for text-based protocols.

  • Capture and show hex and ASCII content:

    sudo tcpdump -XX -i eth0
    

    Display packet contents in both hexadecimal and ASCII.

Filtering Traffic

  • Capture traffic to or from a specific host:

    sudo tcpdump -i eth0 host 192.168.1.100
    

    Capture all packets to or from the IP address 192.168.1.100.

  • Capture traffic to a specific host:

    sudo tcpdump -i eth0 dst host 192.168.1.100
    

    Capture all packets destined for the IP address 192.168.1.100.

  • Capture traffic from a specific host:

    sudo tcpdump -i eth0 src host 192.168.1.100
    

    Capture all packets originating from the IP address 192.168.1.100.

  • Capture traffic on a specific port:

    sudo tcpdump -i eth0 port 80
    

    Capture all packets using TCP or UDP port 80.

  • Capture traffic to a specific port:

    sudo tcpdump -i eth0 dst port 22
    

    Capture all packets destined for port 22.

  • Capture traffic from a specific port:

    sudo tcpdump -i eth0 src port 53
    

    Capture all packets originating from port 53.

  • Capture TCP traffic:

    sudo tcpdump -i eth0 tcp
    

    Capture only TCP packets.

  • Capture UDP traffic:

    sudo tcpdump -i eth0 udp
    

    Capture only UDP packets.

  • Capture ICMP traffic:

    sudo tcpdump -i eth0 icmp
    

    Capture only ICMP packets (e.g., ping).

  • Combine filters (AND):

    sudo tcpdump -i eth0 host 192.168.1.100 and port 443
    

    Capture traffic to/from 192.168.1.100 specifically on port 443.

  • Combine filters (OR):

    sudo tcpdump -i eth0 tcp or udp
    

    Capture both TCP and UDP packets.

  • Negate a filter (NOT):

    sudo tcpdump -i eth0 not port 22
    

    Capture all traffic except that on port 22.

  • Capture traffic for a specific network:

    sudo tcpdump -i eth0 net 192.168.1.0/24
    

    Capture all traffic within the 192.168.1.0/24 subnet.

Saving and Reading Captures

  • Save captured packets to a file:

    sudo tcpdump -i eth0 -w capture.pcap
    

    Capture packets from eth0 and save them to capture.pcap in pcap format.

  • Read packets from a file:

    tcpdump -r capture.pcap
    

    Read and display packets from the capture.pcap file.

  • Read and filter packets from a file:

    tcpdump -r capture.pcap host 192.168.1.100
    

    Read packets from capture.pcap and display only those involving 192.168.1.100.

  • Save a limited number of packets:

    sudo tcpdump -i eth0 -c 100 -w limited_capture.pcap
    

    Capture and save the first 100 packets to limited_capture.pcap.

  • Set snapshot length:

    sudo tcpdump -i eth0 -s 128 -w small_snaplen.pcap
    

    Capture packets with a snapshot length of 128 bytes and save to small_snaplen.pcap. Use -s 0 to capture the full packet.

Controlling Output

  • Don’t resolve hostnames (faster):

    sudo tcpdump -i eth0 -n
    

    Display IP addresses numerically, without trying to resolve them to hostnames.

  • Don’t resolve port names:

    sudo tcpdump -i eth0 -nn
    

    Display both IP addresses and port numbers numerically, without resolving ports to service names (-nn implies -n).

  • Suppress packet timestamps:

    sudo tcpdump -i eth0 -t
    

    Omit the timestamp from each output line (-t disables timestamps rather than printing them).

  • Print packet timestamps with microseconds:

    sudo tcpdump -i eth0 -tttt
    

    Print timestamps in a human-readable format, including microseconds.

  • Limit output lines:

    sudo tcpdump -i eth0 -c 10
    

    Display only the first 10 packets and then exit.

Advanced Filtering (BPF Syntax)

  • Capture packets with specific TCP flags:

    sudo tcpdump -i eth0 'tcp[tcpflags] & (tcp-syn|tcp-ack) != 0'
    

    Capture TCP packets that have the SYN flag, the ACK flag, or both set. This is one example; the same bitmask form matches any other flag combination.

  • Match bytes at a specific offset:

    sudo tcpdump -i eth0 'udp[0:2] = 0x1234'
    

    Capture UDP packets whose first two header bytes equal 0x1234. Offsets in udp[...] count from the start of the UDP header, so udp[0:2] is the source port field; the payload begins at udp[8].

  • Capture packets with specific EtherType:

    sudo tcpdump -i eth0 'ether proto 0x0806'
    

    Capture ARP packets (EtherType 0x0806).
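The following Python script is an added example and is not part of the cheatsheet or of tcpdump itself. It builds a few constructed Ethernet/IPv4 frames (the addresses, ports and timestamps are made up), writes them to a pcap file in the same layout that `tcpdump -w` produces, reads them back as `tcpdump -r` would, and then evaluates the cheatsheet's filters against the raw bytes: `host`/`port`, `not dst host`, the `tcp[tcpflags]` bitmask, and `udp[0:2]`. It also shows what a small snaplen does to the stored record (incl_len versus orig_len), which is the difference between `-s 128` and `-s 0`. Nothing is captured from a live interface, so it runs without root.

```python
"""Write and read a pcap file and evaluate tcpdump-style byte-offset filters.
All frames below are constructed sample data, not a real capture."""
import os
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4        # microsecond-resolution pcap, native byte order
LINKTYPE_ETHERNET = 1
DEFAULT_SNAPLEN = 262144       # what tcpdump uses when you pass -s 0
TCP_SYN, TCP_ACK = 0x02, 0x10  # same bit values tcpdump assigns to tcp-syn / tcp-ack


def _ip(addr):
    return bytes(int(x) for x in addr.split("."))


def frame(src_ip, dst_ip, proto, l4):
    """Ethernet (dst, src, type) + minimal IPv4 header + transport bytes."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("aabbccddeeff") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64,
                     proto, 0, _ip(src_ip), _ip(dst_ip))
    return eth + ip + l4


def tcp(sport, dport, flags, payload=b""):
    # ports, seq, ack, data offset (5 words), flags, window, checksum, urgent
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload


def udp(sport, dport, payload=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


# Constructed traffic: a TCP handshake start to port 443 and a DNS-like UDP exchange.
SAMPLE = [
    (1700000000.000100, frame("192.168.1.100", "192.168.1.50", 6, tcp(51000, 443, TCP_SYN))),
    (1700000000.000250, frame("192.168.1.50", "192.168.1.100", 6, tcp(443, 51000, TCP_SYN | TCP_ACK))),
    (1700000000.000900, frame("192.168.1.100", "10.0.0.1", 17, udp(0x1234, 53, b"\x00" * 12 + b"\x03www\x00"))),
    (1700000001.500000, frame("10.0.0.1", "192.168.1.100", 17, udp(53, 0x1234, b"\x81\x80" + b"\x00" * 510))),
]


def write_pcap(path, frames, snaplen=DEFAULT_SNAPLEN):
    """Global header, then per-record header + bytes truncated to snaplen (like -w with -s)."""
    snaplen = snaplen or DEFAULT_SNAPLEN
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
        for ts, data in frames:
            stored = data[:snaplen]
            f.write(struct.pack("<IIII", int(ts), int((ts % 1) * 1e6), len(stored), len(data)))
            f.write(stored)


def read_pcap(path):
    """Return records as dicts; incl_len < orig_len means the record was cut by snaplen."""
    with open(path, "rb") as f:
        magic, _, _, _, _, snaplen, linktype = struct.unpack("<IHHiIII", f.read(24))
        if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
            raise ValueError("not a native-order Ethernet pcap")
        records = []
        while True:
            hdr = f.read(16)
            if len(hdr) < 16:
                break
            ts_sec, ts_usec, incl_len, orig_len = struct.unpack("<IIII", hdr)
            records.append({"ts": ts_sec + ts_usec / 1e6, "incl_len": incl_len,
                            "orig_len": orig_len, "data": f.read(incl_len)})
    return records


def parse(data):
    """Decode just enough of an Ethernet/IPv4 frame to evaluate the cheatsheet filters."""
    p = {"ethertype": struct.unpack("!H", data[12:14])[0], "ether_src": data[6:12].hex(":")}
    if p["ethertype"] != 0x0800:
        return p
    ip = data[14:]
    ihl = (ip[0] & 0x0F) * 4
    p["proto"] = ip[9]
    p["src"] = ".".join(str(b) for b in ip[12:16])
    p["dst"] = ".".join(str(b) for b in ip[16:20])
    p["l4"] = ip[ihl:]          # tcp[...] and udp[...] offsets count from here
    if p["proto"] in (6, 17) and len(p["l4"]) >= 4:
        p["sport"], p["dport"] = struct.unpack("!HH", p["l4"][:4])
    return p


def f_host(p, addr):        # host A  -> src or dst is A
    return p.get("src") == addr or p.get("dst") == addr


def f_port(p, n):           # port N  -> sport or dport is N
    return p.get("sport") == n or p.get("dport") == n


def f_syn_or_ack(p):        # tcp[tcpflags] & (tcp-syn|tcp-ack) != 0 ; flags byte is tcp[13]
    return p.get("proto") == 6 and (p["l4"][13] & (TCP_SYN | TCP_ACK)) != 0


def f_udp_first_two(p, v):  # udp[0:2] = v ; these are the UDP source-port bytes, not payload
    return p.get("proto") == 17 and struct.unpack("!H", p["l4"][0:2])[0] == v


def demo(snaplen=128):
    path = os.path.join(tempfile.mkdtemp(), "capture.pcap")
    write_pcap(path, SAMPLE, snaplen)
    recs = read_pcap(path)
    parsed = [parse(r["data"]) for r in recs]
    return {
        "host_and_443": sum(f_host(p, "192.168.1.100") and f_port(p, 443) for p in parsed),
        "syn_or_ack": sum(f_syn_or_ack(p) for p in parsed),
        "udp_0_2": sum(f_udp_first_two(p, 0x1234) for p in parsed),
        "not_dst_10_0_0_1": sum(p.get("dst") != "10.0.0.1" for p in parsed),
        "truncated": sum(r["incl_len"] < r["orig_len"] for r in recs),
    }


if __name__ == "__main__":
    print(demo(snaplen=128))
    print(demo(snaplen=0))
```

With `snaplen=128` only the 554-byte DNS reply is cut (its header still parses, so the filters work, but the payload is gone), while `snaplen=0` stores every frame whole. The `udp_0_2` counter matches the query whose source port is 0x1234 and not the reply whose payload starts with 0x8180, which is the offset semantics the filter entry above describes.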

Common Patterns

  • Troubleshooting a web server connection:

    sudo tcpdump -i eth0 -nn 'host 192.168.1.50 and (port 80 or port 443)'
    

    Watch HTTP/HTTPS traffic to/from a specific client IP.

  • Diagnosing DNS issues:

    sudo tcpdump -i eth0 -nn 'udp port 53'
    

    Observe DNS queries and responses.

  • Capturing SSH sessions:

    sudo tcpdump -i eth0 -nn 'tcp port 22'
    

    Monitor traffic on the SSH port.

  • Saving all traffic from a specific host to a file:

    sudo tcpdump -i eth0 -w all_traffic_from_client.pcap host 192.168.1.75
    

    Useful for later analysis with Wireshark or other tools.

  • Analyzing traffic that is NOT going to a specific server:

    sudo tcpdump -i eth0 -nn 'not dst host 10.0.0.1'
    

    Exclude a known-noisy destination so the rest of the network's traffic is easier to read.

  • Capturing traffic from a specific MAC address:

    sudo tcpdump -i eth0 -nn ether src aa:bb:cc:dd:ee:ff
    

    Filter traffic based on the source MAC address.

  • Saving packet dumps for Wireshark analysis:

    sudo tcpdump -i any -s 0 -w network_capture.pcap
    

    Capture everything from all interfaces with full packet length and save to a file for detailed GUI analysis.

Gotchas

  • Permissions: Capturing network traffic usually requires root or administrator privileges. Always use sudo when capturing live traffic.
  • Interface Name: Ensure you are specifying the correct network interface name. Use tcpdump -D to list available interfaces.
  • Filter Syntax: The BPF filter syntax can be tricky. Double-check your expressions, especially when combining multiple conditions. Single quotes around filters are often necessary to prevent shell expansion.
  • Snaplen (-s): By default, tcpdump might not capture the full packet content (snapshot length). Use -s 0 to ensure the entire packet is captured, which is crucial for deep analysis, but it will consume more resources and disk space.
  • Hostname Resolution (-n): Without -n and -nn, tcpdump will try to resolve IP addresses to hostnames and port numbers to service names. This can significantly slow down capture and might not always be accurate if DNS is having issues.
  • "No such device" error: This usually means the interface name is incorrect or the interface is not active.
  • "Permission denied" error: This means you don’t have sufficient privileges to capture on the specified interface. Use sudo.
  • Large Files: Capturing for extended periods, especially on busy networks, produces very large .pcap files. Bound the capture with a filter, a packet count (-c), or a smaller snaplen (-s), and consider tools like tshark or Wireshark for post-processing.
  • any interface: While useful, capturing on any can sometimes be less performant than specifying a single interface, and it might capture traffic you don’t expect if you have multiple active interfaces.