Tcpdump Commands
tcpdump is a powerful command-line packet capture tool that intercepts and displays TCP/IP traffic on networks. It uses the libpcap library to capture packets and supports complex filtering with Berkeley Packet Filter (BPF) syntax.
Installation
Linux/Ubuntu
sudo apt update
sudo apt install tcpdump
macOS
brew install tcpdump
# or use the pre-installed version (macOS ships tcpdump)
Permissions
# Run without sudo (add user to tcpdump group)
sudo usermod -a -G tcpdump $USER
# or use capabilities
sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
Basic Packet Capture
Simple Captures
# Capture packets on default interface
tcpdump
# Capture on specific interface
tcpdump -i eth0
# Capture first 1000 packets
tcpdump -c 1000
# Capture with verbose output
tcpdump -v
# Very verbose output
tcpdump -vv
# Maximum verbose output
tcpdump -vvv
# Print each packet's payload in ASCII (useful for text protocols)
tcpdump -A
# Hex and ASCII dump of each packet (without the link-level header)
tcpdump -X
# Hex and ASCII dump including the link-level (Ethernet) header
tcpdump -XX
Save and Read Captures
# Save capture to file
tcpdump -w capture.pcap
# Save with snap length (smaller file size)
tcpdump -w capture.pcap -s 100
# Read from file
tcpdump -r capture.pcap
# Display file in verbose mode
tcpdump -r capture.pcap -v
# Quiet output (less protocol detail per line)
tcpdump -r capture.pcap -q
# Read from multiple files: tcpdump honours only one -r, so merge first (mergecap ships with Wireshark)
mergecap -w merged.pcap file1.pcap file2.pcap
tcpdump -r merged.pcap
Filtering Packets
Interface and Protocol Filters
# Capture only IPv4 traffic
tcpdump -i eth0 ip
# Capture only IPv6 traffic
tcpdump -i eth0 ip6
# Capture TCP traffic only
tcpdump -i eth0 tcp
# Capture UDP traffic only
tcpdump -i eth0 udp
# Capture ICMP (ping) traffic
tcpdump -i eth0 icmp
# Capture DNS traffic (port 53)
tcpdump -i eth0 port 53
# Capture HTTP traffic (port 80)
tcpdump -i eth0 port 80
# Exclude certain traffic
tcpdump -i eth0 not tcp
Host and Network Filters
# Capture traffic to or from a specific host (host matches either direction)
tcpdump -i eth0 host 192.168.1.100
# Capture traffic to or from a specific subnet
tcpdump -i eth0 net 192.168.1.0/24
# Exclude specific host
tcpdump -i eth0 not host 192.168.1.1
# Capture between two hosts
tcpdump -i eth0 host 192.168.1.100 and host 8.8.8.8
# Source host only
tcpdump -i eth0 src 192.168.1.100
# Destination host only
tcpdump -i eth0 dst 8.8.8.8
# Capture from multiple hosts
tcpdump -i eth0 host 192.168.1.100 or host 192.168.1.101
Port Filters
# Capture specific port
tcpdump -i eth0 port 443
# Capture port range
tcpdump -i eth0 portrange 1000-2000
# Capture source port
tcpdump -i eth0 src port 22
# Capture destination port
tcpdump -i eth0 dst port 80
# Capture traffic on multiple ports
tcpdump -i eth0 'port 80 or port 443'
# Exclude port
tcpdump -i eth0 not port 22
# Capture higher ports only
tcpdump -i eth0 dst portrange 1024-65535
Complex Filters
# Combine multiple conditions (AND)
tcpdump -i eth0 'host 192.168.1.100 and port 80'
# Combine with OR
tcpdump -i eth0 'host 192.168.1.100 or host 192.168.1.101'
# Group conditions with parentheses
tcpdump -i eth0 '(host 192.168.1.100 or host 192.168.1.101) and port 80'
# HTTP traffic from specific subnet
tcpdump -i eth0 'net 192.168.1.0/24 and port 80'
# SSH traffic excluding specific host
tcpdump -i eth0 'port 22 and not host 192.168.1.1'
# Packets with any of SYN, ACK, FIN or RST set
tcpdump -i eth0 'tcp[tcpflags] & (tcp-syn|tcp-ack|tcp-fin|tcp-rst) != 0'
# TCP SYN packets only (also matches SYN-ACK replies)
tcpdump -i eth0 'tcp[tcpflags] & tcp-syn != 0'
# TCP FIN packets (connection closing)
tcpdump -i eth0 'tcp[tcpflags] & tcp-fin != 0'
# TCP RST packets (connection reset)
tcpdump -i eth0 'tcp[tcpflags] & tcp-rst != 0'
Output Formatting
Display Options
# Don't resolve host names (faster, and avoids generating DNS traffic of your own)
tcpdump -n
# Don't resolve host names or port/protocol names
tcpdump -nn
# Human-readable date and time on each line
tcpdump -tttt
# Raw timestamps (seconds since the epoch)
tcpdump -tt
# Delta between the current and the previous line
tcpdump -r capture.pcap -ttt
# Line-buffered output (needed when piping into grep or another tool)
tcpdump -l
# Quiet output (minimal protocol info)
tcpdump -q
# Nanosecond timestamp precision (if the capture interface supports it)
tcpdump --time-stamp-precision=nano
Packet Interpretation
# Show packet payloads (ASCII)
tcpdump -A
# Show packet payloads (HEX and ASCII)
tcpdump -XX
# Show HTTP requests (-l line-buffers so grep sees them immediately)
tcpdump -i eth0 -l -A 'tcp port 80' | grep GET
# Extract request lines
tcpdump -i eth0 -l -A 'tcp port 80' | grep -oE '(GET|POST) [^ ]+ HTTP/[0-9.]+'
# Show DNS queries (tcpdump decodes DNS itself; -A is not needed)
tcpdump -i eth0 -l -n port 53 | grep -oE '(A|AAAA)\? [^ ]+'
Advanced Packet Analysis
Statistics and Summaries
# Print only summary information
tcpdump -q -r capture.pcap
# Count packets in a file that match a filter
tcpdump -r capture.pcap -n tcp | wc -l
# Live count: the summary printed on exit (stderr) reports packets captured,
# received by filter and dropped by kernel
timeout 30 tcpdump -i eth0 -n tcp > /dev/null
# Filter by packet size (BPF 'greater' / 'less' qualifiers, in bytes)
tcpdump -i eth0 -n 'greater 1000'
Traffic Analysis
# Stream raw packets to a second tcpdump (the reader can apply its own display options)
tcpdump -i eth0 -w - | tcpdump -r - -q
# Find traffic with specific MAC address
tcpdump -i eth0 ether host 00:11:22:33:44:55
# Capture by protocol and destination port
tcpdump -i eth0 'tcp and dst port 443'
# Don't put the interface in promiscuous mode (only traffic addressed to this host)
tcpdump -i eth0 -p
# Check for packet loss: the exit summary on stderr reports "packets dropped by kernel"
tcpdump -i eth0 -c 1000 -w /dev/null 2>&1 | tail -3
# Monitor specific application
tcpdump -i eth0 'host 192.168.1.100 and port 3306'
# Track connection states
tcpdump -i eth0 -n 'tcp[tcpflags] & (tcp-syn|tcp-fin|tcp-rst) != 0'
Real-World Examples
# Monitor all incoming SSH connections
tcpdump -i eth0 -n 'dst port 22'
# Capture HTTPS traffic to/from host
tcpdump -i eth0 -A 'host 192.168.1.100 and port 443'
# Monitor DNS traffic (tcpdump decodes queries and answers itself)
tcpdump -i eth0 -n -l port 53
# Detect port scans: new connection attempts (SYN set, ACK clear); many destination ports from one source is the tell
tcpdump -i eth0 -n 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'
# Monitor FTP traffic
tcpdump -i eth0 -A 'port 21'
# Capture SMTP traffic
tcpdump -i eth0 -A 'port 25 or port 587'
# Monitor DHCP requests
tcpdump -i eth0 'udp and (port 67 or port 68)'
# Track ARP requests
tcpdump -i eth0 'arp'
# Monitor NTP traffic
tcpdump -i eth0 'udp port 123'
# Capture HTTP request lines and the headers that follow them
tcpdump -i eth0 -l -A 'tcp port 80' | grep -A5 'GET\|POST\|HTTP'
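The "Detect port scans" and "Track connection states" entries above print the matching packets but leave the counting to the analyst. Below is an added example, not part of the original cheat sheet, that does the counting: a POSIX sh/awk function that reads tcpdump's default -n text output and reports every source that sent bare SYNs to more than a threshold of distinct destination ports. The sample lines are constructed, not a real capture, and the only layout assumed is tcpdump's standard "time IP src.port > dst.port: Flags [..]," line; the interface name and packet count in the live wrapper are placeholders.

```shell
#!/bin/sh
# Constructed sample of "tcpdump -n -l" text output (not a real capture):
# one source probing five ports with bare SYNs, one normal handshake.
SAMPLE_LINES='12:00:01.000001 IP 10.0.0.5.40001 > 192.168.1.10.22: Flags [S], seq 1, win 1024, length 0
12:00:01.000002 IP 10.0.0.5.40002 > 192.168.1.10.23: Flags [S], seq 1, win 1024, length 0
12:00:01.000003 IP 10.0.0.5.40003 > 192.168.1.10.25: Flags [S], seq 1, win 1024, length 0
12:00:01.000004 IP 10.0.0.5.40004 > 192.168.1.10.80: Flags [S], seq 1, win 1024, length 0
12:00:01.000005 IP 10.0.0.5.40005 > 192.168.1.10.443: Flags [S], seq 1, win 1024, length 0
12:00:01.000006 IP 192.168.1.10.22 > 10.0.0.5.40001: Flags [S.], seq 2, ack 2, win 65160, length 0
12:00:01.000007 IP 192.168.1.10.23 > 10.0.0.5.40002: Flags [R.], seq 0, ack 2, win 0, length 0
12:00:02.000001 IP 10.0.0.7.51000 > 192.168.1.10.443: Flags [S], seq 9, win 64240, length 0
12:00:02.000002 IP 192.168.1.10.443 > 10.0.0.7.51000: Flags [S.], seq 3, ack 10, win 65160, length 0'

# syn_scan_report THRESHOLD
# Reads tcpdump text lines on stdin and prints "source distinct_ports" for
# each source that sent bare SYNs (flags exactly [S]) to more than THRESHOLD
# distinct destination ports. Assumed field layout:
#   <time> IP <src.port> > <dst.port>: Flags [..], ...
syn_scan_report() {
    awk -v thr="$1" '
        $6 == "Flags" && $7 == "[S]," {
            src = $3; sub(/\.[0-9]+$/, "", src)      # strip the source port
            dst = $5; sub(/:$/, "", dst)             # drop the trailing colon
            n = split(dst, p, "."); port = p[n]      # last dotted field is the port
            key = src SUBSEP port
            if (!(key in seen)) { seen[key] = 1; ports[src]++ }
        }
        END { for (s in ports) if (ports[s] > thr) printf "%s %d\n", s, ports[s] }
    ' | sort
}

# Live use (placeholder interface and count): feed bare-SYN packets from the
# interface into the report. -c bounds the run so awk reaches END; -l keeps
# the pipe flowing instead of block-buffering.
live_syn_scan_report() {
    tcpdump -i "$1" -n -l -c "${3:-5000}" 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn' \
        | syn_scan_report "$2"
}

# Demo on the constructed sample; prints "10.0.0.5 5"
printf '%s\n' "$SAMPLE_LINES" | syn_scan_report 3
```

The SYN-ACK and RST lines in the sample are deliberately ignored: only packets with SYN set and ACK clear are connection attempts, which is the same condition the live wrapper's BPF filter applies in the kernel before any text reaches awk.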
Tcpdump with Other Tools
# Pipe to tshark for analysis (-U flushes each packet to the pipe as it is captured)
tcpdump -i eth0 -U -w - | tshark -r -
# Save and convert to PCAPNG format
tcpdump -i eth0 -w capture.pcap
editcap -F pcapng capture.pcap capture.pcapng
# Analyze with Wireshark
tcpdump -i eth0 -w capture.pcap
wireshark capture.pcap
# Real-time analysis with strings
tcpdump -i eth0 -A | strings | grep -i password
# Combine with grep for pattern matching (-l so grep sees lines as they arrive)
tcpdump -i eth0 -l -A 'port 80' | grep -i 'cookie\|user-agent'
Performance Considerations
# Set snap length for smaller captures (bytes kept per packet; 96 covers most headers)
tcpdump -s 96
# Reduce packet count
tcpdump -c 100
# Set the OS capture buffer size (KiB); raise it if the exit summary shows kernel drops
tcpdump -B 10000
# Limit output to essential info
tcpdump -q -n
# Write to file and also print decoded packets (tcpdump 4.99+)
tcpdump -i eth0 -w capture.pcap --print
# Run in background
tcpdump -i eth0 -w capture.pcap > /dev/null 2>&1 &
# Monitor long-running capture
watch -n 5 'ls -lh capture.pcap'
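None of the entries above bound how much disk a long-running capture can consume, which is what the "Monitor disk space when capturing continuously" practice below is about. The following added example (not from the original page) wraps tcpdump's ring-buffer options -C and -W, plus -Z to drop root after the interface is opened, in a helper that checks free space with df before the capture starts. The interface eth0, the directory, the size limits and the existence of a tcpdump user are placeholders and assumptions to adjust for the host.

```shell
#!/bin/sh
# Ring-buffer capture helper (added example; interface, directory, limits and
# the unprivileged user name are placeholders).

# ring_capture_cmd IFACE DIR FILE_MB COUNT
# Prints a tcpdump command line that keeps at most COUNT files of FILE_MB
# million bytes each and wraps around to the oldest file (-C together with -W),
# keeps only the first 96 bytes of each packet (-s), and drops root to user
# "tcpdump" after opening the interface (-Z, so DIR must be writable by that user).
ring_capture_cmd() {
    printf 'tcpdump -i %s -n -s 96 -C %s -W %s -Z tcpdump -w %s/ring.pcap\n' \
        "$1" "$3" "$4" "$2"
}

# ring_fits_disk DIR FILE_MB COUNT
# Returns 0 when the filesystem holding DIR has room for the whole ring plus a
# 20% margin. FILE_MB is in millions of bytes (tcpdump's -C unit); df reports KiB.
ring_fits_disk() {
    avail_kb=$(df -Pk "$1" | awk 'NR == 2 { print $4 }')
    need_kb=$(( $2 * $3 * 1000000 / 1024 * 12 / 10 ))
    [ "$avail_kb" -gt "$need_kb" ]
}

# start_ring_capture IFACE DIR FILE_MB COUNT
# Preflight the disk, then run the capture in the background and report the PID.
start_ring_capture() {
    if ! ring_fits_disk "$2" "$3" "$4"; then
        echo "not enough free space under $2 for a $3 MB x $4 ring" >&2
        return 1
    fi
    mkdir -p "$2"
    # shellcheck disable=SC2046  # the command line is built from our own arguments
    $(ring_capture_cmd "$1" "$2" "$3" "$4") > /dev/null 2>&1 &
    echo "capture started, pid $!"
}

# Demo: print the command line for a 10 x 100 MB ring and check the current filesystem.
ring_capture_cmd eth0 /var/tmp/caps 100 10
if ring_fits_disk . 100 10; then echo "ring fits here"; else echo "ring too large here"; fi
```

Because -C/-W reuses file names ring.pcap0 through ring.pcap9, the total footprint stays at roughly FILE_MB x COUNT; a post-rotate -z command that renames or compresses the files would defeat that bound, which is why none is used here.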
Troubleshooting
# List available interfaces
tcpdump -D
# Test filter syntax: compile and print the BPF program without capturing
tcpdump -d 'host 192.168.1.100 and port 80'
# Same filter as a C array (-dd) or decimal numbers (-ddd), for loading elsewhere
tcpdump -dd 'port 80'
# Confirm the filter matches live traffic with a handful of packets
tcpdump -i eth0 -n -c 5 port 80
# Check which tcpdump commands sudo allows for this user
sudo -l | grep tcpdump
# Check if tcpdump is running (pgrep does not match itself the way 'grep tcpdump' does)
pgrep -l tcpdump
Best Practices
- Use filters to reduce noise and focus on relevant traffic
- Include snap length for manageable file sizes
- Capture to file rather than displaying for high traffic
- Use -n flag to avoid DNS lookups (faster)
- Remove sensitive data from captures before sharing
- Archive captures with timestamps for historical analysis
- Use -w flag to preserve packet data exactly as captured
- Combine with other tools (grep, awk) for post-processing
- Monitor disk space when capturing continuously
- Use appropriate snap length (32-96 bytes for headers, 65535 for full packets)
Last updated: 2026-03-30