
Tcpdump Guide

tcpdump is a lightweight, command-line packet sniffer that every network engineer and security analyst should know. It is fast, scriptable, and ideal for quick captures or for hosts where no GUI is available. This guide shows how to capture, filter, save, and analyze packets effectively, without drowning in noise.

note

tcpdump reads raw packets from the network interface and therefore needs root privileges, or on Linux the CAP_NET_RAW and CAP_NET_ADMIN capabilities (the -Z <user> option lets it drop root once the interface is open). Run it responsibly and only on networks you own or are authorized to test.

When to use tcpdump

  • Fast troubleshooting on remote servers (no GUI).
  • Quick packet capture to hand off to analysts or to open later in Wireshark.
  • Lightweight scripting/automation of capture tasks.
  • Forensics when disk/CPU impact must be minimal.

Basic Usage & Anatomy

The simplest capture (listen on interface eth0 and print packets to console):

sudo tcpdump -i eth0

Key flags you’ll use often:

  • -i <interface>: interface to capture on (e.g., eth0, wlan0, or any on Linux).
  • -w <file>: write raw packets to a file in pcap (libpcap) format; tcpdump does not write pcapng, so name the file .pcap.
  • -r <file>: read packets from a saved file instead of an interface.
  • -n: don't resolve IP addresses to hostnames (faster, and the capture does not generate reverse-DNS traffic of its own).
  • -nn: don't resolve port numbers to service names either (numeric ports).
  • -s <snaplen>: bytes to keep from each packet. -s 0 means the maximum; modern tcpdump already defaults to 262144 bytes, so -s 0 mainly matters on old builds that truncated packets.
  • -c <count>: stop after <count> packets.
  • -v, -vv, -vvv: increasingly verbose decoding (TTL, IP ID, checksums and more).
  • -X: show packet contents in hex and ASCII.
  • -A: show packet contents in ASCII (useful for HTTP and other text protocols).
  • -S: print absolute rather than relative TCP sequence numbers.
  • -tttt: timestamp each line with full date and time (YYYY-MM-DD HH:MM:SS.usec), good for reports.

Example: capture 200 packets on eth0, full packets, no name resolution, save to capture.pcap:

sudo tcpdump -i eth0 -nn -s 0 -c 200 -w capture.pcap

Capture Filters (BPF): reduce noise at capture time

tcpdump compiles the filter expression into a BPF (Berkeley Packet Filter) program that the kernel runs against every packet, so only matching packets are copied to user space. Filtering at capture time is far cheaper than capturing everything and filtering afterwards.

Some useful patterns:

  • By host:

    sudo tcpdump -i eth0 host 192.168.1.10
  • Source or destination:

    sudo tcpdump -i eth0 src 10.0.0.5
    sudo tcpdump -i eth0 dst 8.8.8.8
  • By network:

    sudo tcpdump -i eth0 net 192.168.1.0/24
  • By protocol/port:

    sudo tcpdump -i eth0 tcp port 22            # SSH
    sudo tcpdump -i eth0 udp and port 53 # DNS
    sudo tcpdump -i eth0 portrange 8000-9000
  • Combined expressions:

    sudo tcpdump -i eth0 'host 10.0.0.5 and (tcp port 80 or tcp port 443)'
  • Negation:

    sudo tcpdump -i eth0 'not net 10.0.0.0/8'
tip

Wrap complex filters in single quotes so the shell does not interpret parentheses or other special characters. Capture filters are not Wireshark display filters: the syntax is different, and capture filters run in the kernel before packets are copied, which is why they are the cheaper way to cut volume. Put all option flags before the filter expression; on BSD and macOS, anything after the expression is treated as part of the expression and fails with a syntax error.

Writing & Rotating Capture Files

Large captures can fill disks quickly. Use ring-buffer options to manage files:

  • Basic write:

    sudo tcpdump -i eth0 -w /tmp/capture.pcap -s 0
  • Rotate by size with -C (units are millions of bytes). Each rotation appends a number to the -w name (capture.pcap, capture.pcap1, capture.pcap2, ...); strftime tokens such as %Y in the name are only expanded when -G is used:

    sudo tcpdump -i eth0 -s 0 -w /tmp/capture.pcap -C 100

    -W is optional with -C; without it the numbering grows until the disk fills.

  • Rotate by time with -G (close the current file and open a new one every N seconds):

    sudo tcpdump -i eth0 -s 0 -w /tmp/capture-%Y%m%d-%H%M%S.pcap -G 3600

    This creates hourly files. The strftime tokens in the name are required here: without them every rotation overwrites the same file.

  • Limit the number of files with -W:

    sudo tcpdump -i eth0 -s 0 -w capture.pcap -C 50 -W 5

    With -C this keeps 5 files of 50 million bytes each and overwrites the oldest once the limit is reached (a true ring buffer). With -G, -W instead makes tcpdump exit after the given number of rotations.
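The rotation flags interact in ways that are easy to get wrong: strftime tokens only expand with -G, -z needs -C or -G, and -Z must name a user who can write the output directory because tcpdump drops privileges before it opens the savefile. The wrapper below is an added example written for this guide, not part of the tcpdump project; the interface, the output directory and the unprivileged user `tcpdump` are assumptions. build_ring_capture_cmd only assembles the command line (so it can be checked without root); run_ring_capture validates the interface and free disk space and then execs it.

```shell
#!/bin/sh
# Added example (not from the tcpdump project): a time-rotated ring-buffer
# capture that is bounded in both time and disk space.
#   -G SECS   rotate on a time boundary; the -w name is then a strftime pattern
#   -W N      with -G, exit after N files, so the capture cannot run forever
#   -z gzip   run "gzip <file>" on each file as it is closed
#   -Z USER   drop root once the interface is open (USER must be able to write OUTDIR)
#   -B KiB    larger kernel capture buffer to reduce "dropped by kernel"
# Interface, directory and user names used here are example values.

is_uint() { case $1 in ''|*[!0-9]*) return 1 ;; esac; }

build_ring_capture_cmd() {
    # build_ring_capture_cmd IFACE OUTDIR ROTATE_SECS FILE_COUNT USER [FILTER]
    iface=$1; outdir=$2; secs=$3; count=$4; user=$5; filter=${6:-}
    is_uint "$secs" && is_uint "$count" || {
        echo "rotate seconds and file count must be integers" >&2; return 1; }
    [ "$secs" -gt 0 ] && [ "$count" -gt 0 ] || { echo "values must be > 0" >&2; return 1; }
    cmd="tcpdump -i $iface -nn -s 0 -B 65536 -Z $user -G $secs -W $count -z gzip"
    cmd="$cmd -w $outdir/cap-%Y%m%d-%H%M%S.pcap"
    # Single quotes keep "and", "(" and ")" in the filter away from the shell;
    # a filter containing a single quote itself would need further escaping.
    [ -n "$filter" ] && cmd="$cmd '$filter'"
    printf '%s\n' "$cmd"
}

run_ring_capture() {
    # run_ring_capture IFACE OUTDIR ROTATE_SECS FILE_COUNT USER [FILTER]
    # Fail early on conditions that tcpdump would only report after starting.
    iface=$1; outdir=$2
    # /sys/class/net is Linux-specific; adjust the check on other platforms.
    [ -e "/sys/class/net/$iface" ] || { echo "no such interface: $iface" >&2; return 1; }
    [ -d "$outdir" ] && [ -w "$outdir" ] || { echo "cannot write to $outdir" >&2; return 1; }
    # Refuse to start with under 1 GiB free; df -P reports 1024-byte blocks in column 4.
    avail=$(df -P "$outdir" | awk 'NR == 2 { print $4 }')
    [ "$avail" -ge 1048576 ] || { echo "less than 1 GiB free in $outdir" >&2; return 1; }
    cmd=$(build_ring_capture_cmd "$@") || return 1
    printf 'running: %s\n' "$cmd" >&2
    eval "exec $cmd"
}

# Usage (as root): ./ringcap.sh eth0 /var/tmp/caps 3600 24 tcpdump 'not port 22'
if [ "$#" -gt 0 ]; then
    run_ring_capture "$@"
fi
```

With the arguments in the usage line this keeps at most 24 hourly, gzip-compressed files and then exits; change -W to a larger count, or drop it, for an open-ended capture that you rotate out of the directory yourself.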

Reading & Inspecting Captures

Open a pcap with tcpdump (text output):

tcpdump -r capture.pcap -nn -tttt

Open the same file in Wireshark for GUI analysis:

wireshark capture.pcap &
# or
tshark -r capture.pcap -Y 'http' -V

tshark is the CLI counterpart to Wireshark and supports Wireshark-style display filters.

Common Workflows / Examples

1) Capture ARP traffic (good for spotting ARP spoofing)

sudo tcpdump -i eth0 -n -vv arp

2) Capture only HTTP traffic and show ASCII payload

sudo tcpdump -i eth0 -nn -s 0 -A 'tcp port 80'

3) Save DNS queries (UDP port 53) to file for later analysis

sudo tcpdump -i eth0 -nn -s 0 -w dns-capture.pcap udp port 53

4) Capture traffic to/from a host but exclude SSH noise (port 22)

sudo tcpdump -i eth0 -nn -s 0 'host 192.168.1.10 and not port 22' -w host-no-ssh.pcap

5) Capture a single TCP session between two hosts

If you see a suspicious TCP conversation in Wireshark, filter on the two endpoints and the service port to record that session alone. Use host for both endpoints rather than src and dst; a src/dst filter keeps only one direction of the conversation and silently drops the replies:

sudo tcpdump -i eth0 -nn -s 0 -w session.pcap 'tcp and host 10.0.0.2 and host 192.168.1.10 and port 4444'
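When the client's ephemeral port is also known, the filter can be narrowed to the exact 4-tuple while still matching both directions. The helper below is an added example for this guide (not tcpdump's own code) that builds that expression and rejects malformed addresses before they reach tcpdump, where a typo would otherwise turn into a hostname lookup; the addresses and ports in its usage line are example values.

```shell
#!/bin/sh
# Added example (not from the tcpdump project): build a capture filter for ONE
# TCP session in both directions. 'src A and dst B and tcp port P' keeps only
# the A->B half of the conversation; this emits both halves, tied to exact ports.
# Addresses and ports in the usage line are example values.

ipv4_ok() {
    # Reject anything that is not a dotted quad of 0-255, so a typo fails here
    # instead of turning into a hostname lookup inside tcpdump.
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }'
}

port_ok() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

session_filter() {
    # session_filter CLIENT_IP CLIENT_PORT SERVER_IP SERVER_PORT
    a=$1; ap=$2; b=$3; bp=$4
    ipv4_ok "$a" && ipv4_ok "$b" || { echo "bad IPv4 address" >&2; return 1; }
    port_ok "$ap" && port_ok "$bp" || { echo "bad port" >&2; return 1; }
    # "src host"/"dst host" and "src port"/"dst port" are BPF primitives; the
    # second clause is the same tuple with the roles swapped (the reply direction).
    printf 'tcp and ((src host %s and src port %s and dst host %s and dst port %s) or (src host %s and src port %s and dst host %s and dst port %s))\n' \
        "$a" "$ap" "$b" "$bp" "$b" "$bp" "$a" "$ap"
}

# Usage:
#   sudo tcpdump -i eth0 -nn -s 0 -w session.pcap "$(session_filter 10.0.0.2 51234 192.168.1.10 4444)"
```

The validator only handles IPv4 literals; for IPv6 endpoints pass the filter by hand using the same structure with ip6 addresses.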

Performance & Practical Tips

  • Use -s 0 (or rely on the modern default of 262144 bytes) when you need payloads; set a small snaplen such as -s 96 when only headers matter and disk or CPU is tight.

  • Use -nn for numeric addresses and ports; name lookups slow the output and generate DNS traffic of their own.

  • Capture where the traffic actually passes: a router, a SPAN/mirror port, or the any pseudo-interface for every interface on a Linux host. Note that any records a Linux "cooked" (SLL) pseudo-header instead of the real Ethernet header, so link-layer detail such as the destination MAC is lost.

    sudo tcpdump -i any -nn -s 0 -w all-interfaces.pcap
  • On busy networks, write to disk (-w) rather than printing to the console, raise the kernel capture buffer with -B (in KiB, e.g. -B 65536 for 64 MiB), and filter as early as possible to avoid drops.

  • Compress after capture to save space: gzip capture.pcap, but only after the file is closed. When rotating with -C or -G, -z gzip runs the compression on each file automatically as it is closed.

Troubleshooting & Common Pitfalls

  • Missing packets: when tcpdump exits it prints how many packets were "dropped by kernel"; a non-zero count means the capture buffer overflowed. Raise it with -B, tighten the capture filter, write to disk instead of the terminal, or move the capture to a dedicated host or mirror port.
  • Permissions: on Linux, run with sudo or grant the tcpdump binary the CAP_NET_RAW and CAP_NET_ADMIN capabilities with setcap. The wireshark group that many distributions create only controls dumpcap (used by Wireshark and tshark), not tcpdump. Use -Z <user> so tcpdump drops root after opening the interface.
  • Time sync: for forensic correlation, make sure host clocks are synchronized (NTP); -tttt prints the full date and time on every line, which makes correlating captures from several hosts much easier.
  • Encrypted traffic: TLS/HTTPS captures do not reveal plaintext. In a controlled lab, decrypting with the server's private key only works when the session used RSA key exchange (not (EC)DHE and not TLS 1.3); the practical route is TLS key logging (SSLKEYLOGFILE) on a client you control, loaded into Wireshark. Neither works for third-party traffic where you control no endpoint.

Hands-On Lab Ideas

  1. DNS Query Capture

    • Task: Run tcpdump -i eth0 -nn -w dns.pcap udp port 53 (options before the filter), then open dns.pcap in Wireshark and identify the most frequent domain queries.
  2. HTTP Session Extraction

    • Task: Use tcpdump -i eth0 -s 0 -w http.pcap 'tcp port 80' while loading a website on a test VM. Open in Wireshark and use Follow TCP Stream to view request/response.
  3. ARP Poisoning Detection

    • Task: Simulate ARP spoofing in a lab and capture ARP traffic with tcpdump -i eth0 -n -w arp.pcap arp. Look for an IP address that is claimed by more than one MAC address in ARP replies.
  4. SSH Noise Filtering

    • Task: Capture all traffic to a host while excluding SSH: tcpdump -i eth0 -nn -w filtered.pcap 'host 10.0.0.5 and not port 22', then analyze anomalies.

Packet captures can include sensitive information (credentials, tokens, PII). Always obey laws and organizational rules: capture only on systems you own or have explicit permission to analyze. Improper use can be illegal and unethical.

Summary Checklist

  • Choose correct interface with -i.
  • Use BPF capture filters to reduce noise (applied at kernel-level).
  • Use -w to write pcap files for later analysis (Wireshark/tshark).
  • Rotate files with -C (by size) or -G (by time), adding -W to cap the number of files, to prevent disk exhaustion.
  • Use -s 0 for full-packet captures when payload is required.
  • Prefer -nn and -tttt for readable, fast output.
  • Always act ethically; get permission.