tcpdump

The tcpdump command is one of the most frequently used commands in Linux/Unix-like operating systems. tcpdump dumps network traffic: it captures packets from an interface (or a saved capture file) and prints them for analysis.

Quick Reference

Command Name:

tcpdump

Category:

networking

Platform:

Linux/Unix

Basic Usage:

tcpdump [options] [arguments]

Common Use Cases

    Syntax

    tcpdump [options] [expression]

    Options

    | Option | Description |
    |---|---|
    | `-A` | Print each packet in ASCII, excluding the link-level header |
    | `-c count` | Exit after capturing count packets |
    | `-D` | List available interfaces |
    | `-e` | Print the link-level header |
    | `-F file` | Use file as input for the filter expression |
    | `-G rotate_seconds` | Rotate the dump file every rotate_seconds seconds |
    | `-i interface` | Listen on the specified interface |
    | `-K` | Don't verify TCP checksums |
    | `-n` | Don't convert addresses to names |
    | `-p` | Don't put the interface into promiscuous mode |
    | `-q` | Quick (quiet) output |
    | `-r file` | Read packets from file (capture file) |
    | `-s snaplen` | Capture snaplen bytes of data from each packet |
    | `-S` | Print absolute TCP sequence numbers |
    | `-t` | Don't print a timestamp on each dump line |
    | `-tt` | Print an unformatted timestamp on each dump line |
    | `-ttt` | Print the delta between the current and previous line |
    | `-tttt` | Print the timestamp in the default format with the date |
    | `-v` | Verbose output (more -v's increases verbosity) |
    | `-w file` | Write the raw packets to file |
    | `-X` | Print each packet in hex and ASCII |
    | `-XX` | Print each packet in hex and ASCII, including the link-level header |
    | `-Z user` | Drop privileges to user after opening the capture device |

    Examples

    The examples below show common ways to use the tcpdump command.

    ```shell
    # Basic examples

    # Capture packets on interface eth0
    tcpdump -i eth0

    # Capture a specific number of packets
    tcpdump -c 10 -i eth0

    # Show IP addresses instead of resolving hostnames
    tcpdump -n -i eth0

    # Save captured packets to a file
    tcpdump -w capture.pcap -i eth0

    # Read captured packets from a file
    tcpdump -r capture.pcap

    # Advanced examples

    # Capture HTTP traffic (port 80)
    tcpdump -i eth0 port 80

    # Capture traffic from a specific host
    tcpdump -i eth0 host 192.168.1.100

    # Capture traffic to or from a specific network
    tcpdump -i eth0 net 192.168.1.0/24

    # Capture packets of a specific protocol
    tcpdump -i eth0 tcp

    # Capture using a compound expression (HTTP traffic involving a specific host)
    tcpdump -i eth0 'tcp port 80 and host 192.168.1.100'

    # Display packet contents in hex and ASCII, including the link-level header
    tcpdump -i eth0 -XX -c 10

    # Print timestamps in the default format with the date
    tcpdump -i eth0 -tttt

    # Capture with higher verbosity
    tcpdump -i eth0 -v

    # Capture by protocol, source address and destination port
    tcpdump -i eth0 'tcp and src 192.168.1.100 and dst port 80'

    # Capture DNS traffic
    tcpdump -i eth0 udp port 53

    # Capture all traffic except SSH
    tcpdump -i eth0 'not port 22'

    # Capture ICMP (ping) packets
    tcpdump -i eth0 icmp

    # Capture packets of 1000 bytes or more ('greater' means >=)
    tcpdump -i eth0 'greater 1000'

    # Capture without putting the interface into promiscuous mode
    # (only traffic addressed to this host is seen)
    tcpdump -i eth0 -p

    # Capture packets with the TCP SYN flag set
    # (matches both initial SYNs and SYN-ACK replies)
    tcpdump -i eth0 'tcp[tcpflags] & (tcp-syn) != 0'
    ```


    Notes

    The `tcpdump` command is a powerful network packet analyzer that runs under the command line. It allows users to capture and display TCP/IP and other packets being transmitted or received over a network interface. This tool is especially useful for network administrators, security professionals, and developers for troubleshooting network issues, monitoring network traffic, and analyzing protocol behavior.

    Under the hood, `tcpdump` uses the libpcap library, which provides a portable framework for low-level network monitoring. This same library is used by many other network tools, including Wireshark (the popular graphical packet analyzer).

    One of the most powerful features of `tcpdump` is its ability to filter packets using Berkeley Packet Filter (BPF) expressions. These expressions allow users to specify precisely which packets they're interested in, based on criteria such as protocols, addresses, ports, packet sizes, and even content. For example, a filter like `tcp port 80 and host 192.168.1.100` would capture only TCP traffic on port 80 (HTTP) involving the specified host.

    When running `tcpdump`, it's important to understand that it typically requires administrative privileges (root or sudo) because it needs direct access to network interfaces at a low level. However, modern versions provide the `-Z` option to drop privileges after opening the capture device, which improves security.

    The output of `tcpdump` can be customized in various ways. By default, it provides a summary line for each packet, showing timestamp, protocol information, addresses, ports, and some basic flags or options. With increased verbosity levels (`-v`, `-vv`, `-vvv`), it displays more details about the packets. Options like `-X` and `-A` allow viewing packet contents in hexadecimal and ASCII formats.

    Capture files generated by `tcpdump` (using the `-w` option) can be read later with `tcpdump -r` or opened in other tools like Wireshark for more detailed analysis. This capability is particularly useful for capturing traffic during an incident and analyzing it later in a controlled environment.

    It's worth noting that while `tcpdump` is primarily a monitoring tool, excessive use on high-traffic networks can impact performance. Users should be judicious with their filters to capture only the traffic relevant to their analysis.

    Despite the availability of graphical tools, `tcpdump` remains indispensable for network professionals because of its efficiency, scriptability, and ability to run in environments without graphical interfaces, such as remote servers or network appliances.
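The notes above describe the default one-line-per-packet summary and the workflow of saving a capture with `-w` during an incident and reading it back later with `tcpdump -r`. The script below is an added example, not part of the original page or of the tcpdump project: it parses the summary lines that `tcpdump -n -tt -r capture.pcap tcp` prints (epoch timestamp, `IP src.port > dst.port: Flags [..]`), groups initial SYNs per source host, and reports sources that probed several ports without completing a handshake, which is the same SYN-without-ACK condition the `tcp[tcpflags]` filter in the examples expresses. The sample lines are constructed for the example; the thresholds in `suspicious_sources` are assumptions to tune per network.

```python
"""Summarize TCP handshakes from tcpdump -n -tt summary output.

Added example (not from the original page). The SAMPLE text below is
constructed to mimic `tcpdump -n -tt -r capture.pcap tcp` output; only
the fields tcpdump prints by default are used.
"""
import re
from collections import defaultdict

# Matches the default IPv4 TCP summary line, e.g.
# "1700000000.123456 IP 192.168.1.100.51234 > 10.0.0.5.80: Flags [S], seq 1, win 64240, length 0"
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed sample: one completed handshake from .100, then a burst of
# SYNs from .200 to several ports on the same server that get no SYN-ACK.
SAMPLE = """\
1700000000.100000 IP 192.168.1.100.51234 > 10.0.0.5.80: Flags [S], seq 100, win 64240, options [mss 1460], length 0
1700000000.100500 IP 10.0.0.5.80 > 192.168.1.100.51234: Flags [S.], seq 900, ack 101, win 65160, options [mss 1460], length 0
1700000000.101000 IP 192.168.1.100.51234 > 10.0.0.5.80: Flags [.], ack 1, win 502, length 0
1700000000.102000 IP 192.168.1.100.51234 > 10.0.0.5.80: Flags [P.], seq 1:78, ack 1, win 502, length 77
1700000001.000000 IP 192.168.1.200.40000 > 10.0.0.5.22: Flags [S], seq 1, win 1024, length 0
1700000001.000100 IP 10.0.0.5.22 > 192.168.1.200.40000: Flags [R.], seq 0, ack 2, win 0, length 0
1700000001.000200 IP 192.168.1.200.40001 > 10.0.0.5.23: Flags [S], seq 1, win 1024, length 0
1700000001.000300 IP 192.168.1.200.40002 > 10.0.0.5.443: Flags [S], seq 1, win 1024, length 0
1700000001.000400 IP 192.168.1.200.40003 > 10.0.0.5.3306: Flags [S], seq 1, win 1024, length 0
1700000001.000500 IP 192.168.1.200.40004 > 10.0.0.5.8080: Flags [S], seq 1, win 1024, length 0
"""


def parse_line(line):
    """Return ts/src/sport/dst/dport/flags for an IPv4 TCP summary line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = float(d["ts"])
    d["sport"] = int(d["sport"])
    d["dport"] = int(d["dport"])
    return d


def parse_capture(text):
    """Parse all lines, skipping anything that is not an IPv4 TCP summary (ARP, UDP, ...)."""
    return [p for p in (parse_line(ln) for ln in text.splitlines()) if p]


def handshake_summary(packets):
    """Per source IP: SYN targets, distinct destination ports, and SYNs answered with SYN-ACK.

    In tcpdump flag notation 'S' is SYN and '.' is ACK, so a SYN without ACK
    is 'S' alone and a SYN-ACK is 'S.' (the same condition as the BPF
    expression tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn).
    """
    syns = defaultdict(set)      # src -> {(dst, dport)} it sent initial SYNs to
    answered = defaultdict(set)  # client -> {(server, sport)} that replied with SYN-ACK
    for p in packets:
        flags = p["flags"]
        if "S" in flags and "." not in flags:
            syns[p["src"]].add((p["dst"], p["dport"]))
        elif "S" in flags and "." in flags:
            # SYN-ACK travels server -> client, so the client is the destination here
            answered[p["dst"]].add((p["src"], p["sport"]))
    summary = {}
    for src, targets in syns.items():
        summary[src] = {
            "syn_targets": len(targets),
            "ports": sorted({port for _, port in targets}),
            "answered": len(targets & answered[src]),
        }
    return summary


def suspicious_sources(summary, min_ports=4):
    """Sources that sent SYNs to >= min_ports distinct ports and got SYN-ACKs for at most half.

    min_ports is an assumed threshold; tune it for the network being reviewed.
    """
    return sorted(
        src for src, s in summary.items()
        if len(s["ports"]) >= min_ports and s["answered"] <= len(s["ports"]) // 2
    )


if __name__ == "__main__":
    summ = handshake_summary(parse_capture(SAMPLE))
    for src, s in summ.items():
        print(f"{src}: {s['syn_targets']} SYN(s) to ports {s['ports']}, {s['answered']} answered")
    print("sources to review:", suspicious_sources(summ))
```

To run it against a real capture, pipe the reader's output into the script in place of the constructed sample: `tcpdump -n -tt -r capture.pcap tcp | python3 summarize.py` with `SAMPLE` replaced by `sys.stdin.read()`. Using `-n` keeps the addresses numeric so the regex matches, and `-tt` gives epoch timestamps that sort and diff cleanly.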
