~/ linuxnetwork.net

tcpdump – Command-Line Packet Analyzer: A Comprehensive Guide

In the realm of network troubleshooting, monitoring, and security analysis, understanding the flow of data across a network is critical. tcpdump is a powerful, open-source command-line packet analyzer that allows users to capture and inspect network traffic in real time or from pre-saved files. Developed in the 1980s, tcpdump has become a staple tool for network engineers, system administrators, and security professionals due to its flexibility, lightweight nature, and deep integration with the operating system’s packet capture infrastructure (via libpcap).

Unlike graphical tools like Wireshark, tcpdump operates entirely in the terminal, making it ideal for remote servers, headless systems, or environments where GUI access is limited. Its strength lies in its ability to filter traffic with precision using Berkeley Packet Filter (BPF) syntax, enabling users to isolate specific protocols, IP addresses, ports, or packet characteristics.

This blog will guide you through tcpdump’s installation, basic and advanced usage, common filters, best practices, and troubleshooting tips. By the end, you’ll be equipped to leverage tcpdump for network diagnostics, security auditing, and traffic analysis.

Table of Contents#

  1. Installation
  2. Basic Syntax
  3. Understanding the Output
  4. Common Use Cases & Filters
  5. Advanced Usage
  6. Best Practices
  7. Troubleshooting Common Issues
  8. Example Scenarios
  9. References

Installation#

tcpdump is pre-installed on most Linux and macOS systems. For Windows, it can be run via WSL (Windows Subsystem for Linux) or with WinPcap (a Windows port of libpcap). Below are installation steps for common operating systems:

Linux#

  • Debian/Ubuntu: 
    sudo apt update && sudo apt install tcpdump
  • RHEL/CentOS: 
    sudo yum install tcpdump   # RHEL 7/CentOS 7
sudo dnf install tcpdump   # RHEL 8+/CentOS 8+
  • Fedora: 
    sudo dnf install tcpdump

macOS#

tcpdump is pre-installed. Verify with:

tcpdump --version

If missing, install via Homebrew:

brew install tcpdump

Windows#

  • WSL: Install a Linux distribution (e.g., Ubuntu) via the Microsoft Store, then follow the Linux installation steps.
  • WinPcap/Npcap: Install WinPcap or Npcap (recommended for modern systems), then use a tool like tcpdump for Windows or WSL.

Basic Syntax#

The core syntax of tcpdump is:

tcpdump [options] [filter expression]
  • Options: Modify behavior (e.g., save to file, limit packets, verbosity).
  • Filter Expression: Uses BPF syntax to isolate specific traffic (e.g., port 80, host 192.168.1.1).

Key Options#

OptionDescription
-i <interface>Specify the network interface to capture on (e.g., eth0, wlan0). Use any to capture on all interfaces.
-w <file>Save captured packets to a file (binary format, readable by tcpdump/Wireshark).
-r <file>Read packets from a saved file.
-c <count>Stop after capturing <count> packets.
-nDisable DNS resolution (show IP addresses instead of hostnames).
-nnDisable DNS resolution for both IPs and ports (show port numbers instead of service names).
-v, -vv, -vvvIncrease verbosity (more details about packets).
-XShow packet data in hex and ASCII.
-XXShow full packet data (including link-layer headers) in hex and ASCII.
-s <snaplen>Set snapshot length (bytes to capture per packet; default 65535). Use -s 0 to capture entire packets.

Understanding the Output#

By default, tcpdump prints a summary of each captured packet. Let’s break down a sample output line:

12:34:56.789012 IP 192.168.1.100.49152 > 203.0.113.5.80: Flags [S], seq 123456789, win 65535, options [mss 1460,sackOK,TS val 12345 ecr 0,nop,wscale 7], length 0
  • Timestamp: 12:34:56.789012 (local time by default; use -t for no timestamp, -tttt for full date).
  • Protocol: IP (could also be ARP, ICMP, etc.).
  • Source: 192.168.1.100.49152 (IP:port).
  • Destination: 203.0.113.5.80 (IP:port).
  • TCP Flags: [S] (SYN flag; other flags: [.] (ACK), [P] (PSH), [R] (RST), [F] (FIN)).
  • Sequence Number: seq 123456789.
  • Window Size: win 65535 (bytes available in the receive buffer).
  • Options: TCP options (e.g., mss = maximum segment size, sackOK = selective ACK enabled).
  • Length: length 0 (payload size in bytes; 0 for SYN packets).

Common Use Cases & Filters#

Filters are the heart of tcpdump. They let you focus on relevant traffic using BPF syntax. Below are common filters and examples.

Capturing on a Specific Interface#

List all interfaces first:

tcpdump -D   # Lists available interfaces (e.g., eth0, wlan0, lo)

Capture on eth0:

tcpdump -i eth0

Filtering by Protocol#

Capture only TCP traffic:

tcpdump tcp

Capture only UDP traffic:

tcpdump udp

Capture ICMP (e.g., ping) traffic:

tcpdump icmp

Filtering by Port#

Capture traffic on port 80 (HTTP):

tcpdump port 80

Capture traffic on port range 1000-2000:

tcpdump portrange 1000-2000

Capture source port 22 (SSH):

tcpdump src port 22

Capture destination port 443 (HTTPS):

tcpdump dst port 443

Filtering by IP Address#

Capture traffic to/from 192.168.1.100:

tcpdump host 192.168.1.100

Capture source IP 10.0.0.5:

tcpdump src host 10.0.0.5

Capture destination IP 203.0.113.0/24 (CIDR range):

tcpdump dst net 203.0.113.0/24

Filtering by TCP Flags#

TCP flags are critical for analyzing connections (e.g., SYN for new connections, RST for reset). Use the tcp[13] field (TCP header flags) to filter:

  • SYN packets (new connection attempts): 
    tcpdump 'tcp[13] & 2 != 0'   # 2 = SYN flag
  • SYN-ACK packets (connection acceptance): 
    tcpdump 'tcp[13] & 18 != 0'  # 16 (ACK) + 2 (SYN) = 18
  • FIN packets (connection termination): 
    tcpdump 'tcp[13] & 1 != 0'   # 1 = FIN flag

Combining Filters with Logical Operators#

Use and, or, not (or &&, ||, !) to combine conditions:

  • Capture TCP on port 80 from 192.168.1.100: 
    tcpdump 'tcp port 80 and src host 192.168.1.100'
  • Capture UDP or ICMP traffic: 
    tcpdump 'udp or icmp'
  • Capture all traffic except port 22: 
    tcpdump 'not port 22'

Advanced Usage#

Saving Captures to a File#

To analyze traffic later or share with tools like Wireshark, save captures to a .pcap file:

tcpdump -i eth0 -w capture.pcap   # Save to capture.pcap

Note: The file is binary; use -r to read it later.

Reading Saved Captures#

Read a saved .pcap file and apply filters:

tcpdump -r capture.pcap port 80   # Read capture.pcap and filter port 80

Verbose and Detailed Output#

Use -v, -vv, or -vvv for more details (e.g., TTL, checksum, TCP options):

tcpdump -i eth0 -vv tcp port 443

Limiting Packet Count and Size#

Capture only 100 packets:

tcpdump -c 100

Capture full packets (no truncation):

tcpdump -s 0   # -s 0 captures the entire packet (default is 65535 bytes)

Hex and ASCII Dump#

View packet payloads in hex and ASCII with -X (excludes link-layer headers) or -XX (includes link-layer headers):

tcpdump -i eth0 -X port 80   # Show HTTP payloads in hex/ASCII

Best Practices#

  1. Run with Appropriate Privileges: tcpdump requires root/sudo to access raw network interfaces:

    sudo tcpdump [options]

  2. Limit Capture Scope: Avoid capturing all traffic on a busy interface (e.g., tcpdump -i any). Use filters to target specific traffic (e.g., port 443 and host 192.168.1.1).

  3. Secure Capture Files: Captures may contain sensitive data (passwords, API keys). Restrict file permissions:

    chmod 600 capture.pcap   # Only owner can read/write

  4. Avoid DNS Overhead: Use -n to disable DNS resolution, which speeds up captures and avoids leaking DNS queries.

  5. Rotate Large Captures: For long-term monitoring, use -G <seconds> to rotate files (e.g., -G 3600 creates a new file every hour) and -W <count> to limit the number of files:

    tcpdump -i eth0 -G 3600 -W 24 -w capture_%Y%m%d_%H%M%S.pcap   # 24 files, 1 per hour

  6. Clean Up: Delete unnecessary capture files after analysis to free disk space and reduce security risks.

Troubleshooting Common Issues#

  • "tcpdump: no suitable device found":
    Specify an interface with -i (e.g., tcpdump -i eth0). List interfaces with tcpdump -D.

  • "permission denied":
    Run with sudo (tcpdump needs root privileges to capture packets).

  • Filters Not Working:
    Ensure BPF syntax is correct (e.g., use and instead of && in filters). Test filters with tcpdump -d <filter> to debug BPF bytecode:

    tcpdump -d 'port 80 and host 192.168.1.1'

  • Capturing Too Much Data:
    Use -c to limit packet count, or filters to narrow traffic (e.g., src host 10.0.0.5).

Example Scenarios#

Scenario 1: Troubleshoot a Web Server (Port 80/443)#

Capture HTTP/HTTPS traffic to a server at 192.168.1.200:

sudo tcpdump -i eth0 -nn 'host 192.168.1.200 and (port 80 or port 443)'

Check for SYN packets (connection attempts) or RST packets (failed connections).

Scenario 2: Monitor DNS Queries (Port 53)#

Track DNS traffic to identify misconfigured resolvers:

sudo tcpdump -i eth0 -n udp port 53   # UDP is used for most DNS queries

Scenario 3: Detect SYN Flood Attacks#

A SYN flood sends many SYN packets without completing the TCP handshake. Detect with:

sudo tcpdump -i eth0 'tcp[13] & 2 != 0'   # Capture all SYN packets

If you see an unusually high number of SYN packets from a single IP, it may indicate an attack.

References#

By mastering tcpdump, you gain a powerful tool to diagnose network issues, secure systems, and understand traffic patterns. Start with simple filters, experiment with saving/reading captures, and gradually explore advanced use cases to become proficient.

2026-04