tcpdump: Command-Line Packet Capture

When something breaks on a remote server at 2am and you're connected over SSH, you can't install Wireshark. But you have tcpdump. It's already there, waiting on nearly every Unix-like system, ready to show you exactly what's happening on the wire.

Every packet tells a story: who spoke, who answered, and what they said. tcpdump lets you read those stories.

Your First Capture

The simplest command captures everything on your default interface:

sudo tcpdump

Packet summaries scroll past—timestamps, sources, destinations, protocols. On a busy network, this firehose of information overwhelms. You need filters.

To capture on a specific interface:

sudo tcpdump -i eth0

Not sure which interfaces exist? List them:

tcpdump -D

Saving Captures

Real-time analysis works for quick checks, but complex problems need saved captures:

sudo tcpdump -w capture.pcap

The .pcap format is universal—open it later with tcpdump or transfer it to Wireshark for graphical analysis:

tcpdump -r capture.pcap

On busy networks, limit what you capture:

sudo tcpdump -c 100 -w capture.pcap

This stops after exactly 100 packets. For long-running captures, rotate files:

sudo tcpdump -w capture.pcap -C 10 -W 5

This creates 10 MB files, keeping only the 5 most recent (capture.pcap0 through capture.pcap4).

Filtering: Finding the Signal

The real power of tcpdump is filtering. Without filters, you're drowning in noise. With them, you see exactly the conversation you care about.

Capture traffic involving one host:

sudo tcpdump host 192.168.1.100

Capture traffic in one direction:

sudo tcpdump src host 192.168.1.100
sudo tcpdump dst host 192.168.1.100

Filter by network:

sudo tcpdump net 192.168.1.0/24

Filter by port:

sudo tcpdump port 80
sudo tcpdump src port 80
sudo tcpdump dst port 80

Filter by protocol:

sudo tcpdump icmp
sudo tcpdump tcp
sudo tcpdump udp

Combining Filters

Logical operators create precise filters:

# Both conditions must match
sudo tcpdump host 192.168.1.100 and port 80

# Either condition matches
sudo tcpdump port 80 or port 443

# Exclude traffic
sudo tcpdump not port 22

# Complex grouping (quotes prevent shell interpretation)
sudo tcpdump '(port 80 or port 443) and host 192.168.1.100'

Seeing More

Packet summaries show metadata. To see actual content:

# Hex and ASCII
sudo tcpdump -X

# More protocol details
sudo tcpdump -v    # verbose
sudo tcpdump -vv   # more verbose
sudo tcpdump -vvv  # maximum detail

Disable name resolution for speed and clarity:

sudo tcpdump -n    # no DNS lookups
sudo tcpdump -nn   # no DNS or port name lookups

This prevents tcpdump from making DNS queries that might affect what you're diagnosing.

Reading the Output

A TCP packet looks like:

10:30:45.123456 IP 192.168.1.100.54321 > 203.0.113.50.80: Flags [S], seq 1234567890, win 65535, length 0

Breaking it down:

• 10:30:45.123456 — timestamp
• 192.168.1.100.54321 — source IP and port
• 203.0.113.50.80 — destination IP and port
• Flags [S] — TCP flags (S = SYN)
• seq 1234567890 — sequence number
• win 65535 — window size
• length 0 — payload bytes (0 for a SYN)

TCP flags tell the story:

• [S] — SYN: "I want to connect"
• [S.] — SYN-ACK: "Connection accepted"
• [.] — ACK: "Got it"
• [P] — PSH: "Here's data, process it now"
• [F] — FIN: "I'm done"
• [R] — RST: "Connection refused" or "Something's wrong"

Practical Troubleshooting

Can't reach a web server?

sudo tcpdump -n host server.example.com and port 80

Try accessing the server while tcpdump runs. SYN packets going out but no SYN-ACK coming back? The server isn't responding. RST packets? Something is actively refusing the connection. The packets don't lie.

DNS problems?

sudo tcpdump -n port 53

Watch queries go out and responses come back. See which DNS server you're hitting and what it returns.

Capturing without capturing yourself?

sudo tcpdump -w capture.pcap not port 22

Excludes your SSH session from the capture.

See all broadcast traffic:

sudo tcpdump -n '(broadcast or multicast)'

Advanced Filters

Capture only TCP SYN packets (connection attempts):

sudo tcpdump 'tcp[tcpflags] & tcp-syn != 0'

Capture TCP RST packets (resets):

sudo tcpdump 'tcp[tcpflags] & tcp-rst != 0'

Capture HTTP GET requests:

sudo tcpdump -s 0 -A 'tcp port 80 and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420)'

This examines TCP payload for the bytes "GET " (0x47455420). The -s 0 captures full packets; -A displays as ASCII.

Piping to Wireshark

Capture on a remote server, analyze locally:

# On remote server
sudo tcpdump -w capture.pcap -c 1000

# Copy and open
scp user@server:/path/to/capture.pcap .
wireshark capture.pcap

For real-time remote analysis:

ssh user@server 'sudo tcpdump -w - -U' | wireshark -k -i -

The -U forces per-packet output; -w - writes to stdout. Wireshark's -k -i - starts immediately, reading from stdin.

Security Considerations

tcpdump captures everything—passwords, tokens, private data. Treat capture files as sensitive. Delete them when done.

It requires root because it puts interfaces into promiscuous mode, capturing all visible traffic including packets not addressed to your system.

On switched networks, you mainly see broadcast, multicast, and traffic destined for you. To capture traffic between other hosts, you need port mirroring or network taps.