Master Linux Packet Capture: A Hands‑On Guide to Using tcpdump
This tutorial explains the principles behind Linux packet capture, introduces tcpdump, shows how to install it, details its command‑line options, and provides practical examples for capturing, filtering, and saving network traffic for analysis with Wireshark.
Understanding how to capture and analyze network traffic is essential for diagnosing problems and learning protocol behavior; this guide walks you through the Linux packet‑capture mechanism and the powerful tcpdump tool.
Part 1 – Linux Packet‑Capture Principle
Linux captures packets by registering a virtual network protocol that intercepts messages from the network device. When a packet arrives, the kernel iterates over all registered protocols (e.g., Ethernet, X.25) and lets the first one that claims the packet process it, similar to how file‑system mounts work.
The capture module pretends to be a protocol, receives a copy of each packet, and reports it to the user.
Part 2 – Introduction to tcpdump
tcpdump is a command‑line utility for capturing packets on a network interface. It works by reading raw data from the NIC and can save the output for later analysis with tools like Wireshark.
By default tcpdump does not capture traffic that stays within the host; to capture other hosts' traffic you must enable promiscuous mode (root only).
Part 3 – Using tcpdump
1. Install tcpdump (if not already present)
[root@verysu ~]# tcpdump -h
-bash: tcpdump: command not found

Install via yum:

[root@verysu ~]# yum -y install tcpdump

After installation, verify the version:

[root@verysu ~]# tcpdump -h
tcpdump version 4.9.2
libpcap version 1.5.3
OpenSSL 1.0.2k-fips Jan 2017
Usage: tcpdump [-aAbdDefhHIJKlLnNOpqStuUvxX#] ...

Key options include:
-A: print each packet in ASCII
-a: resolve addresses to names
-c <count>: stop after capturing a given number of packets
-i <interface>: select the network interface (e.g., eth0)
-w <file>: write captured packets to a file
-n: show numeric IP addresses (no name resolution)
-p: do not put the interface into promiscuous mode
2. Basic capture commands
Capture all traffic on the first interface (equivalent to tcpdump -i eth0):
# tcpdump    (first NIC)

Capture traffic to/from a specific host (e.g., Google):
# tcpdump -i eth0 host www.google.com

Capture packets for specific hosts (filters can also match a MAC address or an IP range), for example:
# tcpdump host 210.27.48.1 and \( 210.27.48.2 or 210.27.48.3 \)
The parentheses are part of the filter expression, so they must be escaped (or the whole expression quoted); otherwise the shell interprets them as a subshell.

Capture only IP packets from a host while excluding another:
# tcpdump ip host ace and not helios

When capturing traffic between processes on the same host, the packets may only pass through the lo interface, not the physical NIC.
Part 4 – Saving Captured Data
To save packets for later analysis with Wireshark:
# tcpdump tcp -w test.pcap

The resulting .pcap file can be opened in Wireshark for detailed inspection.
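The following POSIX shell script is an added example, not code from the original article: it wraps the capture and save commands from Parts 3 and 4 into functions, builds the host filter as a single argument so the shell never sees the parentheses, verifies that the file tcpdump wrote really is a capture by its magic number, and adds the check a defender wants after a capture session: whether the interface was left in promiscuous mode (Part 2). The interface name, the addresses and the sample `ip link show` line are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original article. Helpers around the
# article's tcpdump commands; interface names, addresses and the sample
# `ip link` line are constructed for illustration.

# Compose the host filter from Part 3 as one string. tcpdump parses the
# parentheses itself; passing the expression as a single argument keeps the
# shell from treating "(" and ")" as a subshell.
build_filter() {
    # $1 = central host, $2 and $3 = peers it may talk to
    printf 'host %s and (%s or %s)' "$1" "$2" "$3"
}

# Capture a bounded number of packets to a file for Wireshark (Part 4).
# -n: numeric addresses (no DNS lookups during capture)
# -c: stop after N packets, so the capture cannot run unbounded
# -w: write raw packets in pcap format instead of decoding to the terminal
capture_to_pcap() {
    # $1 = interface, $2 = packet count, $3 = output file, $4 = filter
    if ! command -v tcpdump >/dev/null 2>&1; then
        echo 'tcpdump is not installed (yum -y install tcpdump)' >&2
        return 2
    fi
    tcpdump -i "$1" -n -c "$2" -w "$3" "$4"
}

# Verify that a file is really a capture by its 4-byte magic number:
# classic pcap in either byte order, nanosecond pcap, or pcapng.
pcap_magic_ok() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        d4c3b2a1|a1b2c3d4|4d3cb2a1|a1b23c4d|0a0d0d0a) return 0 ;;
        *) return 1 ;;
    esac
}

# Report whether an interface is in promiscuous mode (Part 2) by reading the
# flag list "<...,PROMISC,...>" from the first line of `ip link show` output.
# Takes the line as an argument so it can be checked on constructed input.
iface_is_promisc() {
    flags=$(printf '%s\n' "$1" | sed -n 's/.*<\([^>]*\)>.*/\1/p')
    case ",$flags," in
        *,PROMISC,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage (as root, since capturing needs raw socket access): sh capture.sh run
if [ "${1-}" = run ]; then
    filter=$(build_filter 210.27.48.1 210.27.48.2 210.27.48.3)
    capture_to_pcap eth0 20 test.pcap "$filter" || exit 1
    pcap_magic_ok test.pcap && echo 'test.pcap is a valid capture; open it in Wireshark'
    if iface_is_promisc "$(ip link show eth0 2>/dev/null | head -n 1)"; then
        echo 'eth0 is still in promiscuous mode'
    else
        echo 'eth0 is not in promiscuous mode'
    fi
fi
```

The magic-number check is cheap insurance: a capture interrupted before tcpdump wrote its header, or a file written by something other than tcpdump, is caught before anyone tries to open it in Wireshark. The promiscuous-mode check is what you run after a capture session to confirm the NIC flag was cleared again (`-p` avoids setting it in the first place when only the host's own traffic is of interest).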
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)