Operations 28 min read

Master tcpdump: Complete Guide to Capturing and Analyzing Network Traffic

This comprehensive tutorial explains what tcpdump is, how it differs from Wireshark, walks through its core parameters, output format, common and advanced filtering rules, optional flags, and provides dozens of practical command‑line examples for precise packet capture on Unix systems.


This article introduces tcpdump, a command-line packet capture tool for Unix-like systems, and contrasts it with the graphical Wireshark. Both capture through libpcap and accept the same capture-filter syntax (BPF), so every filter expression in this guide also works as a Wireshark capture filter; Wireshark adds a GUI and deep protocol dissection, while tcpdump is what you have on a headless server and pipes cleanly into other tools. Opening an interface requires root privileges (or, on Linux, the CAP_NET_RAW and CAP_NET_ADMIN capabilities).

1. tcpdump Core Parameters Illustrated

To capture only the packets you need, you give tcpdump a filter expression. An invocation has the form tcpdump [options] [filter expression], and the expression is built from primitives, each a qualifier followed by a value.

Example: $ tcpdump host 192.168.10.100

Three kinds of qualifier combine in a primitive: a type qualifier (host, net, port, portrange) says what the value is; an optional direction qualifier (src, dst) restricts which end of the packet it applies to; an optional protocol qualifier (ip, ip6, tcp, udp, ether) restricts the protocol. Writing src host 192.168.10.100 therefore matches only packets sent by that address, whereas the bare host primitive matches packets to or from it. Options such as -i, -n and -w must come before the expression: tcpdump treats everything from the first non-option word onward as part of the filter.

2. Understanding tcpdump Output

2.1 Output Structure

Sample output line:

21:26:49.013621 IP 172.20.20.1.15605 > 172.20.20.2.5920: Flags [P.], seq 49:97, ack 106048, win 4723, length 48

The fields are: timestamp, protocol (IP, IP6 or ARP), source address and port (separated by a dot), the direction arrow, destination address and port, then protocol-specific details after the colon. For TCP: Flags [P.] means PSH and ACK are set; seq 49:97 is the range of payload byte numbers carried by this segment (48 bytes, matching length 48), printed relative to the connection's initial sequence number unless -S is given; ack 106048 is the acknowledgment number; win 4723 the advertised receive window; length 48 the TCP payload length in bytes.

2.2 Flags

The Flags [...] field lists the TCP flag bits set in the segment, one character per flag:

[S]: SYN (start connection)
[P]: PSH (push data)
[F]: FIN (end connection)
[R]: RST (reset connection)
[U]: URG (urgent pointer valid)
[W]: CWR, [E]: ECE (ECN congestion signalling)
[.]: ACK, printed as a dot
[none]: no flag bit set

Characters combine: [S.] is a SYN-ACK, [P.] a data segment with PSH and ACK, [F.] a FIN-ACK, and a bare [.] is a pure acknowledgment with no flag other than ACK.
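As an added illustration (not code from the original article), here is a small Python parser for the line format described above: it splits a tcpdump -nn line into its fields, decodes the Flags characters into flag names, and, since the source address is then a proper field, also does the per-source counting that section 8.3 does with cut | sort | uniq. The sample lines are constructed for this example (the first is the line shown above); the parser assumes IPv4 and tcpdump's default single-line output.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -nn` output: the first line is the one shown in
# the article, the rest are made up to cover a pure ACK, a SYN/SYN-ACK pair and ICMP.
SAMPLE = """\
21:26:49.013621 IP 172.20.20.1.15605 > 172.20.20.2.5920: Flags [P.], seq 49:97, ack 106048, win 4723, length 48
21:26:49.013700 IP 172.20.20.2.5920 > 172.20.20.1.15605: Flags [.], ack 97, win 501, length 0
21:26:49.020001 IP 10.0.0.5.44122 > 172.20.20.2.80: Flags [S], seq 1000, win 64240, options [mss 1460], length 0
21:26:49.020300 IP 172.20.20.2.80 > 10.0.0.5.44122: Flags [S.], seq 2000, ack 1001, win 65160, options [mss 1460], length 0
21:26:49.030000 IP 10.0.0.5 > 172.20.20.2: ICMP echo request, id 1, seq 1, length 64
"""

# One character per flag bit in the Flags [...] field; ACK is printed as a dot.
FLAG_NAMES = {"S": "SYN", "F": "FIN", "P": "PSH", "R": "RST",
              "U": "URG", "W": "CWR", "E": "ECE", ".": "ACK"}

# time, "IP", src[.port] > dst[.port]: rest   (IPv4 only; a port may be a name without -nn)
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+IP\s+"
    r"(?P<src>\d+(?:\.\d+){3})(?:\.(?P<sport>\w+))?\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})(?:\.(?P<dport>\w+))?:\s*(?P<rest>.*)$")
FLAGS_RE = re.compile(r"Flags \[(?P<f>[^\]]*)\]")
FIELD_RE = re.compile(r"\b(seq|ack|win|length) ([\d:]+)")


def decode_flags(chars):
    """'P.' -> {'PSH', 'ACK'}; tcpdump prints [none] when no flag bit is set."""
    if chars == "none":
        return set()
    return {FLAG_NAMES.get(c, c) for c in chars}


def _port(p):
    if p is None:            # no port: ICMP, or another non-TCP/UDP line
        return None
    return int(p) if p.isdigit() else p


def parse_line(line):
    """Return a dict of the fields of one tcpdump line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m["rest"]
    flags = FLAGS_RE.search(rest)
    fields = dict(FIELD_RE.findall(rest))

    def num(key):
        return int(fields[key]) if key in fields else None

    return {
        "time": m["ts"],
        "src": m["src"], "sport": _port(m["sport"]),
        "dst": m["dst"], "dport": _port(m["dport"]),
        "flags": decode_flags(flags["f"]) if flags else None,   # None for non-TCP
        "seq": fields.get("seq"),     # kept as text: "49:97" is a byte range
        "ack": num("ack"), "win": num("win"), "length": num("length"),
    }


def top_talkers(text, n=20):
    """Packets per source address: the aggregation section 8.3 does with cut/sort/uniq."""
    counts = Counter(r["src"] for r in map(parse_line, text.splitlines()) if r)
    return counts.most_common(n)


if __name__ == "__main__":
    for rec in filter(None, map(parse_line, SAMPLE.splitlines())):
        kind = "+".join(sorted(rec["flags"])) if rec["flags"] is not None else "non-TCP"
        print(f"{rec['time']} {rec['src']}:{rec['sport']} -> {rec['dst']}:{rec['dport']} "
              f"{kind} payload={rec['length']}")
    print(top_talkers(SAMPLE))
```

Feed it real output with tcpdump -nn -t -l | python3 parse.py style piping once you have it; the -nn matters because a resolved host name would not match the dotted-quad pattern.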

3. Common Filtering Rules

3.1 Filter by IP address (host)

$ tcpdump host 192.168.10.100

3.2 Filter by network (net)

$ tcpdump net 192.168.10.0/24

3.3 Filter by port

$ tcpdump port 8088

Ports can be qualified by direction (src port 22, dst port 443) and ranges are written with portrange, for example portrange 8000-8100. Without a protocol qualifier, port matches both TCP and UDP, so write tcp port 8088 or udp port 53 when the distinction matters.

3.4 Filter by protocol (proto)

$ tcpdump icmp

3.5 Filter by IP version

The ip and ip6 qualifiers restrict a filter to IPv4 or IPv6, and ip proto / ip6 proto match on the protocol (next-header) number. Note that tcp, udp and icmp are reserved words in the filter language, so as a value after proto they must either be escaped with a backslash or given numerically:

$ tcpdump 'ip proto \tcp'
$ tcpdump 'ip6 proto 6'

The first means TCP over IPv4, the second TCP over IPv6; a plain tcpdump tcp matches TCP over either version. The single quotes keep the shell from eating the backslash.

4. Optional Parameter Explanation

4.1 Disable DNS resolution

-n: Do not convert addresses (hosts, ports) to names. This avoids the reverse DNS lookups that slow the capture down, that add DNS packets to the capture, and that tell the owner of an address that someone is resolving it.
-nn: On older releases -n suppressed only host lookups and a second n was needed to also suppress port and protocol names; current releases suppress all of them with -n, and -nn remains a common, harmless habit.
-N: Print host names without the domain part (bar instead of bar.example.com).

4.2 Write captured packets to a file

$ tcpdump -w icmp.pcap icmp

4.3 Read packets from a file

$ tcpdump -r all.pcap icmp

Options go before the filter expression. Written with the expression first (tcpdump icmp -w icmp.pcap), the -w is treated as part of the filter and rejected as a syntax error on systems whose getopt does not reorder arguments; GNU getopt on Linux happens to reorder, which is why the wrong order sometimes works there. A file written with -w holds the raw packets, so a filter applied later with -r can be more specific than the one used at capture time. When piping -w output to another process, add -U so each packet is written as it arrives instead of being block-buffered.

4.4 Control output detail

-v: Verbose output. For IP packets the TTL, identification, total length and options are printed, and IP and ICMP header checksums are verified.
-vv: More verbose, for example extra fields from NFS replies and full decoding of SMB packets.
-vvv: Most verbose, for example telnet option negotiation printed in full.

4.5 Control time display

-t: No timestamp.
-tt: Raw timestamp (seconds and microseconds since the Unix epoch), convenient for correlating with log files.
-ttt: Delta since the previous line.
-tttt: Date and time (YYYY-MM-DD HH:MM:SS.usec).
-ttttt: Delta since the first packet of the capture.

Timestamps are taken by the kernel at capture time from the local clock, so keep capture hosts NTP-synchronized if captures will be correlated across systems.

4.6 Show packet contents in hex

-x: Print the headers and payload of each packet in hex, without the link-layer header.
-xx: Same, including the link-layer header.
-X: Print each packet in hex and ASCII side by side, without the link-layer header.
-XX: Same, including the link-layer header.

Only the captured bytes are printed, so combine these with a snap length (-s) large enough to hold the whole packet.

4.7 Capture on a specific interface

$ tcpdump -i eth0 ...

tcpdump -D lists the interfaces it can open. On Linux, -i any captures on all interfaces at once; the link-layer header is then the Linux cooked format rather than Ethernet, so ether filters do not apply. Without -i, tcpdump picks the first configured non-loopback interface, which on a multi-homed host may not be the one you want.

4.8 Capture direction

$ tcpdump -Q in

-Q takes in, out or inout (the default) and keeps only packets received by or sent from the host; whether it is honoured depends on the platform and link type.

4.9 Other useful flags

-A: Print each packet's payload in ASCII (useful for clear-text protocols such as HTTP).
-l: Line-buffer stdout, so output appears immediately when piped to grep or tee.
-q: Quiet output, fewer protocol details per line.
-c N: Stop after N packets.
-s N: Snap length, the number of bytes captured per packet. tcpdump 4.0 and later default to 262144 bytes; older releases defaulted to 68 or 96 bytes, which truncated most payloads, hence the habit of writing -s 0 (full packet). -s 0 still works.
-S: Print absolute TCP sequence numbers instead of relative ones.
-C N: With -w, start a new file when the current one reaches N million bytes.
-G N: With -w, start a new file every N seconds; the file name is passed through strftime(3).
-F file: Read the filter expression from a file.
-e: Print the link-layer header (MAC addresses, VLAN tags) on each line.
-U: With -w, write each packet as soon as it is captured instead of buffering.
-Z user: Drop privileges to user once the capture device is open. Many distributions build tcpdump to do this by default, which is why -w into a directory writable only by root fails with a permission error.

5. Combining Filtering Rules

Logical operators and (or &&), or (or ||), and not (or !) can be used. Parentheses must be quoted in the shell, as must !; the safe habit is to single-quote the whole expression. tcpdump -d prints the compiled BPF program for an expression without capturing, which is the quickest way to check what a complicated filter actually matches.

$ tcpdump src 10.5.2.3 and dst port 3389
$ tcpdump 'src 10.0.2.4 and (dst port 3389 or 22)'

6. Special Filtering Rules

6.1 Filter by TCP flags

Byte 13 of the TCP header holds the flag bits: FIN = 1, SYN = 2, RST = 4, PSH = 8, ACK = 16, URG = 32, ECE = 64, CWR = 128. tcpdump accepts symbolic names, so a segment with SYN set is:

tcp[tcpflags] & tcp-syn != 0

or, with the numeric offset and bit value:

tcp[13] & 2 != 0

Both also match SYN-ACKs, because they only test that the SYN bit is set. To see connection attempts only (SYN set, ACK clear), compare the pair of bits: tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn.

6.2 Filter by packet size

$ tcpdump less 32

less N matches packets of at most N bytes and greater N packets of at least N bytes, measured as the length on the wire including the link-layer header.

6.3 Filter by MAC address

$ tcpdump ether host 00:11:22:33:44:55

6.4 Filter broadcast/multicast

$ tcpdump ether broadcast

ether multicast matches multicast frames (the broadcast address also has the multicast bit set, so it matches both); ip broadcast and ip multicast test the IP destination address instead.

7. How to Capture More Precise Packets?

Example: capture only HTTP POST requests.

$ tcpdump -s 0 -A -vv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354'

The high nibble of byte 12 of the TCP header (the data offset) gives the header length in 32-bit words. Masking with 0xf0 keeps that nibble in place, and shifting right by 2 converts words to bytes (shift right 4 to get the value, then left 2 to multiply by four). Indexing tcp[<that length>:4] therefore reads the first four payload bytes wherever the payload starts, which is why this works on segments carrying TCP options (data offset 8, a 32-byte header) where a fixed tcp[20:4] would read the options instead. 0x504f5354 is the ASCII encoding of "POST". -s 0 keeps the whole packet so -A can show the full request. A packet shorter than the indexed range, such as a pure ACK with no payload, is simply rejected by the filter.

8. Practical tcpdump Examples

8.1 Extract HTTP User-Agent

$ tcpdump -nn -A -s1500 -l | grep "User-Agent:"

-s1500 captures a full Ethernet frame and -l line-buffers the output so grep prints as the traffic arrives. Add a filter such as port 80 to avoid feeding every packet on the interface through the pipe.

8.2 Capture HTTP GET and POST

$ tcpdump -s 0 -A -vv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420'
$ tcpdump -s 0 -A -vv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354'

0x47455420 is "GET " with the trailing space (0x20), because the method is only three letters and the comparison is over four bytes.

8.3 Find the IP that sends the most packets

$ tcpdump -nnn -t -c 200 | cut -f1,2,3,4 -d '.' | sort | uniq -c | sort -nr | head -n 20

-t drops the timestamp so each line starts with the protocol and source address; cut keeps the first four dot-separated fields, which is the dotted-quad address, and drops the port in the fifth; sort | uniq -c | sort -nr counts and ranks the sources. The -n is essential here, since a resolved host name would break the dot-field arithmetic. -c 200 limits the sample; for anything larger, capture with -w and analyse the file afterwards.

8.4 Capture DNS traffic

$ tcpdump -i any -s0 port 53

port 53 matches both UDP and TCP DNS. Add -n, otherwise tcpdump's own reverse lookups generate DNS traffic that shows up in the capture.

8.5 Split pcap files

$ tcpdump -w /tmp/capture-%H.pcap -G 3600 -C 200

-G 3600 starts a new file every hour, with %H in the name expanded by strftime; use a more specific pattern such as %Y%m%d-%H if the capture runs longer than a day, otherwise the next day's file overwrites the previous one. -C 200 additionally rotates when a file reaches 200 MB, and when -G and -C are combined the size-rotated files get a sequence number appended. -W N limits the number of files: with -C it keeps a ring of N files, which is the simplest way to cap disk usage of a long-running capture.

8.6 Extract passwords from HTTP POST

$ tcpdump -s 0 -A -n -l | egrep -i "POST /|pwd=|passwd=|password=|Host:"

This only works for forms submitted over clear-text HTTP; TLS traffic shows nothing readable. It is a quick way to demonstrate why credentials must never travel over plain HTTP, and it must only be run on networks you are authorized to monitor.

8.7 Extract HTTP request URLs

$ tcpdump -s 0 -v -n -l | egrep -i "POST /|GET /|Host:"

Without -A this relies on tcpdump's built-in HTTP printer, which with -v prints the request line and headers of traffic on the well-known HTTP ports such as 80. For HTTP on other ports use -A as in 8.1.

8.8 Capture only HTTP payload (exclude SYN/FIN/ACK)

$ tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

ip[2:2] is the IP total length, (ip[0]&0xf)<<2 the IP header length and (tcp[12]&0xf0)>>2 the TCP header length, so the difference is the TCP payload length. The filter keeps only segments that carry data and drops the handshake and bare acknowledgments; it is the general form of the data-offset trick used in section 7.
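The byte-offset filters above (the SYN test in 6.1, the POST filter in section 7 and the payload-length test in 8.8) are easier to trust once you have watched the arithmetic run. The following is an added Python example, not code from the original article: it builds a few IPv4/TCP packets (constructed for the example, checksums left at zero), evaluates each filter exactly as the BPF expression does, and shows why the computed data offset matters on a segment that carries TCP options. It also serializes the packets into a classic pcap file so the same expressions can be cross-checked with tcpdump -r. Addresses, ports and payloads are invented.

```python
import struct

# --- constructed packets (addresses, ports and payloads invented for this example) ---

def build_ipv4_tcp(payload, options=b"", flags=0x18):
    """Raw IPv4 + TCP packet, no link-layer header. Checksums are left at zero:
    tcpdump reports them as bad, but filter expressions never look at them."""
    assert len(options) % 4 == 0, "TCP options must be padded to a 32-bit boundary"
    tcp_len = 20 + len(options)
    total_len = 20 + tcp_len + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, total_len,        # version 4, IHL 5 words; TOS; total length
                     0x1234, 0x4000, 64,        # id; DF flag; TTL
                     6, 0,                      # protocol TCP; header checksum
                     bytes([10, 0, 0, 5]), bytes([172, 20, 20, 2]))
    tcp = struct.pack("!HHIIBBHHH",
                      44122, 80, 1000, 2000,    # ports, seq, ack
                      (tcp_len // 4) << 4,      # data offset in 32-bit words, high nibble
                      flags, 65535, 0, 0)       # flags, window, checksum, urgent pointer
    return ip + tcp + options + payload

# --- the same accessors the tcpdump filter language provides ------------------------

def ip_at(pkt, off, size=1):
    """ip[off:size]: unsigned big-endian integer, or None when the packet is too
    short (BPF rejects the packet in that case)."""
    end = off + size
    return int.from_bytes(pkt[off:end], "big") if end <= len(pkt) else None

def ip_hdr_len(pkt):            # (ip[0] & 0xf) << 2
    return (ip_at(pkt, 0) & 0x0F) << 2

def tcp_at(pkt, off, size=1):
    """tcp[off:size]: libpcap locates the TCP header from the IPv4 IHL field."""
    return ip_at(pkt, ip_hdr_len(pkt) + off, size)

def tcp_hdr_len(pkt):           # (tcp[12] & 0xf0) >> 2
    return (tcp_at(pkt, 12) & 0xF0) >> 2

def syn_set(pkt):               # tcp[13] & 2 != 0   (also true for a SYN-ACK)
    return tcp_at(pkt, 13) & 0x02 != 0

def syn_only(pkt):              # tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn
    return tcp_at(pkt, 13) & 0x12 == 0x02

def starts_with_post(pkt):      # tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354
    return tcp_at(pkt, tcp_hdr_len(pkt), 4) == 0x504F5354

def naive_post(pkt):            # tcp[20:4] = 0x504f5354  -- silently wrong with options
    return tcp_at(pkt, 20, 4) == 0x504F5354

def payload_len(pkt):           # ip[2:2] - ((ip[0]&0xf)<<2) - ((tcp[12]&0xf0)>>2)
    return ip_at(pkt, 2, 2) - ip_hdr_len(pkt) - tcp_hdr_len(pkt)

# --- minimal classic pcap writer so `tcpdump -r` can check the same filters ---------

LINKTYPE_RAW = 101              # raw IPv4/IPv6 packets with no link-layer header

def pcap_bytes(packets):
    """Global header (magic, version 2.4, tz 0, sigfigs 0, snaplen, linktype) + records."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_RAW)
    for i, p in enumerate(packets):      # record: ts_sec, ts_usec, captured len, wire len
        out += struct.pack("<IIII", 1700000000 + i, 0, len(p), len(p)) + p
    return out

# NOP, NOP, Timestamp (kind 8, len 10) = 12 bytes of options -> data offset 8, 32-byte header
TS_OPTS = b"\x01\x01\x08\x0a" + struct.pack("!II", 1, 0)
PACKETS = {
    "post":      build_ipv4_tcp(b"POST /login HTTP/1.1\r\nHost: a\r\n\r\n"),
    "post_opts": build_ipv4_tcp(b"POST /login HTTP/1.1\r\n", options=TS_OPTS),
    "get":       build_ipv4_tcp(b"GET / HTTP/1.1\r\n"),
    "pure_ack":  build_ipv4_tcp(b"", flags=0x10),
    "syn":       build_ipv4_tcp(b"", flags=0x02, options=b"\x02\x04\x05\xb4"),  # MSS 1460
    "syn_ack":   build_ipv4_tcp(b"", flags=0x12),
}

if __name__ == "__main__":
    print(f"{'packet':10} hdr  syn    syn_only  post   tcp[20:4]  payload")
    for name, p in PACKETS.items():
        print(f"{name:10} {tcp_hdr_len(p):3}  {syn_set(p)!s:6} {syn_only(p)!s:9} "
              f"{starts_with_post(p)!s:6} {naive_post(p)!s:10} {payload_len(p)}")
    with open("tcpdump_filters.pcap", "wb") as f:
        f.write(pcap_bytes(PACKETS.values()))
    # cross-check: tcpdump -nr tcpdump_filters.pcap 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354'
```

The post_opts row is the one to look at: the header is 32 bytes, the data-offset filter still finds "POST", and the fixed tcp[20:4] reads the NOP/Timestamp option bytes instead and misses it. Timestamps and window scaling are on by default in modern stacks, so the fixed-offset version would miss most real requests.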

8.9 Real-time analysis with Wireshark

$ ssh root@remotesystem 'tcpdump -s0 -c 1000 -nn -w - not port 22' | /Applications/Wireshark.app/Contents/MacOS/Wireshark -k -i -

tcpdump on the remote host writes pcap to stdout (-w -), ssh carries it, and Wireshark reads it from stdin (-i -) and starts immediately (-k). not port 22 is essential: without it the capture would include the ssh session carrying the capture itself, and every captured packet would generate more ssh traffic to capture. Add -U to the remote tcpdump so packets are flushed as they arrive rather than in buffer-sized batches, and prefer a non-root account that is allowed to run tcpdump via sudo or capabilities over logging in as root.
[Figures in the original article: tcpdump core parameters diagram; TCP header flags; TCP header structure; TCP SYN flag value; TCP data offset calculation; TCP flags diagram; Wireshark capture view]
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: Linux, command-line, network security, network analysis, Packet Capture, tcpdump
Written by

Python Crawling & Data Mining

Life's short, I code in Python. This channel shares Python web crawling, data mining, analysis, processing, visualization, automated testing, DevOps, big data, AI, cloud computing, machine learning tools, resources, news, technical articles, tutorial videos and learning materials. Join us!
