Master tcpdump: Essential Commands and Parameter Guide for Network Analysis
This guide explains tcpdump’s core features, common parameters, filtering expressions, packet format details, and practical command examples, helping users capture and analyze network traffic effectively while noting important usage considerations.
tcpdump is a command‑line packet analyzer that captures the packets an interface sees (by default it puts the interface into promiscuous mode, so it also records traffic not addressed to the host). A filter expression given on the command line is compiled into a BPF program that runs in the kernel, so only packets matching the chosen hosts, networks, ports or protocols are copied to user space.
Key Parameters
Below are the most frequently used options:
-c count : Stop after capturing the specified number of packets.
-C file_size : Used with -w; start a new output file when the current one reaches file_size, measured in millions of bytes (1,000,000, not 1,048,576). Successive files get a number appended to the -w name.
-D : List all interfaces tcpdump can capture on, with their index numbers (usable with -i). Without -i, tcpdump picks the lowest‑numbered configured, up, non‑loopback interface, usually eth0.
-i interface : Choose the interface to listen on. On Linux, -i any captures from all interfaces at once, but in "cooked" mode without link‑layer headers and not in promiscuous mode.
-n : Do not resolve IP addresses to host names; -nn additionally leaves port and protocol numbers unresolved. Both avoid the delay and the DNS traffic that lookups cause.
-q : Quick (quiet) output, printing less protocol detail per line.
-r file : Read packets from a saved capture file instead of the network.
-t : Omit timestamps from the output.
-w file : Write captured packets in binary pcap format to a file for later analysis (with -r or Wireshark); the file is not readable as text whatever its extension.
-W filecount : With -C, limit the number of rotated files; once the limit is reached the oldest file is overwritten, giving a ring buffer.
Common Filtering Keywords
host : Match packets whose source or destination is the address, e.g., tcpdump host 192.168.1.110.
src : Restrict a host, net or port qualifier to the source side, e.g., tcpdump src host 192.168.1.110.
dst : Restrict a qualifier to the destination side, e.g., tcpdump dst host 192.168.1.111.
port : Match a source or destination port, e.g., tcpdump port 8080 (src port / dst port narrow it to one side).
net : Match a network prefix, e.g., tcpdump net 192.168, which tcpdump reads as 192.168.0.0/16; CIDR notation is also accepted, e.g., tcpdump net 192.168.0.0/16.
and / not / or : Combine expressions, e.g., tcpdump net 192.168 and port 8080. Quote an expression that contains spaces or parentheses (tcpdump 'net 192.168 and not port 22') so the shell passes it through unchanged.
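The keyword list above is easier to check against real packets than to memorise. The following Python is an added example, not code from the original article or from tcpdump: it writes a small pcap file from constructed TCP frames (made‑up addresses 192.168.1.110/111/120 and 10.0.0.5, made‑up ports and timestamps), reads the file back, and applies predicates with the same meaning as host, src, dst, port, net, and and not, so you can see which of the five packets each of the article's expressions selects.

```python
# Added example, not from the original article: write a small pcap file
# from constructed TCP frames, read it back, and apply predicates that
# mirror tcpdump's host / src / dst / port / net keywords. Addresses,
# ports and timestamps are made up for the demonstration.
import ipaddress
import os
import struct
import tempfile

TCP_SYN, TCP_ACK = 0x02, 0x10


def _csum(data):
    """RFC 1071 ones'-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_frame(src, dst, sport, dport, flags, seq=0, ack=0):
    """Ethernet II + IPv4 + TCP header, no options, no payload.
    TCP checksum is left at 0 (tcpdump only reports that with -v)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 64240, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    ip = ip[:10] + struct.pack("!H", _csum(ip)) + ip[12:]          # fill in IP checksum
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp


def write_pcap(path, frames):
    """Classic pcap: 24-byte global header, then a 16-byte record header per packet."""
    with open(path, "wb") as f:
        # magic, major 2, minor 4, tz offset, sigfigs, snaplen, linktype 1 = Ethernet
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i, frame in enumerate(frames):
            f.write(struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)))
            f.write(frame)


def read_pcap(path):
    """Return one dict per packet with the fields the filter keywords look at."""
    with open(path, "rb") as f:
        data = f.read()
    if data[:4] != b"\xd4\xc3\xb2\xa1":
        raise ValueError("not a little-endian classic pcap")
    pos, packets = 24, []
    while pos < len(data):
        _, _, incl, _ = struct.unpack_from("<IIII", data, pos)
        frame = data[pos + 16:pos + 16 + incl]
        pos += 16 + incl
        ihl = (frame[14] & 0x0F) * 4                  # IPv4 header follows the 14-byte Ethernet header
        src, dst = frame[26:30], frame[30:34]
        sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
        flags = struct.unpack_from("!H", frame, 14 + ihl + 12)[0] & 0x1FF
        packets.append({"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
                        "sport": sport, "dport": dport, "flags": flags})
    return packets


# Predicates with the same meaning as the tcpdump keywords.
def host(a):      return lambda p: a in (p["src"], p["dst"])
def src_host(a):  return lambda p: p["src"] == a
def dst_host(a):  return lambda p: p["dst"] == a
def port(n):      return lambda p: n in (p["sport"], p["dport"])
def net(cidr):    # "net 192.168" on the command line is shorthand for 192.168.0.0/16
    n = ipaddress.ip_network(cidr, strict=False)
    return lambda p: any(ipaddress.ip_address(x) in n for x in (p["src"], p["dst"]))
def src_net(cidr):
    n = ipaddress.ip_network(cidr, strict=False)
    return lambda p: ipaddress.ip_address(p["src"]) in n
def not_(pred):   return lambda p: not pred(p)
def and_(*preds): return lambda p: all(q(p) for q in preds)
def count(packets, pred): return sum(1 for p in packets if pred(p))


def demo(path=None):
    """Build the sample capture and count matches for the article's filter expressions."""
    path = path or os.path.join(tempfile.mkdtemp(), "sample.pcap")
    a, b, c = "192.168.1.110", "192.168.1.111", "192.168.1.120"
    frames = [
        tcp_frame(a, b, 40000, 8080, TCP_SYN, seq=1000),                      # handshake 1/3
        tcp_frame(b, a, 8080, 40000, TCP_SYN | TCP_ACK, seq=5000, ack=1001),  # handshake 2/3
        tcp_frame(a, b, 40000, 8080, TCP_ACK, seq=1001, ack=5001),            # handshake 3/3
        tcp_frame("10.0.0.5", b, 51000, 22, TCP_SYN, seq=7),                  # source outside 192.168/16
        tcp_frame(c, b, 40001, 8080, TCP_SYN, seq=9),
    ]
    write_pcap(path, frames)
    pk = read_pcap(path)
    return {
        "pcap": path,
        "host 192.168.1.110": count(pk, host(a)),
        "src host 192.168.1.110 and dst host 192.168.1.111": count(pk, and_(src_host(a), dst_host(b))),
        "port 8080": count(pk, port(8080)),
        "net 192.168 and port 8080": count(pk, and_(net("192.168.0.0/16"), port(8080))),
        "src net 192.168 and not src host 192.168.1.110":
            count(pk, and_(src_net("192.168.0.0/16"), not_(src_host(a)))),
    }
```

Running demo() returns 3, 2, 4, 4 and 2 matches for the five expressions, and leaves the pcap path in the result. Because the file is a standard pcap, you can confirm the counts with tcpdump itself, e.g. tcpdump -nr sample.pcap 'net 192.168 and port 8080', which is also a convenient way to test a filter expression before running it on live traffic.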
Packet Output Fields
A typical tcpdump line includes:
Timestamp (e.g., 20:17:43.496528) : local time of capture, hh:mm:ss plus microseconds.
Protocol label : IP, IP6, ARP, etc., identifying the network‑layer protocol of the packet.
Source > Destination : address and port of sender and receiver, written as address.port. Ports (and host names) are shown as names such as http or ssh unless -n / -nn is given.
Flags : TCP flags in brackets: [S] SYN, [.] ACK, [P] PSH, [F] FIN, [R] RST; combinations are written together, so [S.] is SYN+ACK and [P.] is PSH+ACK.
seq / ack : sequence and acknowledgment numbers. The SYN line shows the absolute initial sequence number; later lines show numbers relative to it (seq 1:79 means payload bytes 1 through 78 of the stream) unless -S requests absolute values. Together with the flags they tell you where a connection is in its handshake, data transfer or teardown.
win : the advertised receive window, printed as the raw (unscaled) value from the header.
length : TCP payload length in bytes, useful for a quick check that data was actually sent or received.
For deeper analysis, save packets with -w and examine them in Wireshark.
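Because tcpdump's text output is stable and line‑oriented, the fields listed above can be parsed directly when Wireshark is not at hand. The Python below is an added example, not code from the original article or from tcpdump: it parses lines in the format shown above into their fields, groups them into conversations, and reports conversations that saw a SYN but never a SYN‑ACK. The sample lines are constructed to look like tcpdump -n output (made‑up hosts 192.168.1.110, 192.168.1.111 and 10.0.0.5); they are not a real capture.

```python
# Added example, not from the original article: parse tcpdump's one-line
# text output into fields and summarise each TCP conversation. The sample
# lines are constructed to look like `tcpdump -n` output; they are not a
# real capture.
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP6? (?P<src>\S+) > (?P<dst>\S+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+(?::\d+)?))?"   # "seq 1:79" is a relative byte range
    r"(?:, ack (?P<ack>\d+))?"
    r"(?:, win (?P<win>\d+))?"
    r"(?:, options \[[^\]]*\])?"
    r", length (?P<length>\d+)"
)

# tcpdump's single-letter flag codes; "." stands for ACK.
FLAG_NAMES = {"S": "SYN", ".": "ACK", "P": "PSH", "F": "FIN", "R": "RST",
              "U": "URG", "E": "ECE", "W": "CWR"}

SAMPLE = [  # constructed lines, not a real capture
    "20:17:43.496528 IP 192.168.1.110.40000 > 192.168.1.111.8080: Flags [S], seq 1234567890, win 64240, options [mss 1460,sackOK,TS val 1 ecr 0,nop,wscale 7], length 0",
    "20:17:43.496701 IP 192.168.1.111.8080 > 192.168.1.110.40000: Flags [S.], seq 987654321, ack 1234567891, win 65160, options [mss 1460,sackOK,TS val 2 ecr 1,nop,wscale 7], length 0",
    "20:17:43.496733 IP 192.168.1.110.40000 > 192.168.1.111.8080: Flags [.], ack 1, win 502, options [nop,nop,TS val 3 ecr 2], length 0",
    "20:17:43.497012 IP 192.168.1.110.40000 > 192.168.1.111.8080: Flags [P.], seq 1:79, ack 1, win 502, options [nop,nop,TS val 4 ecr 2], length 78: HTTP: GET / HTTP/1.1",
    "20:17:43.498220 IP 192.168.1.111.8080 > 192.168.1.110.40000: Flags [R.], seq 1, ack 79, win 0, length 0",
    "20:17:44.100000 IP 10.0.0.5.51000 > 192.168.1.111.22: Flags [S], seq 42, win 1024, length 0",
    "20:17:44.200000 ARP, Request who-has 192.168.1.1 tell 192.168.1.110, length 28",
]


def parse_line(line):
    """Return the fields of one TCP line, or None for lines of another protocol."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    src, sport = d["src"].rsplit(".", 1)   # port may be a number (-n) or a name like "http"
    dst, dport = d["dst"].rsplit(".", 1)
    return {"ts": d["ts"], "src": src, "sport": sport, "dst": dst, "dport": dport,
            "flags": {FLAG_NAMES.get(c, c) for c in d["flags"]},
            "seq": d["seq"],
            "ack": int(d["ack"]) if d["ack"] else None,
            "win": int(d["win"]) if d["win"] else None,
            "length": int(d["length"])}


def summarize(lines):
    """Per-conversation counters keyed by the sorted endpoint pair (direction-agnostic)."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0, "syn": 0, "synack": 0, "rst": 0, "fin": 0})
    for line in lines:
        p = parse_line(line)
        if p is None:                        # ARP, ICMP, UDP etc. are skipped here
            continue
        key = tuple(sorted([(p["src"], p["sport"]), (p["dst"], p["dport"])]))
        f = flows[key]
        f["packets"] += 1
        f["bytes"] += p["length"]            # payload bytes, from the length field
        if "SYN" in p["flags"]:
            f["synack" if "ACK" in p["flags"] else "syn"] += 1
        if "RST" in p["flags"]:
            f["rst"] += 1
        if "FIN" in p["flags"]:
            f["fin"] += 1
    return dict(flows)


def half_open(flows):
    """Conversations with a SYN but no SYN-ACK: unanswered connection attempts
    (a filtered port, a dead host, or a scanner that never completes the handshake)."""
    return [k for k, f in flows.items() if f["syn"] and not f["synack"]]


if __name__ == "__main__":
    flows = summarize(SAMPLE)
    for key, f in flows.items():
        print(key, f)
    print("half-open:", half_open(flows))
```

On the sample, the 192.168.1.110:40000 to 192.168.1.111:8080 conversation completes its handshake, carries 78 payload bytes and is then reset by the server, while the 10.0.0.5 to port 22 attempt is reported as half‑open. Feed real output in with tcpdump -nl ... | python3 parse.py style piping (the -l flag line‑buffers stdout); keep -n on so the port split stays simple, and remember the regex only covers the TCP line format described above.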
Common Command Combinations
tcpdump -i any port 8080
tcpdump -i any src host 192.168.1.110 and dst host 192.168.1.111
tcpdump -i any src net 192.168 and 'src host not 192.168.1.110'
tcpdump -i any port 8080 -w dump.log
The last command writes binary pcap data, so the .log name is misleading: read dump.log back with tcpdump -nr dump.log or open it in Wireshark rather than with cat or grep. The third command's quoted part is equivalent to the more usual not src host 192.168.1.110; quoting the whole expression ('src net 192.168 and not src host 192.168.1.110') is the safer habit.
Important Notes
Run tcpdump as root or with the CAP_NET_RAW and CAP_NET_ADMIN capabilities; opening an interface for capture fails otherwise. When running as root, -Z user drops privileges to that user once the capture is open, which limits the damage a parser bug in tcpdump could do.
The length field supports only basic checks (did any payload arrive, and how much); for detailed inspection of the payload itself, save with -w and use tools like Wireshark.
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge: fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc.