Master tcpdump: Essential Commands for Capturing and Analyzing Network Traffic
This guide explains how to use tcpdump on Linux to capture packets, filter by ports, hosts, interfaces or protocols, save output for later analysis, and interpret both human‑readable and hexadecimal dumps, with practical examples and tips for integrating Wireshark.
Basic Usage
The simplest way to start capturing packets is to run tcpdump without any options, which prints a live, human‑readable stream of packet headers to the console. Capturing requires root privileges (or the CAP_NET_RAW capability), and by default tcpdump puts the interface into promiscuous mode, so it sees traffic not addressed to the local host as well.
Useful Options
To avoid being flooded by SSH traffic, exclude port 22:
tcpdump not port 22
You can combine multiple exclusions, for example:
tcpdump not port 143 and not port 25 and not port 22
To capture only a specific port (useful for debugging a service), specify the port directly:
tcpdump port 143
To filter traffic from or to a particular host:
tcpdump host hal9000
If the machine has several network interfaces, select one with -i:
tcpdump -i eth1
To capture only a certain protocol, such as UDP, use the protocol name:
tcpdump udp
A full list of protocol names is available in /etc/protocols.
Saving Output
Redirect the capture to a file for later analysis while still watching the live output (-l makes stdout line‑buffered so tee receives each line immediately):
tcpdump -l | tee tcpdump_`date +%Y%m%d-%H.%M`
To store the raw packets in binary format (compatible with Wireshark/Ethereal), use the -w flag:
tcpdump -w tcpdump_raw_`date +%Y%m%d-%H.%M`
Read a previously saved binary dump with:
tcpdump -r tcpdump_raw_YYYYMMDD-HH.MM
Analyzing with Wireshark/Ethereal
The binary file can be opened in Wireshark (formerly Ethereal) to view detailed packet contents, including source and destination IPs, ports, protocol types, and payload data, which greatly simplifies troubleshooting network issues.
Reading Raw Dumps
Even the default text output can be cryptic. For example, a line like:
17:26:22.924493 IP www.linux.org.www > test.linux.org.34365: P 2845:3739(894) ack 1624 win 9648 <nop,nop,timestamp 326501459 24374272>
means a TCP PUSH packet from www.linux.org (port 80, shown by its service name www) to test.linux.org (port 34365). The numbers 2845:3739(894) indicate the sequence range and the payload length in bytes; ack 1624 shows the acknowledgment number, and win 9648 is the advertised window size.
Hexadecimal Output
Adding the -x option includes a hex dump of each packet, making it possible to see the exact payload bytes. An example fragment:
0x0000: 4500 05dc 6a81 4000 4006 493b c0a8 0006
0x0010: c0a8 0009 0050 86e8 8fa4 1d47 1c33 e3af
0x0020: 8010 1920 b4d9 0000 0101 080a 13a0 7a77
0x0030: 019e 5f14 4854 5450 2f31 2e31 2032 3030
0x0040: 204f 4b0d 0a44 6174 653a 2054 6875 2c20
0x0050: 3135
This hex view reveals the underlying HTTP message and its headers (the ASCII in the payload begins HTTP/1.1 200 OK, followed by a Date: header), confirming the packet’s purpose even when the textual description is ambiguous.
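To show what the hex fragment above actually encodes, here is an added example (not from the original article) that turns tcpdump -x lines back into bytes and decodes the IPv4 and TCP headers plus the payload. It assumes the default -x layout, where the link‑layer header is stripped and the dump starts at the IP header; the sample input is the fragment printed in this section.

```python
import re
import struct

# Constructed sample: the -x fragment shown in this section (first 0x52 bytes of one packet).
SAMPLE_DUMP = """\
0x0000: 4500 05dc 6a81 4000 4006 493b c0a8 0006
0x0010: c0a8 0009 0050 86e8 8fa4 1d47 1c33 e3af
0x0020: 8010 1920 b4d9 0000 0101 080a 13a0 7a77
0x0030: 019e 5f14 4854 5450 2f31 2e31 2032 3030
0x0040: 204f 4b0d 0a44 6174 653a 2054 6875 2c20
0x0050: 3135
"""

TCP_FLAG_NAMES = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                  (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]

def hexdump_to_bytes(text):
    """Turn tcpdump -x lines ("0x0010: c0a8 0009 ...") back into raw packet bytes."""
    out = bytearray()
    for line in text.splitlines():
        m = re.match(r"\s*0x[0-9a-fA-F]+:\s*(.*)$", line)
        if m:
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)

def decode_ipv4_tcp(pkt):
    """Decode the IPv4 header and, for protocol 6, the TCP header and payload."""
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4          # IP header length in bytes (options included)
    info = {"version": ver_ihl >> 4, "total_length": total_len, "ttl": ttl,
            "protocol": proto, "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst))}
    if proto != 6:
        return info
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", pkt[ihl:ihl + 16])
    data_off = (off_flags >> 12) * 4    # TCP header length; >20 means options (here: timestamps)
    flags = off_flags & 0x1FF
    info.update({"sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": win,
                 "flags": [name for bit, name in TCP_FLAG_NAMES if flags & bit],
                 # Whatever follows the TCP header; a truncated dump simply yields a shorter payload.
                 "payload": pkt[ihl + data_off:]})
    return info

def summarize(pkt):
    """One-line summary in the spirit of tcpdump's own text output."""
    i = decode_ipv4_tcp(pkt)
    return "%s.%d > %s.%d: [%s] win %d, %d payload bytes" % (
        i["src"], i["sport"], i["dst"], i["dport"], ",".join(i["flags"]), i["window"], len(i["payload"]))

if __name__ == "__main__":
    print(summarize(hexdump_to_bytes(SAMPLE_DUMP)))
```

Note that the total length field (1500) is larger than the 82 bytes shown, so the fragment on the page is a truncated dump; the decoder reports only the bytes it was given.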
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)