Operations 6 min read

Master tcpdump: Essential Commands for Network Packet Capture

This guide introduces tcpdump, a powerful network packet capture tool, explains its filtering capabilities with logical operators, and provides numerous practical examples—from capturing traffic on specific interfaces and hosts to filtering by ports, protocols, and saving captures—helping users troubleshoot network issues efficiently.


Introduction

tcpdump is a network packet capture tool that supports filtering by network layer, protocol, host, network or port, and provides logical operators such as and, or, not to discard irrelevant information.

Basic Usage Examples

Capture on default interface

tcpdump

Capture on a specific interface

tcpdump -i en0

Capture traffic between local host and a remote host

tcpdump host 182.254.38.55

Capture traffic from a specific source or destination

tcpdump src host hostname
tcpdump dst host hostname

Capture traffic on a specific port

tcpdump port 3000

Capture only TCP or UDP packets

tcpdump tcp

Combine filters (source host, port, protocol)

tcpdump tcp port 22 and src host 123.207.116.169

Capture traffic between two hosts, or between one host and every host except a second one

tcpdump ip host 210.27.48.1 and 210.27.48.2
tcpdump ip host 210.27.48.1 and not 210.27.48.2

More detailed example (options first, then the quoted filter expression)

tcpdump -i eth1 -t -s 0 -c 100 -w ./target.cap 'tcp and not dst port 22 and src net 192.168.1.0/24'

Here -t suppresses timestamps in printed output, -s 0 captures full packets, -c 100 stops after 100 packets and -w writes the raw packets to target.cap; the expression keeps TCP traffic from 192.168.1.0/24 that is not destined for port 22. Options must precede the filter expression, and quoting the expression keeps the shell from interpreting it.

Capture HTTP traffic from a specific host

sudo tcpdump -i any -s 0 -A 'tcp port 80 and host example.com'

Limit number of captured packets

tcpdump -c 1000

Save capture to file

tcpdump -n -vvv -c 1000 -w /tmp/tcpdump_save.cap

Force immediate write to disk (use -U, which flushes each packet to the output file as soon as it is captured instead of waiting for the buffer to fill)

tcpdump -U ...

Practical Troubleshooting Example

In a typical setup where Nginx reverse-proxies requests to a Node.js server listening on port 3000, you can use tcpdump to verify whether traffic reaches the backend. First, capture packets on the port used by Nginx (8383 in this example):

tcpdump port 8383

If no output appears, capture on the loopback interface, because Nginx forwards to 127.0.0.1 and that traffic never crosses the default interface:

tcpdump -i lo port 8383

To filter by the client IP address (options go before the filter expression):

tcpdump -i lo port 8383 and src host 183.14.132.117

Finally, verify the request reaches the server (-n skips reverse DNS lookups so output appears immediately):

tcpdump -n -i lo tcp port 8383 and src host 183.14.132.117
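The troubleshooting steps above, wrapped in a small POSIX shell script as an added example (not code from the original article). It picks the loopback interface for a 127.0.0.1 upstream, builds the backend filter, keeps every option ahead of the quoted expression, and writes a packet-buffered capture file; the function names and the DRY_RUN switch are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article: wrap the Nginx -> Node.js
# troubleshooting steps in reusable functions. Function names and the
# DRY_RUN variable are this example's own conventions.

# upstream_iface UPSTREAM_ADDR -> "lo" for a loopback upstream, "any" otherwise.
# Traffic that Nginx forwards to 127.0.0.1 never appears on the default
# interface, which is why the article's first capture shows nothing.
upstream_iface() {
    case $1 in
        127.*|localhost|::1) echo lo ;;
        *) echo any ;;
    esac
}

# backend_filter PORT [CLIENT_IP] -> prints the BPF expression for traffic
# to the backend port, optionally narrowed to one client address.
backend_filter() {
    port=$1
    client=$2
    expr="tcp and dst port $port"
    if [ -n "$client" ]; then
        expr="$expr and src host $client"
    fi
    printf '%s\n' "$expr"
}

# capture_backend IFACE PORT COUNT OUTFILE [CLIENT_IP]
# Prints the exact command line and runs it unless DRY_RUN=1.
# -n: no reverse DNS (no delay, no extra packets on the wire)
# -U: flush every packet to OUTFILE at once, so the file is usable even if
#     tcpdump is interrupted
# -s 0: full packets; -c: stop after COUNT packets; -w: raw pcap output
# All options come before the filter, which is quoted for the shell.
capture_backend() {
    iface=$1; port=$2; count=$3; outfile=$4; client=$5
    filter=$(backend_filter "$port" "$client")
    cmd="tcpdump -n -U -s 0 -i $iface -c $count -w $outfile '$filter'"
    printf '%s\n' "$cmd"
    if [ "${DRY_RUN:-0}" != "1" ]; then
        # Opening an interface needs root or CAP_NET_RAW.
        tcpdump -n -U -s 0 -i "$iface" -c "$count" -w "$outfile" "$filter"
    fi
}

# Usage for the article's scenario (upstream 127.0.0.1:8383, one client):
#   iface=$(upstream_iface 127.0.0.1)
#   capture_backend "$iface" 8383 100 /tmp/backend.pcap 183.14.132.117
```

Set DRY_RUN=1 to print the command line without opening any interface, which is useful for checking the filter before running it with privileges.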
Tags: Linux, Troubleshooting, Packet Capture, Network Monitoring, tcpdump

Written by

Efficient Ops

This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.
