Master tcpdump: Essential Commands for Precise Network Packet Capture
This guide introduces tcpdump, a powerful network packet capture tool, explaining its basic usage, filtering options, interface selection, logical expressions, and advanced examples such as capturing specific hosts, ports, protocols, limiting packet counts, and saving captures to files for detailed analysis.
Introduction
tcpdump is a command-line packet capture and analysis tool. It can filter by protocol, host, network, or port, and combines those primitives with the logical operators and, or and not to keep irrelevant traffic out of the capture.
tcpdump - dump traffic on a network
Examples
Without specifying any parameters
With no arguments tcpdump captures on the first configured, non-loopback interface it finds, so loopback traffic is never seen unless -i lo is given. A host usually has several interfaces, so in practice you name one (tcpdump -D lists the interfaces it can use). Capturing requires root or the CAP_NET_RAW capability.
tcpdump
Listen on a specific interface
Interface names depend on the platform: en0 is a macOS name, while Linux uses names such as eth0 or ens33.
tcpdump -i en0
Listen to a specific host
Example: monitor traffic between the local machine and host 182.254.38.55.
tcpdump host 182.254.38.55
host matches the address as either source or destination, so both inbound and outbound packets are captured.
Capture traffic from a specific source or destination
Source:
tcpdump src host hostname
Destination:
tcpdump dst host hostname
If neither src nor dst is given, packets with hostname as either source or destination are captured. A hostname in a filter is resolved once, when the filter is compiled; addresses in the printed output are also resolved to names unless -n is given.
tcpdump host hostname
Specific port
tcpdump port 3000
port matches either the source or the destination port of TCP, UDP and SCTP packets; use src port or dst port to pick one side.
Capture only TCP or UDP
To capture only TCP packets (replace tcp with udp for UDP):
tcpdump tcp
Source host + port + TCP
Capture TCP packets from host 123.207.116.169 on port 22:
tcpdump tcp port 22 and src host 123.207.116.169
Capture communication between specific hosts
tcpdump ip host 210.27.48.1 and 210.27.48.2
This captures the IPv4 traffic between the two hosts and nothing else. The bare 210.27.48.2 is shorthand for host 210.27.48.2: an identifier given without a keyword reuses the most recent keyword.
More detailed example
tcpdump -i eth1 -t -s 0 -c 100 -w ./target.cap tcp and not dst port 22 and src net 192.168.1.0/24
The widely copied form of this command interleaves options with the filter (tcpdump tcp -i eth1 -t -s 0 -c 100 and dst port ! 22 and src net 192.168.1.0/24 -w ./target.cap). It happens to work where the C library's getopt reorders arguments, but the documented syntax is options first and the whole filter expression last, as written here. Its parts:
(1) tcp: the protocol qualifier. ip, arp, rarp, tcp, udp and icmp select the packet type; they are ordinary filter primitives and may appear anywhere in the expression, not only at the front.
(2) -i eth1: capture only on interface eth1.
(3) -t: omit timestamps from the printed output.
(4) -s 0: capture full packets. Older tcpdump versions truncated packets at 68 bytes by default; current versions default to 262144 bytes, so -s 0 is mostly a habit carried over from those versions.
(5) -c 100: stop after 100 packets.
(6) not dst port 22: exclude packets whose destination port is 22 (! is a synonym for not; the original writes this as dst port ! 22).
(7) src net 192.168.1.0/24: keep only packets whose source address lies in that network.
(8) -w ./target.cap: write the raw packets that pass the filter to a file, for later analysis with Wireshark or tcpdump -r, instead of decoding them on the terminal.
Limit capture count
Stop after capturing 1000 packets:
tcpdump -c 1000
Save to local file
When writing with -w, tcpdump buffers its output and flushes it when the buffer fills or when it exits, so a file that is still being written can look empty or truncated. -U (packet-buffered mode) flushes every packet to the file as soon as it is captured, which is useful when another tool tails the file but costs one write per packet.
tcpdump -n -vvv -c 1000 -w /tmp/tcpdump_save.cap
-n stops tcpdump resolving addresses and ports to names (which would also generate DNS traffic of its own). The -v levels only change how packets are decoded on the terminal; they do not change what -w stores, so the file holds the raw packets either way.
Practical example
Consider a server running a Node.js application on port 8383 behind an Nginx reverse proxy that listens on port 80 and forwards requests to 127.0.0.1:8383. A client at 183.14.132.117 reports getting no response. tcpdump can show where the request stops.
First, check whether the request reaches the Node.js process, for example in its logs.
Then verify that Nginx forwards the request by capturing on the backend port:
tcpdump port 8383
If nothing appears, remember that tcpdump without -i picks a non-loopback interface, while the proxied connection runs over loopback, so select it explicitly:
tcpdump -i lo port 8383
On lo the source address of every proxied request is 127.0.0.1, because Nginx opens its own TCP connection to the backend; the client's address never appears at the packet level there. It reaches the application only inside a header such as X-Forwarded-For or X-Real-IP, and only if Nginx is configured (proxy_set_header) to add it. A filter on the client's address is therefore useless on lo:
tcpdump -i lo port 8383 and src host 183.14.132.117
That expression can never match. To see the client's own connection, capture on the external interface for port 80 and src host 183.14.132.117; to see its proxied copy, capture on lo and print the payload so the forwarded header is visible:
tcpdump -n -i lo -A tcp port 8383
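The following Python script is an added example and not code from the original article. It writes a small pcap file in the layout that tcpdump -w produces, reads it back, and re-implements the filter primitives used on this page (host, src host, port, dst port, src net, tcp, not) so that the filter of the -w example above and the loopback/proxy case just described can be checked offline, without root or a live interface. Everything in it is constructed: the frames carry zero MAC addresses and checksums, the addresses and ports are the ones used on this page, the file names target.cap and lo.cap are arbitrary, and the X-Forwarded-For header in the proxied request assumes Nginx has been configured with proxy_set_header to add it.

```python
import ipaddress
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4        # little-endian pcap with microsecond timestamps
LINKTYPE_ETHERNET = 1          # link type tcpdump records for eth* (and for lo on Linux)
IPPROTO_TCP, IPPROTO_UDP = 6, 17


def build_frame(src, dst, sport, dport, proto=IPPROTO_TCP, payload=b""):
    """Constructed Ethernet/IPv4/TCP-or-UDP frame; MACs and checksums are zero (not validated here)."""
    if proto == IPPROTO_TCP:   # 20-byte TCP header: seq, ack, data offset 5, flags PSH|ACK, window
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0)
    else:                      # 8-byte UDP header carries its own length
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0, 0, 64, proto, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return b"\x00" * 12 + b"\x08\x00" + ip + l4 + payload


def write_pcap(path, frames, snaplen=262144):
    """24-byte global header, then a 16-byte record header per frame: the layout tcpdump -w writes."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
        for i, frame in enumerate(frames):
            f.write(struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame)


def read_pcap(path):
    """Return the raw frames stored in a little-endian pcap file (what tcpdump -r and Wireshark read)."""
    with open(path, "rb") as f:
        data = f.read()
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file")
    off, frames = 24, []
    while off < len(data):
        incl_len = struct.unpack_from("<IIII", data, off)[2]   # ts_sec, ts_usec, incl_len, orig_len
        frames.append(data[off + 16:off + 16 + incl_len])
        off += 16 + incl_len
    return frames


def decode(frame):
    """Extract the fields the host/port/proto primitives test; None for non-IPv4 frames."""
    if frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto, l4 = frame[23], frame[14 + ihl:]
    pkt = {"proto": proto, "src": str(ipaddress.ip_address(frame[26:30])),
           "dst": str(ipaddress.ip_address(frame[30:34])), "sport": None, "dport": None, "payload": b""}
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", l4[:4])
        pkt["payload"] = l4[(l4[12] >> 4) * 4:] if proto == IPPROTO_TCP else l4[8:]
    return pkt


# Predicates with the meaning of the tcpdump keywords they are named after.
def host(ip): return lambda p: ip in (p["src"], p["dst"])
def src_host(ip): return lambda p: p["src"] == ip
def port(n): return lambda p: n in (p["sport"], p["dport"])
def dst_port(n): return lambda p: p["dport"] == n
def src_net(cidr): return lambda p: ipaddress.ip_address(p["src"]) in ipaddress.ip_network(cidr)
def tcp(p): return p["proto"] == IPPROTO_TCP
def udp(p): return p["proto"] == IPPROTO_UDP
def AND(*preds): return lambda p: all(f(p) for f in preds)
def NOT(pred): return lambda p: not pred(p)


def matching(path, pred):
    return [p for p in map(decode, read_pcap(path)) if p and pred(p)]


def write_samples(lan_path, proxy_path):
    write_pcap(lan_path, [   # constructed LAN traffic for the -w example
        build_frame("192.168.1.10", "10.0.0.5", 40000, 22),               # SSH: dropped by "not dst port 22"
        build_frame("192.168.1.10", "10.0.0.5", 40001, 443),              # HTTPS from the /24: kept
        build_frame("192.168.1.20", "10.0.0.5", 40002, 53, IPPROTO_UDP),  # DNS over UDP: dropped by "tcp"
        build_frame("172.16.0.9", "10.0.0.5", 40003, 80),                 # outside 192.168.1.0/24: dropped
    ])
    # On lo the proxied connection is 127.0.0.1 -> 127.0.0.1; the client address survives only in a
    # header, and only if Nginx is configured (proxy_set_header) to add it. Assumed here.
    write_pcap(proxy_path, [build_frame("127.0.0.1", "127.0.0.1", 51234, 8383,
        payload=b"GET /api HTTP/1.1\r\nHost: example\r\nX-Forwarded-For: 183.14.132.117\r\n\r\n")])


def detailed_example(lan_path):
    """'tcp and not dst port 22 and src net 192.168.1.0/24', the filter of the -w example."""
    expr = AND(tcp, NOT(dst_port(22)), src_net("192.168.1.0/24"))
    return [(p["src"], p["dport"]) for p in matching(lan_path, expr)]


def proxy_example(proxy_path):
    """Why 'src host <client>' on lo matches nothing, and what does identify the client there."""
    by_client = matching(proxy_path, AND(port(8383), src_host("183.14.132.117")))
    by_port = matching(proxy_path, port(8383))
    forwarded_for = [line.split(b":", 1)[1].strip().decode() for p in by_port
                     for line in p["payload"].split(b"\r\n") if line.lower().startswith(b"x-forwarded-for:")]
    return len(by_client), len(by_port), forwarded_for


def run_demo():
    d = tempfile.mkdtemp()
    write_samples(f"{d}/target.cap", f"{d}/lo.cap")
    return detailed_example(f"{d}/target.cap"), proxy_example(f"{d}/lo.cap")

if __name__ == "__main__":
    print(run_demo())   # ([('192.168.1.10', 443)], (0, 1, ['183.14.132.117']))
```

Running the script writes both constructed captures to a temporary directory and prints the results: the LAN filter keeps only the TCP packet from 192.168.1.10 to port 443, and on the loopback capture the src host filter matches zero packets while the plain port filter finds the request and the forwarded header reveals the client. The real tcpdump compiles the same expression into a BPF program that the kernel runs on every packet; this model only reproduces the matching semantics, which is what matters when reasoning about why a filter is silent.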
Raymond Ops
Linux ops automation, cloud-native, Kubernetes, SRE, DevOps, Python, Golang and related tech discussions.
