Master Tcpdump: Essential Linux Packet Capture Commands and Tips
Tcpdump is a classic Linux network packet capture tool that intercepts and displays TCP/IP and other packets, works on most Unix-like systems, and offers powerful command‑line options and filter expressions for selective monitoring, with numerous examples covering interfaces, output formats, and common use cases.
Tcpdump is a classic Linux network packet capture tool that intercepts and displays TCP/IP and other packets on a host.
It works on most Unix-like systems (Linux, BSD, etc.) and operates via command‑line with flexible filter expressions.
Basic Usage
Running tcpdump without options captures packets on the first non‑loopback interface until the process is terminated.
shell> tcpdump -nn -i eth0 icmp
Common Options
-c <count>: capture a specific number of packets, then exit.
-i <interface>: select the interface (default is the first one; use any for all interfaces).
-n: show numeric addresses (no hostname resolution).
-nn: numeric addresses and numeric ports.
-N: omit the domain name part of hostnames.
-P <direction>: specify capture direction (in, out, inout).
-s <len>: set snapshot length (default 65535).
Output Options
-e: include the link-layer header in each line.
-q: quick output, minimal protocol info.
-X: hex and ASCII dump of packet headers.
-XX: hex and ASCII dump of the full packet.
-v, -vv, -vvv: increasing verbosity.
Functional Options
-D: list available interfaces.
-F <file>: read the filter expression from a file.
-w <file>: write captured packets to a file (can be combined with -G for time-based rotation).
-r <file>: read packets from a file instead of an interface.
Filter Expressions
Expressions consist of optional modifiers (type, dir, proto) followed by an identifier. Types include host, net, port, portrange. Directions are src, dst. Protocols include tcp, udp, arp, ip, icmp, etc.
Examples:
"host foo and not port ftp"
"tcp dst port 22"
Sample Commands
List interfaces: tcpdump -D
Capture 10 ICMP packets on eth0: tcpdump -c 10 -nn -i eth0 icmp
Capture traffic between helios and either hot or ace (the parentheses must be escaped or quoted so the shell does not interpret them): tcpdump host helios and \( hot or ace \)
Capture 10 packets destined for port 22: tcpdump -c 10 -nn -i eth0 tcp dst port 22
For detailed packet analysis, combine options such as -vvv -XX -nn and specify the interface and filter.
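As an added example (not from the original article), the following Python script post-processes the text that a command such as tcpdump -nn -i eth0 prints, counting bare SYNs per source address towards port 22 and ICMP echo requests per source. The SAMPLE_OUTPUT lines are constructed to mimic the -nn line format and are not a real capture.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -nn -i eth0` output (not a real capture).
# With -nn, addresses and ports stay numeric and appear as "addr.port".
SAMPLE_OUTPUT = """\
12:00:01.000100 IP 10.0.0.5.44321 > 10.0.0.9.22: Flags [S], seq 1, win 64240, length 0
12:00:01.000200 IP 10.0.0.9.22 > 10.0.0.5.44321: Flags [S.], seq 2, ack 2, win 65160, length 0
12:00:01.000300 IP 10.0.0.5.44321 > 10.0.0.9.22: Flags [.], ack 1, win 502, length 0
12:00:02.000000 IP 10.0.0.7.51000 > 10.0.0.9.22: Flags [S], seq 3, win 64240, length 0
12:00:02.500000 IP 10.0.0.7.51001 > 10.0.0.9.22: Flags [S], seq 4, win 64240, length 0
12:00:03.000000 IP 10.0.0.5 > 10.0.0.9: ICMP echo request, id 7, seq 1, length 64
12:00:03.000100 IP 10.0.0.9 > 10.0.0.5: ICMP echo reply, id 7, seq 1, length 64
"""

IPV4 = r"\d+\.\d+\.\d+\.\d+"
# TCP line: "<ts> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
TCP_RE = re.compile(
    rf"^(?P<ts>\S+) IP (?P<src>{IPV4})\.(?P<sport>\d+) > (?P<dst>{IPV4})\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)
# ICMP line: "<ts> IP <src> > <dst>: ICMP echo request|reply, ..." (no ports)
ICMP_RE = re.compile(
    rf"^(?P<ts>\S+) IP (?P<src>{IPV4}) > (?P<dst>{IPV4}): ICMP (?P<kind>echo request|echo reply)"
)

def parse_line(line):
    """Return a dict describing one tcpdump -nn line, or None if unrecognised."""
    m = TCP_RE.match(line)
    if m:
        rec = m.groupdict()
        rec.update(proto="tcp", sport=int(rec["sport"]), dport=int(rec["dport"]))
        return rec
    m = ICMP_RE.match(line)
    if m:
        rec = m.groupdict()
        rec["proto"] = "icmp"
        return rec
    return None

def syn_sources(text, dport=22):
    """Count bare SYNs (flags exactly 'S', i.e. no ACK) per source IP towards dport.
    This is the same selection as the article's `tcp dst port 22` filter,
    narrowed further to connection attempts only."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["proto"] == "tcp" and rec["dport"] == dport and rec["flags"] == "S":
            counts[rec["src"]] += 1
    return dict(counts)

def icmp_echo_requests(text):
    """Count ICMP echo requests per source IP (matches the article's `icmp` filter)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["proto"] == "icmp" and rec["kind"] == "echo request":
            counts[rec["src"]] += 1
    return dict(counts)
```

Pipe a live or replayed capture into it with tcpdump -nn -r capture.pcap | python3 script.py after adding a small sys.stdin loop; the parser ignores lines it does not recognise.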
Open Source Linux
Focused on sharing Linux/Unix content, covering fundamentals, system development, network programming, automation/operations, cloud computing, and related professional knowledge.