
Master tcpdump: Essential Options, Expressions, and Real‑World Examples

This guide explains how to use tcpdump’s command‑line options, build powerful filter expressions, and provides dozens of practical examples for capturing and analyzing network packets on Linux systems.

Open Source Linux

Preface

tcpdump uses a command‑line interface to filter and capture packets on a network interface, offering rich functionality through flexible expressions.

1 tcpdump Options

The basic command format is:

tcpdump [ -DenNqvX ] [ -c count ] [ -F file ] [ -i interface ] [ -r file ]
        [ -s snaplen ] [ -w file ] [ expression ]

Capture options:

-c : specify the number of packets to capture; tcpdump exits once this many packets matching the filter have been received.

-i : specify the interface to listen on; if omitted, the smallest‑numbered non‑loopback interface is used. Use -i any to capture on all interfaces.

-n : display addresses numerically, disabling name resolution.

-nn : like -n but also show ports as numbers.

-N : omit the domain part of host names.

-P : select inbound (in), outbound (out) or both (inout) packets; default is inout.

-s len : set snap length; smaller values reduce capture time and memory usage, but must be large enough to include needed data.

Output options:

-e : include link‑layer header information (e.g., source and destination MAC).

-q: quiet output, minimal protocol details.

-X: display packet data in both hex and ASCII.

-XX: like -X, but the hex/ASCII dump also includes the link‑layer header.

-v, -vv, -vvv: increase verbosity.

Other functional options:

-D: list available interfaces.

-F: read capture filter from a file.

-w: write captured packets to a file (optionally with -G time to rotate files).

-r: read packets from a file.

Commonly used shortcuts include:

tcpdump -D
tcpdump -c 5 -i eth0 -nn -XX -vvv

2 tcpdump Expressions

Expressions filter which packets are displayed. Without an expression, all packets are shown; otherwise only packets for which the expression evaluates to true are printed. Shell metacharacters should be quoted.

Expressions consist of one or more units, each typically containing a modifier and an identifier. Modifiers are:

type : specifies the identifier type (host, net, port, portrange). Default is host.

dir : direction (src, dst, src or dst). Default is src or dst.

proto : protocol (tcp, udp, arp, ip, ether, icmp, etc.).

A basic unit looks like the diagram below:

[Figure: expression unit diagram]

Keyword units such as gateway, broadcast, less, greater and arithmetic expressions are also supported.

Units can be combined with logical operators and / && / or / || / not / !. For example:

host qin251 and not port ftp and not port ftp-data

Parentheses () alter precedence; they must be escaped for the shell (e.g., \( \)) and often quoted.
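As an added example (not part of the original article), the following POSIX shell functions assemble a filter expression from the units and operators described above and show the two ways of getting parentheses past the shell: single‑quoting the whole expression, or passing it to tcpdump as a single argument. The function names group_or, exclude_ports, shell_quote, print_command and run_capture are this example's own, and eth0 is an assumed interface name.

```shell
#!/bin/sh
# Added helper functions (not from the article) for assembling tcpdump
# filter expressions and handing them to the shell safely.

# group_or TYPE item...  -> "(TYPE item1 or TYPE item2 ...)"
# Every identifier gets its own modifier, so the meaning does not rely on
# tcpdump's rule that a bare identifier inherits the previous modifier.
group_or() {
    _type=$1; shift
    _out=""
    for _item in "$@"; do
        if [ -z "$_out" ]; then
            _out="$_type $_item"
        else
            _out="$_out or $_type $_item"
        fi
    done
    printf '(%s)' "$_out"
}

# exclude_ports EXPR port...  -> "EXPR and not port p1 and not port p2 ..."
exclude_ports() {
    _expr=$1; shift
    for _p in "$@"; do
        _expr="$_expr and not port $_p"
    done
    printf '%s' "$_expr"
}

# shell_quote EXPR -> single-quoted form that reaches tcpdump unchanged,
# so the parentheses need no backslashes (equivalent to writing \( ... \)).
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# print_command IFACE EXPR -> paste-able command line with the expression quoted
print_command() {
    printf 'tcpdump -nn -i %s %s\n' "$1" "$(shell_quote "$2")"
}

# run_capture IFACE COUNT EXPR -> runs the capture when tcpdump is installed.
# The expression is passed as one argument; tcpdump joins its trailing
# arguments with spaces, so no escaping is needed on this path either.
run_capture() {
    command -v tcpdump >/dev/null 2>&1 || { echo "tcpdump not installed" >&2; return 1; }
    tcpdump -nn -c "$2" -i "$1" "$3"
}

# Worked example: traffic between helios and either hot or ace, minus FTP.
filter=$(exclude_ports "host helios and $(group_or host hot ace)" ftp ftp-data)
print_command eth0 "$filter"
# prints: tcpdump -nn -i eth0 'host helios and (host hot or host ace) and not port ftp and not port ftp-data'
```

The quoted form printed by print_command and an escaped form such as `tcpdump host helios and \( host hot or host ace \)` compile to the same filter; the difference is only in what the shell does before tcpdump sees the words.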

3 tcpdump Examples

Note: tcpdump captures only traffic that traverses the local host.

Default start: tcpdump (captures on the first non‑loopback interface).

Capture on a specific interface: tcpdump -i eth1.

Capture traffic for a specific host: tcpdump host qll251.

Capture between two hosts: tcpdump host helios and \( hot or ace \).

Capture IP traffic involving host ace, excluding anything involving helios: tcpdump ip host ace and not helios.

Capture all traffic sent by host qll251: tcpdump src host qll251.

Capture all traffic destined for host qll251: tcpdump dst host qll251.

Capture traffic for a host and port: tcpdump tcp port 22 and host qll251.

Monitor UDP port 123 (NTP): tcpdump udp port 123.

Capture 10 packets on network 192.168: tcpdump -c 10 net 192.168.

Capture FTP traffic through gateway snup: tcpdump 'gateway snup and (port ftp or ftp-data)'.

Capture ICMP ping packets: tcpdump -c 5 -nn -i eth0 icmp.

Capture ping from a specific source: tcpdump -c 5 -nn -i eth0 icmp and src 192.168.100.62.

Capture traffic to local port 22: tcpdump -c 10 -nn -i eth0 tcp dst port 22.

Detailed packet analysis: tcpdump -c 2 -q -XX -vvv -nn -i eth0 tcp dst port 22.

Save capture to file: tcpdump -c 5 -nn -i eth0 icmp -w ./ping.pcap.

Analyze saved file with Wireshark: install with yum -y install wireshark*, then run wireshark ping.pcap.
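The examples above capture to a file and hand it to Wireshark. The following added example (not from the article) instead reads a saved capture back with tcpdump -nn -r and runs a small awk summary over the text output to report sources that sent at least a threshold of TCP SYNs to one port, a quick way to spot repeated connection attempts against a service such as SSH on port 22. The lines in sample_capture are constructed to match the tcpdump -nn output format and are not a real capture; the function names syn_sources, analyze_pcap and sample_capture are this example's own.

```shell
#!/bin/sh
# Added example, not from the article: summarize a capture for repeated
# TCP SYNs toward one destination port.

# syn_sources PORT THRESHOLD  (reads tcpdump -nn text on stdin)
# Prints "src_ip count" for every source that sent at least THRESHOLD
# packets with Flags [S] (a pure SYN, not a SYN-ACK) to PORT.
syn_sources() {
    awk -v port="$1" -v thr="$2" '
    $2 == "IP" && $6 == "Flags" && $7 == "[S]," {
        dst = $5; sub(/:$/, "", dst)          # "10.0.0.1.22:" -> "10.0.0.1.22"
        n = split(dst, d, ".")
        if (d[n] != port) next                # under -nn the last component is the port
        src = $3; sub(/\.[0-9]+$/, "", src)   # drop the ephemeral source port
        syn[src]++
    }
    END { for (s in syn) if (syn[s] >= thr) printf "%s %d\n", s, syn[s] }' | sort
}

# analyze_pcap FILE PORT THRESHOLD: read a capture saved with -w and summarize it.
# tcpdump prints a "reading from file" banner on stderr, which is discarded here.
analyze_pcap() {
    tcpdump -nn -r "$1" 2>/dev/null | syn_sources "$2" "$3"
}

# Constructed sample of tcpdump -nn output (not a real capture).
sample_capture() {
cat <<'EOF'
10:12:01.000001 IP 192.168.100.62.51234 > 192.168.100.10.22: Flags [S], seq 1, win 64240, length 0
10:12:01.000002 IP 192.168.100.10.22 > 192.168.100.62.51234: Flags [S.], seq 2, ack 2, win 65160, length 0
10:12:01.000003 IP 192.168.100.62.51235 > 192.168.100.10.22: Flags [S], seq 1, win 64240, length 0
10:12:01.000004 IP 192.168.100.62.51236 > 192.168.100.10.22: Flags [S], seq 1, win 64240, length 0
10:12:01.000005 IP 192.168.100.77.40000 > 192.168.100.10.22: Flags [S], seq 1, win 64240, length 0
10:12:01.000006 IP 192.168.100.62.51237 > 192.168.100.10.80: Flags [S], seq 1, win 64240, length 0
10:12:02.000000 IP 192.168.100.62 > 192.168.100.10: ICMP echo request, id 1, seq 1, length 64
EOF
}

# Worked run: three SYNs from .62 to port 22 reach a threshold of 3; the
# SYN-ACK reply, the port 80 SYN, the ICMP line and the single SYN from .77
# do not count.
sample_capture | syn_sources 22 3
# prints: 192.168.100.62 3
```

With a real file the call is `analyze_pcap ./ping.pcap 22 3`; because the summary works on the text form, the same function also accepts a live `tcpdump -nn -i eth0 'tcp dst port 22'` piped into it, at the cost of running until the capture ends.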

In summary, mastering a few key options (-nn, -XX, -vvv, -i, -c, -q) and combining them with expressive filters makes tcpdump a powerful tool for packet capture.
Written by

Open Source Linux

Focused on sharing Linux/Unix content, covering fundamentals, system development, network programming, automation/operations, cloud computing, and related professional knowledge.
