Master tcpdump: From Installation to Advanced Filtering for Fast Network Troubleshooting
This guide walks you through installing tcpdump on Linux, explains its basic syntax and essential options, demonstrates precise filtering expressions, shares real‑world troubleshooting cases, addresses common pitfalls, and offers best‑practice tips for efficient network packet capture and analysis.
Introduction
tcpdump is a powerful command‑line packet‑capture tool for Linux/Unix, useful for diagnosing connection timeouts, slow access, or service anomalies without a GUI.
Installation
Install via the package manager of your distribution:
# Ubuntu/Debian
sudo apt-get install tcpdump
# CentOS/RHEL
sudo yum install tcpdump
# RHEL 8+/Fedora (yum is an alias for dnf there)
sudo dnf install tcpdump
Basic Syntax
Command format:
tcpdump [options] [filter expression]
Opening an interface for capture requires root or the CAP_NET_RAW capability, so the commands below are normally run with sudo.
Common Options
-i INTERFACE Specify the network interface (e.g., -i eth0). -i any captures on every interface in Linux "cooked" mode, so packets carry a pseudo link-layer header instead of the real Ethernet header
-n Do not resolve hostnames (show raw IPs)
-nn Do not resolve hostnames or port numbers
-X Show packet contents in hex and ASCII
-XX Show hex, ASCII, and Ethernet header
-c COUNT Capture only COUNT packets then stop
-w FILE Write captured packets to a file
-r FILE Read packets from a file for analysis
-A Display packet contents in ASCII (useful for plaintext HTTP)
-s LEN Capture only the first LEN bytes of each packet (-s 0 means the whole packet; current releases default to 262144 bytes)
-l Line-buffer standard output (required when piping into grep, awk, or another tool)
-U Flush each packet to the -w file as soon as it is captured instead of when the output buffer fills
-D List the interfaces tcpdump can capture on
Tip: When capturing on a remote server, limit the number of packets with -c, or run the command with nohup so a dropped SSH session does not kill the capture. If the capture interface also carries your SSH session, add not port 22 (or not host YOUR_CLIENT_IP) to the filter; otherwise every line tcpdump prints is itself sent over SSH, which produces more packets to print.
Filter Expressions
By Host
# All traffic to or from 192.168.1.100
tcpdump host 192.168.1.100
# Only packets from the IP
tcpdump src host 192.168.1.100
# Only packets destined for the IP
tcpdump dst host 192.168.1.100
By Port
# Capture HTTP traffic
tcpdump port 80
# Capture only SSH connections
tcpdump port 22
# Exclude SSH traffic
tcpdump not port 22
By Protocol
# TCP only
tcpdump tcp
# UDP only
tcpdump udp
# ICMP (ping, etc.)
tcpdump icmp
Combined Conditions
# HTTP traffic involving a specific host
tcpdump host 192.168.1.100 and port 80
# DNS queries within a subnet
tcpdump net 192.168.1.0/24 and port 53
Parentheses are shell syntax, so an expression that uses them must be quoted as a whole or the shell will try to interpret the parentheses itself, e.g.:
tcpdump "host 192.168.1.100 and (port 80 or port 443)"
Single quotes work as well and additionally stop the shell from expanding $ and backslashes inside the expression.
Practical Examples
Basic Network Fault Diagnosis
tcpdump -i eth0 -n -v host 10.0.0.5
Analyzes communication with a specific server to spot packet loss or abnormal responses.
HTTP Request Inspection
tcpdump -i eth0 -A -s 0 port 80
Displays HTTP request headers and parameters in ASCII. This only works for plaintext HTTP; on port 443 the payload is TLS and -A shows nothing readable.
Saving Capture Files
tcpdump -i eth0 -w /tmp/capture_$(date +%Y%m%d%H%M%S).pcap
Includes a timestamp in the filename to avoid overwriting existing files. For long-running captures, let tcpdump rotate files itself instead: -C SIZE_MB starts a new file every SIZE_MB megabytes and -G SECONDS every SECONDS seconds (with -G the filename may contain strftime patterns such as capture_%Y%m%d%H%M%S.pcap).
Advanced ARP and ICMP Joint Analysis
tcpdump "arp[14:4]=0x0a000005 or arp[24:4]=0x0a000005 or icmp"
Captures ARP requests/responses involving 10.0.0.5 plus all ICMP messages, useful for connectivity debugging. arp[14:4] indexes the four bytes at offset 14 of the ARP header (the sender IP) and arp[24:4] the four bytes at offset 24 (the target IP); 0x0a000005 is 10.0.0.5 written as a 32-bit hex value. The ARP part can be written more readably as arp host 10.0.0.5, which matches the same two fields.
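To see what the filter primitives in the sections above actually compare, here is an added Python example that is not part of the original article. It decodes constructed Ethernet frames (ARP, and IPv4 carrying TCP/UDP/ICMP) at the same byte offsets tcpdump's filter indexes, then re-creates the page's combined filters and the ARP/ICMP filter as predicates over the decoded packets. The frames, addresses and MAC values are made up for the demonstration, and bpf_hex, parse_frame, host, src_host, net, port, proto and apply_filter are this example's own names, not tcpdump's.

```python
import ipaddress
import struct

ETH_LEN = 14
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
MAC_A = bytes.fromhex("0242ac110002")   # constructed MAC addresses
MAC_B = bytes.fromhex("0242ac110003")


def bpf_hex(ip):
    """Dotted IPv4 -> the 32-bit literal used in an arp[14:4]=0x... filter."""
    return "0x%08x" % int(ipaddress.IPv4Address(ip))


def ipv4_frame(src, dst, proto, sport=0, dport=0):
    """Constructed Ethernet/IPv4 frame with a 4-byte port stub (or 8 bytes for ICMP)."""
    l4 = struct.pack("!HH", sport, dport) if proto in (6, 17) else bytes(8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return MAC_A + MAC_B + struct.pack("!H", ETHERTYPE_IPV4) + hdr + l4


def arp_frame(op, spa, tpa):
    """Constructed Ethernet/ARP frame; op 1 = request, 2 = reply."""
    arp = struct.pack("!HHBBH6s4s6s4s", 1, ETHERTYPE_IPV4, 6, 4, op,
                      MAC_A, ipaddress.IPv4Address(spa).packed,
                      bytes(6), ipaddress.IPv4Address(tpa).packed)
    return MAC_B + MAC_A + struct.pack("!H", ETHERTYPE_ARP) + arp


def parse_frame(frame):
    """Decode Ethernet + (ARP | IPv4 with TCP/UDP/ICMP) into a flat dict."""
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    body = frame[ETH_LEN:]
    if ethertype == ETHERTYPE_ARP:
        # ARP layout: htype(2) ptype(2) hlen(1) plen(1) op(2) sha(6) spa(4) tha(6) tpa(4),
        # so the sender IP starts at byte 14 and the target IP at byte 24:
        # exactly the fields arp[14:4] and arp[24:4] index in the tcpdump filter.
        return {"proto": "arp", "op": struct.unpack_from("!H", body, 6)[0],
                "src": str(ipaddress.IPv4Address(body[14:18])),
                "dst": str(ipaddress.IPv4Address(body[24:28]))}
    if ethertype == ETHERTYPE_IPV4:
        ihl = (body[0] & 0x0F) * 4          # header length in bytes
        proto = body[9]
        pkt = {"proto": {1: "icmp", 6: "tcp", 17: "udp"}.get(proto, str(proto)),
               "src": str(ipaddress.IPv4Address(body[12:16])),
               "dst": str(ipaddress.IPv4Address(body[16:20]))}
        if proto in (6, 17):                # TCP and UDP both start with src/dst port
            pkt["sport"], pkt["dport"] = struct.unpack_from("!HH", body, ihl)
        return pkt
    return {"proto": "other"}


# Filter primitives: each returns a predicate, so they compose with Python's
# and / or / not the way tcpdump's primitives compose in a filter expression.
def host(ip):
    return lambda p: ip in (p.get("src"), p.get("dst"))

def src_host(ip):
    return lambda p: p.get("src") == ip

def net(cidr):
    n = ipaddress.ip_network(cidr)
    return lambda p: any(k in p and ipaddress.ip_address(p[k]) in n for k in ("src", "dst"))

def port(n):
    return lambda p: n in (p.get("sport"), p.get("dport"))

def proto(name):
    return lambda p: p.get("proto") == name


def apply_filter(pred, frames):
    """Return the decoded packets the predicate keeps, i.e. what tcpdump would print."""
    return [p for p in map(parse_frame, frames) if pred(p)]


# Constructed sample traffic, not a real capture.
FRAMES = [
    ipv4_frame("192.168.1.100", "10.0.0.5", 6, 51000, 80),    # HTTP from .100
    ipv4_frame("192.168.1.7", "10.0.0.5", 6, 51001, 443),     # HTTPS from another host
    ipv4_frame("192.168.1.7", "192.168.1.1", 17, 40000, 53),  # DNS inside the subnet
    ipv4_frame("172.16.0.9", "10.0.0.5", 1),                  # ICMP from outside
    arp_frame(1, "10.0.0.1", "10.0.0.5"),                     # who-has 10.0.0.5
    arp_frame(2, "10.0.0.5", "10.0.0.1"),                     # 10.0.0.5 is-at ...
    arp_frame(1, "10.0.0.1", "10.0.0.9"),                     # unrelated ARP
]

# tcpdump "host 192.168.1.100 and (port 80 or port 443)"
web_from_100 = lambda p: host("192.168.1.100")(p) and (port(80)(p) or port(443)(p))
# tcpdump net 192.168.1.0/24 and port 53
dns_in_subnet = lambda p: net("192.168.1.0/24")(p) and port(53)(p)
# tcpdump "arp[14:4]=0x0a000005 or arp[24:4]=0x0a000005 or icmp"
arp_or_icmp_for_5 = lambda p: (proto("arp")(p) and host("10.0.0.5")(p)) or proto("icmp")(p)

if __name__ == "__main__":
    print("10.0.0.5 as a BPF literal:", bpf_hex("10.0.0.5"))
    for name, pred in [("web", web_from_100), ("dns", dns_in_subnet), ("arp/icmp", arp_or_icmp_for_5)]:
        print(name, apply_filter(pred, FRAMES))
```

Run it without arguments and it prints which constructed frames each of the three filters keeps; swap in frames read from your own capture to check a filter before you run it on a busy interface.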
Common Problems and Solutions
Zero-byte capture file – Cause: usually not a fault at all. tcpdump buffers its -w output, so nothing reaches the file until the buffer fills or tcpdump exits; add -U to flush after every packet. If the file is still empty after tcpdump has exited, the disk may be full. Solution: run df -h, then free space or change the output directory.
Capture file only 24 bytes – Cause: tcpdump wrote the pcap global header but no packet matched, either because the wrong interface was selected or because the filter expression matches nothing on that interface. Solution: list interfaces with tcpdump -D, try a broader filter first to confirm traffic is visible, or use -i any to capture from all interfaces.
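The two symptoms above follow from the file layout tcpdump writes: a 24-byte global header, then a 16-byte record header plus the captured bytes for each packet. The following added Python example, which is not from the original article, parses that layout and reports what a -w file actually contains, including packets that were cut short by the snaplen (the -s 0 case from the HTTP example). The pcap samples it checks are constructed in memory; inspect_pcap, make_pcap and inspect_file are the example's own names.

```python
import struct
import sys

GLOBAL_HEADER_LEN = 24
RECORD_HEADER_LEN = 16
# The first four bytes give byte order and timestamp resolution.
MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 1e-6),  # little-endian, microseconds (what tcpdump writes on x86)
    b"\xa1\xb2\xc3\xd4": (">", 1e-6),
    b"\x4d\x3c\xb2\xa1": ("<", 1e-9),  # nanosecond-resolution variants
    b"\xa1\xb2\x3c\x4d": (">", 1e-9),
}
LINKTYPES = {1: "EN10MB (Ethernet)", 113: "LINUX_SLL (-i any)", 276: "LINUX_SLL2 (-i any, newer)"}


def inspect_pcap(data):
    """Summarise a pcap byte string; never raises on short or garbage input."""
    if not data:
        return {"status": "empty", "packets": 0}        # nothing flushed, or disk full
    if len(data) < GLOBAL_HEADER_LEN or data[:4] not in MAGICS:
        return {"status": "not-pcap", "packets": 0}
    endian, _tick = MAGICS[data[:4]]
    major, minor, _tz, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    packets, sliced, truncated = 0, 0, False
    off = GLOBAL_HEADER_LEN
    while off < len(data):
        if off + RECORD_HEADER_LEN > len(data):
            truncated = True                           # record header cut off: killed mid-write
            break
        _sec, _frac, caplen, origlen = struct.unpack(endian + "IIII", data[off:off + RECORD_HEADER_LEN])
        off += RECORD_HEADER_LEN
        if off + caplen > len(data):
            truncated = True                           # packet body cut off
            break
        packets += 1
        if caplen < origlen:                           # longer than snaplen: bytes were dropped
            sliced += 1
        off += caplen
    if truncated:
        status = "truncated"
    elif packets == 0:
        status = "header-only"                         # the "exactly 24 bytes" case
    else:
        status = "ok"
    return {"status": status, "version": f"{major}.{minor}", "snaplen": snaplen,
            "linktype": LINKTYPES.get(linktype, str(linktype)),
            "packets": packets, "sliced": sliced}


def make_pcap(records, snaplen=262144, linktype=1):
    """Constructed little-endian pcap; records are (ts_seconds, captured_bytes, original_len)."""
    out = b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, snaplen, linktype)
    for ts, payload, origlen in records:
        sec = int(ts)
        out += struct.pack("<IIII", sec, int(round((ts - sec) * 1e6)), len(payload), origlen) + payload
    return out


def inspect_file(path):
    with open(path, "rb") as f:
        return inspect_pcap(f.read())


# Constructed samples standing in for real capture files.
SAMPLES = {
    "never-flushed": b"",
    "no-match": make_pcap([]),                                                   # exactly 24 bytes
    "ok": make_pcap([(1.5, b"\x00" * 60, 60), (1.6, b"\x00" * 96, 1514)], snaplen=96),
    "killed-mid-write": make_pcap([(1.5, b"\x00" * 60, 60)])[:-10],
}

if __name__ == "__main__":
    for path in sys.argv[1:]:                          # python3 pcapcheck.py /tmp/capture.pcap
        print(path, inspect_file(path))
    if len(sys.argv) == 1:
        for name, blob in SAMPLES.items():
            print(f"{name:16} {len(blob):4d} bytes -> {inspect_pcap(blob)}")
```

Pass one or more capture paths as arguments to check real files; a "sliced" count above zero means the capture should be repeated with a larger -s, and "truncated" means the last packet was lost when tcpdump was killed, which is harmless for analysis but explains a reader warning in Wireshark.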
Syntax error with parentheses – Cause: the shell, not tcpdump, reports "syntax error near unexpected token `('" because it parses the parentheses itself. Solution: enclose the whole expression in quotes, e.g. tcpdump "host 192.168.1.1 and (port 80 or port 443)".
Permission denied – Solution: run with sudo. If non-root users need to capture, grant the binary only the capabilities it needs rather than making it setuid root:
sudo setcap cap_net_raw,cap_net_admin=eip "$(command -v tcpdump)"
Do not use chmod +s: a setuid-root tcpdump lets every local user run it as root, including its -w (write any file) and -z (run a command after file rotation) options, which is a local privilege escalation. Even with setcap, limit execute permission to a dedicated group, because anyone who can run the binary can read all traffic on the host.
Using tcpdump with Wireshark
Capture on the server, save to a pcap file, then open it in Wireshark for graphical analysis:
tcpdump -i eth0 -w /tmp/capture.pcap port 80
Or pipe directly over SSH into a running Wireshark:
ssh user@server "sudo tcpdump -i eth0 -U -w - port 80" | wireshark -k -i -
-U makes tcpdump flush each packet into the pipe instead of waiting for a buffer to fill, so packets appear in Wireshark as they arrive. sudo must not prompt for a password here, because no terminal is allocated for the remote command; either allow that exact command with NOPASSWD in sudoers or use a user that already holds the capture capabilities. Never widen the filter to include port 22 in this setup: the pipe's own SSH traffic would be captured and fed back through the pipe without end.
Best-Practice Recommendations
Obtain proper authorization before capturing traffic in production.
Use precise filter expressions to reduce system load.
Apply -c to cap the number of packets and avoid exhausting disk space.
Delete temporary capture files after analysis.
Combine tcpdump with grep, awk, etc., for faster processing, e.g. tcpdump -i eth0 -nn -l port 80 | grep "192.168.1". The -l flag matters: without it tcpdump block-buffers its output when stdout is a pipe, and grep shows nothing until the buffer fills or tcpdump exits. Note also that grep "192.168.1" is a substring match that also hits 192.168.10.x and 192.168.100.x; a filter primitive such as net 192.168.1.0/24 is both precise and cheaper, since non-matching packets are dropped in the kernel before tcpdump sees them.
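As an added example of the grep/awk idea, not part of the original article, the following Python script parses the summary lines tcpdump -nn prints for IPv4 TCP and UDP, restricts them to a subnet with a real address comparison instead of a substring match, and flags sources that send bare SYNs to several distinct ports, a common port-scan signature. The lines in SAMPLE_LINES are constructed to look like tcpdump output rather than taken from a real capture; parse_line, involves_net, syn_scan_sources and triage are the script's own names.

```python
import ipaddress
import re
import sys
from collections import defaultdict

# Matches the one-line summary tcpdump -nn prints for IPv4 TCP ("Flags [...]") and UDP packets.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): "
    r"(?:Flags \[(?P<flags>[^\]]*)\]|(?P<proto>UDP))"
)

# Constructed sample output (not a real capture): one normal handshake, one host
# probing three ports, one UDP packet, and one host outside 192.168.1.0/24.
SAMPLE_LINES = """\
12:00:01.000001 IP 192.168.1.55.40001 > 10.0.0.5.22: Flags [S], seq 1000, win 64240, length 0
12:00:01.000230 IP 10.0.0.5.22 > 192.168.1.55.40001: Flags [S.], seq 2000, ack 1001, win 65160, length 0
12:00:01.000450 IP 192.168.1.55.40001 > 10.0.0.5.22: Flags [.], ack 1, win 502, length 0
12:00:02.000001 IP 192.168.1.200.51000 > 10.0.0.5.21: Flags [S], seq 1, win 1024, length 0
12:00:02.000002 IP 192.168.1.200.51001 > 10.0.0.5.23: Flags [S], seq 1, win 1024, length 0
12:00:02.000003 IP 192.168.1.200.51002 > 10.0.0.5.25: Flags [S], seq 1, win 1024, length 0
12:00:02.000004 IP 10.0.0.5.21 > 192.168.1.200.51000: Flags [R.], seq 0, ack 2, win 0, length 0
12:00:03.000001 IP 192.168.1.7.33000 > 10.0.0.5.5000: UDP, length 45
12:00:03.000002 IP 192.168.10.9.44000 > 10.0.0.5.80: Flags [S], seq 5, win 1024, length 0
""".splitlines()


def parse_line(line):
    """Return a dict for a TCP/UDP summary line, or None for anything else (ARP, ICMP, banners)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    d["proto"] = "udp" if d["proto"] else "tcp"
    return d


def involves_net(pkt, prefix):
    """Subnet test on the parsed address, so 192.168.1.0/24 does not also match 192.168.10.x."""
    n = ipaddress.ip_network(prefix)
    return any(ipaddress.ip_address(pkt[k]) in n for k in ("src", "dst"))


def syn_scan_sources(pkts, min_ports=3):
    """Sources whose bare SYNs (flags exactly 'S') target at least min_ports distinct ports."""
    ports_by_src = defaultdict(set)
    for p in pkts:
        if p["proto"] == "tcp" and p["flags"] == "S":
            ports_by_src[p["src"]].add(p["dport"])
    return {src: sorted(ports) for src, ports in ports_by_src.items() if len(ports) >= min_ports}


def triage(lines, prefix="192.168.1.0/24", min_ports=3):
    """Parse tcpdump lines, keep those touching prefix, and report likely scanners."""
    pkts = [p for p in map(parse_line, lines) if p and involves_net(p, prefix)]
    return {"parsed": len(pkts), "scanners": syn_scan_sources(pkts, min_ports)}


if __name__ == "__main__":
    # Usage: sudo tcpdump -i eth0 -nn -l tcp or udp | python3 triage.py
    # (-l is required so lines arrive as they are printed); with no pipe, the samples are used.
    source = SAMPLE_LINES if sys.stdin.isatty() else (line.rstrip("\n") for line in sys.stdin)
    print(triage(source))
```

The threshold of three distinct ports is deliberately low for the constructed sample; on a real network, raise min_ports and window the input by time, otherwise a busy client that legitimately talks to several services will be reported.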
Conclusion
Mastering tcpdump gives deep visibility into network traffic, enabling rapid diagnosis of connectivity issues, performance bottlenecks, and security threats. Practice in a test environment, refine your filters, and you’ll be ready to tackle real‑world network problems with confidence.
Xiao Liu Lab