BestHub
Sign in
Operations 11 min read

Master tcpdump: Install, Capture, and Filter Network Packets on Linux

This guide walks you through installing tcpdump on Linux, then demonstrates how to capture packets from specific interfaces, hosts, sources, destinations, and ports, including saving captures to files and using advanced filter expressions for precise network monitoring.

MaGe Linux Operations
MaGe Linux Operations
MaGe Linux Operations
Master tcpdump: Install, Capture, and Filter Network Packets on Linux

Installation

yum install tcpdump

Command Usage

Monitor a Specific Network Interface

Capture all packets on the default interface (eth0):

[root@server110 tcpdump]# tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
15:58:14.441562 IP server110.ssh > 18.16.202.169.cvd: Flags [P.], seq 2956277183:2956277391, ack 2178083060, win 336, length 208
... (additional sample output) ...

Capture packets on a chosen interface:

[root@server110 tcpdump]# ifconfig
eth0      Link encap:Ethernet  HWaddr 52:54:00:DE:05:94
          inet addr:18.16.200.110  Bcast:18.16.200.255  Mask:255.255.255.0
... (additional ifconfig output) ...
[root@server110 tcpdump]# tcpdump -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
15:59:43.529881 IP server110.ssh > 18.16.202.169.cvd: Flags [P.], seq 2956715807:2956716015, ack 2178087524, win 336, length 208
... (additional sample output) ...

Monitor a Specific Host

[root@server110 tcpdump]# tcpdump host 18.16.202.169
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:07:16.334596 IP server110.ssh > 18.16.202.169.cvd: Flags [P.], seq 2957160543:2957160751, ack 2178097380, win 336, length 208
... (additional sample output) ...

Specific Source

[root@server110 tcpdump]# tcpdump src host 18.16.202.169
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:08:30.681395 IP 18.16.202.169.cvd > server110.ssh: Flags [.], ack 2957168815, win 16420, length 0
... (additional sample output) ...

Specific Destination Address

[root@server110 tcpdump]# tcpdump dst host 18.16.202.169
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:09:27.404603 IP server110.ssh > 18.16.202.169.cvd: Flags [P.], seq 2958878511:2958878719, ack 2178100804, win 336, length 208
... (additional sample output) ...

Monitor a Specific Port

[root@server110 tcpdump]# tcpdump port 8083 -vv
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:10:31.361199 IP (tos 0x0, ttl 127, id 19231, offset 0, flags [DF], proto TCP (6), length 52)
    18.16.202.169.14626 > server110.us-srv: Flags [S], cksum 0x3315 (correct), seq 2299766793, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
... (additional sample output) ...

Capture TCP Traffic and Save to abc.cap

[root@server110 tcpdump]# tcpdump tcp port 8083 -w ./abc.cap
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C15 packets captured
15 packets received by filter
0 packets dropped by kernel

Result: 15 packets captured, containing only TCP/HTTP format data.

A Slightly More Complex Example

tcpdump tcp -i eth1 -t -s 0 -c 100 and dst port ! 22 and src net 192.168.1.0/24 -w ./target.cap
tcp: ip icmp arp rarp and tcp, udp, icmp options must be placed as the first argument to filter packet types. -i eth1: capture only packets passing through interface eth1. -t: omit timestamps. -s 0: capture the full packet length (default is 68 bytes). -c 100: capture only 100 packets. dst port ! 22: exclude packets whose destination port is 22. src net 192.168.1.0/24: source network address is 192.168.1.0/24. -w ./target.cap: save to a .cap file for analysis with Wireshark.
Original Source

Signed-in readers can open the original source through BestHub's protected redirect.

Sign in to view source
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactadmin@besthub.devand we will review it promptly.

LinuxPacket CaptureNetwork Monitoringtcpdump
MaGe Linux Operations
Written by

MaGe Linux Operations

Founded in 2009, MaGe Education is a top Chinese high‑end IT training brand. Its graduates earn 12K+ RMB salaries, and the school has trained tens of thousands of students. It offers high‑pay courses in Linux cloud operations, Python full‑stack, automation, data analysis, AI, and Go high‑concurrency architecture. Thanks to quality courses and a solid reputation, it has talent partnerships with numerous internet firms.

0 followers
Reader feedback

How this landed with the community

Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.

Sign in to comment