Master TCPDump: Install, Capture, Filter, and Analyze Network Packets on Linux
This guide explains how to install TCPDump on common platforms, list network interfaces, capture traffic, filter by IP, port or protocol, save and read capture files, and use advanced options such as limiting the packet count and displaying packet contents. It is written for network and security professionals who need packet-level visibility on Linux.
1. Install TCPDump
TCPDump is often pre‑installed on many Linux distributions. If it is missing, install it with the appropriate package manager:
# Debian/Ubuntu
sudo apt install tcpdump
# CentOS/RHEL (use dnf in place of yum on current releases)
sudo yum install tcpdump
# macOS (via Homebrew)
brew install tcpdump
Verify the installation:
tcpdump --version
2. Basic Usage
1. List available network interfaces
tcpdump -D
Example output:
1.eth0
2.wlan0
3.lo (Loopback)
2. Capture all traffic on an interface
sudo tcpdump -i eth0
Press Ctrl+C to stop. Capturing needs root (or the CAP_NET_RAW and CAP_NET_ADMIN capabilities), which is why the examples use sudo. Two options worth adding from the start: -n, which turns off reverse DNS lookups (they slow the output and generate traffic of their own), and -i any, which captures on every interface at once.
3. Save captured data to a file
sudo tcpdump -i eth0 -w capture.pcap
With -w nothing is printed to the terminal; tcpdump writes the raw packets, payloads included, so treat the file as sensitive data. The file can be opened with Wireshark for further analysis, and any filter from section 3 can be appended to limit what gets written.
4. Read a capture file
tcpdump -r capture.pcap
Reading a file needs no root, and the same filter expressions shown below work with -r exactly as they do on a live capture. Add -n here too, so tcpdump does not try to resolve every address in the file.
3. Filtering Packets
1. Filter by IP
# Traffic to or from 192.168.1.100 (host matches either direction)
sudo tcpdump -i eth0 host 192.168.1.100
# Destination IP 8.8.8.8
sudo tcpdump -i eth0 dst 8.8.8.8
# Source IP 192.168.1.1
sudo tcpdump -i eth0 src 192.168.1.1
2. Filter by port
# HTTP traffic on port 80
sudo tcpdump -i eth0 port 80
# HTTPS destination port 443
sudo tcpdump -i eth0 dst port 443
# SSH source port 22
sudo tcpdump -i eth0 src port 22
3. Filter by protocol
# ICMP (ping) traffic
sudo tcpdump -i eth0 icmp
# TCP traffic
sudo tcpdump -i eth0 tcp
# UDP traffic
sudo tcpdump -i eth0 udp
4. Combine filters
# Traffic from 192.168.1.100 on port 80
sudo tcpdump -i eth0 "host 192.168.1.100 and port 80"
# Exclude HTTP/HTTPS traffic
sudo tcpdump -i eth0 "not (port 80 or port 443)"
Quote any expression that contains parentheses; otherwise the shell interprets them before tcpdump ever sees the filter.
4. Advanced Usage
1. Limit the number of captured packets
# Stop after capturing 10 packets
sudo tcpdump -i eth0 -c 10
2. Show packet contents (hex + ASCII)
sudo tcpdump -i eth0 -X
-X prints each packet as hex alongside ASCII; -XX also includes the link-layer header, and -A prints ASCII only.
3. Capture HTTP requests (display URLs)
sudo tcpdump -i eth0 -A "tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)"
The arithmetic computes the TCP payload length: ip[2:2] is the IP total length, (ip[0]&0xf)<<2 is the IP header length in bytes, and (tcp[12]&0xf0)>>2 is the TCP header length in bytes. Requiring a non-zero result drops the empty SYN and ACK segments, so -A shows only packets that carry HTTP data: the request line with its URL path, the Host header, and the response headers. This only works for plaintext HTTP; HTTPS payloads on port 443 are encrypted and -A shows nothing readable.
4. Capture DNS queries
sudo tcpdump -i eth0 port 53
This catches both UDP and TCP DNS. Add -n so tcpdump does not resolve the very names it is showing you.
5. Conclusion
TCPDump is an essential tool for network engineers, security researchers, and operations staff. Combined with Wireshark, it provides powerful packet‑level insight, enabling you to troubleshoot, analyze, and understand network traffic like a pro.
DevOps Operations Practice
We share professional insights on cloud-native, DevOps & operations, Kubernetes, observability & monitoring, and Linux systems.