Master tcpdump: Real‑World Examples for Capturing and Analyzing Network Packets
This guide explains how to use tcpdump for network packet capture, covering basic usage, filtering by interface, host, port, protocol, and advanced options for saving and limiting captures, with practical examples for troubleshooting network issues.
Introduction
tcpdump is a command-line packet capture and analysis tool. Its capture filters (pcap-filter syntax) select packets by protocol, host, network or port, and the logical operators and, or and not combine those primitives so that irrelevant traffic is discarded before it is ever printed or written to disk.
tcpdump - dump traffic on a network
Examples
Run without parameters
Listen on the first network interface for all packets. If a machine has multiple interfaces, you often need to specify which one; tcpdump -D lists the interfaces it can capture on. Capturing requires root or the CAP_NET_RAW capability.
tcpdump
Listen on a specific interface
tcpdump -i en0
Listen for a specific host
Capture traffic between the local machine and host 182.254.38.55. Both inbound and outbound packets are captured.
tcpdump host 182.254.38.55
Filter by source or destination address
tcpdump src host hostname
tcpdump dst host hostname
If neither src nor dst is specified, packets with the given hostname as either source or destination are captured. A hostname in a filter is resolved once, when the filter is compiled; the filter itself matches on IP addresses in the packet headers.
tcpdump host hostname
Filter by specific port
tcpdump port 3000
Capture only TCP or UDP
Capture only TCP packets (tcpdump udp does the same for UDP).
tcpdump tcp
Source host + port + TCP
Capture TCP packets from host 123.207.116.169 on port 22. Because src is given, only the direction from that host matches; the replies from port 22 back to it do not.
tcpdump tcp port 22 and src host 123.207.116.169
Capture traffic between specific hosts
Capture traffic between 210.27.48.1 and 210.27.48.2.
tcpdump ip host 210.27.48.1 and 210.27.48.2
Capture traffic involving 210.27.48.1 except traffic with 210.27.48.2.
tcpdump ip host 210.27.48.1 and ! 210.27.48.2
In an interactive bash shell, ! triggers history expansion, so either quote the whole expression ('ip host 210.27.48.1 and ! 210.27.48.2') or write the equivalent not 210.27.48.2.
More detailed example
Options and a filter expression can be combined in one command. Put the options first and pass the filter as a single quoted argument; that form is unambiguous for tcpdump's option parser and keeps the shell from interpreting ! or parentheses:
tcpdump -i eth1 -t -s 0 -c 100 -w ./target.cap 'tcp and dst port ! 22 and src net 192.168.1.0/24'
tcp: protocol qualifier (ip, ip6, icmp, arp, rarp, tcp, udp, etc.)
-i eth1: capture on interface eth1
-t: omit timestamps from printed output (a file written with -w always stores them)
-s 0: capture the full packet length; current tcpdump already captures whole packets by default, so this matters mainly on old versions, and a small -s value silently truncates payloads
-c 100: stop after 100 packets
dst port ! 22: exclude packets destined for port 22 (equivalent to not dst port 22)
src net 192.168.1.0/24: filter on the source network
-w ./target.cap: write the raw packets to a capture file for later analysis (e.g., with Wireshark, or tcpdump -n -r ./target.cap)
Limit capture count
Stop automatically after capturing 1000 packets.
tcpdump -c 1000
Save to local file
When writing with -w, tcpdump buffers the output and flushes it to disk only when the buffer fills or the program exits, so a file that is still being written can look empty or end in a cut-off record.
tcpdump -n -vvv -c 1000 -w /tmp/tcpdump_save.cap
-w stores raw packets, so -vvv does not change what goes into the file; combined with -w, -v only reports the running packet count to stderr once per second. Add -U (packet-buffered output) to flush every packet as soon as it is captured, for example when another tool reads the file live; it costs a write per packet, so leave it off for bulk captures.
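The file that -w writes is the classic pcap format, and the -s snaplen decides how much of each frame it keeps. The following added example (not from the original article) writes and reads that format with only the Python standard library, using three constructed frames of 60, 96 and 1514 bytes, so you can see what -s 96 versus -s 0 does to the stored record and how a buffered file that was killed mid-write fails to parse. The timestamps and frame contents are made up for the example.

```python
"""Writer and reader for the classic pcap format that `tcpdump -w` produces (stdlib only)."""
import struct

PCAP_MAGIC = 0xA1B2C3D4      # microsecond-timestamp pcap; the bytes appear swapped in a big-endian file
LINKTYPE_ETHERNET = 1
DEFAULT_SNAPLEN = 262144     # tcpdump's default when -s is not given; -s 0 means the same thing


def pcap_dump(packets, snaplen=DEFAULT_SNAPLEN):
    """Serialise (ts_sec, ts_usec, frame_bytes) tuples the way `tcpdump -w -s snaplen` does.

    As in tcpdump, snaplen 0 means 'the whole packet'. Frames longer than snaplen are cut;
    the record header keeps both the stored length and the original on-the-wire length.
    """
    if snaplen == 0:
        snaplen = DEFAULT_SNAPLEN
    # Global header: magic, version 2.4, thiszone, sigfigs, snaplen, link type (little-endian here).
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
    for ts_sec, ts_usec, frame in packets:
        stored = frame[:snaplen]
        out += struct.pack("<IIII", ts_sec, ts_usec, len(stored), len(frame))
        out += stored
    return bytes(out)


def pcap_load(blob):
    """Parse a pcap blob of either byte order into its header fields and packet records."""
    (magic,) = struct.unpack("<I", blob[:4])
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("magic %#x is not classic pcap (pcapng and nanosecond pcap need another reader)" % magic)
    _, vmaj, vmin, _, _, snaplen, linktype = struct.unpack(end + "IHHiIII", blob[:24])
    records, off = [], 24
    while off < len(blob):
        if off + 16 > len(blob):
            raise ValueError("record header at offset %d is cut short" % off)
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(end + "IIII", blob[off:off + 16])
        off += 16
        frame = blob[off:off + incl_len]
        if len(frame) != incl_len:
            # Typical of a file whose writer was killed mid-record (buffered -w without -U).
            raise ValueError("record data at offset %d is cut short" % off)
        off += incl_len
        records.append({"ts": ts_sec + ts_usec / 1e6, "frame": frame,
                        "orig_len": orig_len, "truncated": incl_len < orig_len})
    return {"version": (vmaj, vmin), "snaplen": snaplen, "linktype": linktype, "records": records}


def demo():
    """Constructed frames of 60, 96 and 1514 bytes, captured once with -s 96 and once with -s 0."""
    frames = [(1700000000, 1000 * i, bytes([i]) * size) for i, size in enumerate((60, 96, 1514), start=1)]
    short = pcap_load(pcap_dump(frames, snaplen=96))
    full = pcap_load(pcap_dump(frames, snaplen=0))
    return ([r["truncated"] for r in short["records"]],
            [len(r["frame"]) for r in full["records"]])


if __name__ == "__main__":
    print(demo())
```

pcap_load reads files written by tcpdump -w as well, because the layout is the same; a truncated flag on a record means the packet was longer than the snaplen in force, which is the first thing to check when a payload looks cut off in Wireshark.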
Practical Scenario
Assume a Node.js server listens on port 3000 behind an Nginx reverse proxy on port 80. A client at 183.14.132.117 reports getting no response.
Browser → Nginx reverse proxy → Node.js server
Steps to troubleshoot:
Verify the request reaches Nginx at all: check the Nginx access log, or capture the client's packets on the external interface (eth0 here).
tcpdump -n -i eth0 port 80 and host 183.14.132.117
Check whether Nginx forwards the request to the Node.js server:
tcpdump port 3000
If nothing appears, Nginx is most likely proxying to 127.0.0.1:3000. That traffic never leaves the loopback interface, so it has to be captured there explicitly:
tcpdump -i lo port 3000
Do not filter the loopback capture on the client address. Every packet from Nginx to Node.js carries 127.0.0.1 as its source IP, whatever headers Nginx passes along, so a filter like the following can never match:
tcpdump -i lo port 3000 and src host 183.14.132.117
The original client address survives the proxy hop only inside the HTTP payload, and only if Nginx is configured to add it (proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; or proxy_set_header X-Real-IP $remote_addr;). To tie loopback packets to this client, print the payload in ASCII and look for that header:
tcpdump -n -l -A -i lo port 3000 | grep -A 3 'X-Forwarded-For: 183.14.132.117'
A request seen here but never logged by Node.js points at the application; a request seen on port 80 but never on lo points at the Nginx configuration.
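To make the filter semantics concrete, here is an added example (not part of the original article, and not tcpdump's own filter compiler) that builds constructed Ethernet/IPv4/TCP frames and evaluates the same primitives tcpdump uses: tcp, port, dst port, src host, src net and not. It runs the two composite filters from the examples section above, and then replays the troubleshooting scenario: the client's packets on the external interface match src host, the loopback copy does not, and only the X-Forwarded-For header in the payload ties the proxied request back to the client. The server address 203.0.113.10, the ephemeral ports and the request bytes are assumptions; checksums are left at zero because nothing here validates them.

```python
"""Mini pcap-filter matcher over constructed IPv4/TCP frames (stdlib only, no root needed)."""
import ipaddress
import struct

ETH_P_IP = 0x0800  # Ethernet frames only; on Linux the lo interface also presents as Ethernet to tcpdump


def ipv4_tcp_frame(src, dst, sport, dport, payload=b""):
    """Constructed test frame: Ethernet + IPv4 + TCP. Checksums are deliberately left at zero."""
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    total = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0x4000, 64, 6, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    eth_hdr = b"\x00" * 12 + struct.pack("!H", ETH_P_IP)
    return eth_hdr + ip_hdr + tcp_hdr + payload


def parse(frame):
    """Extract the fields the page's filter primitives test; non-IPv4 frames yield None."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    pkt = {"proto": ip[9], "src": ipaddress.IPv4Address(ip[12:16]),
           "dst": ipaddress.IPv4Address(ip[16:20]), "sport": None, "dport": None, "payload": b""}
    if pkt["proto"] == 6:
        tcp_seg = ip[ihl:]
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", tcp_seg[:4])
        pkt["payload"] = tcp_seg[(tcp_seg[12] >> 4) * 4:]
    return pkt


# Each primitive returns a predicate; capture() ANDs them, like "and" in a tcpdump expression.
def tcp():
    return lambda p: p["proto"] == 6

def src_host(addr):
    addr = ipaddress.IPv4Address(addr)
    return lambda p: p["src"] == addr

def port(n):
    return lambda p: n in (p["sport"], p["dport"])

def dst_port(n):
    return lambda p: p["dport"] == n

def src_net(cidr):
    net = ipaddress.ip_network(cidr)
    return lambda p: p["src"] in net

def not_(pred):
    return lambda p: not pred(p)


def capture(frames, *preds):
    """Return the parsed packets that satisfy every predicate (the ones tcpdump would print)."""
    return [p for p in map(parse, frames) if p is not None and all(f(p) for f in preds)]


# Constructed traffic for the Nginx -> Node.js scenario (the server address is an assumption).
CLIENT, SERVER = "183.14.132.117", "203.0.113.10"
REQ = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
PROXIED = b"GET / HTTP/1.1\r\nHost: example.test\r\nX-Forwarded-For: 183.14.132.117\r\n\r\n"
ETH0 = [ipv4_tcp_frame(CLIENT, SERVER, 51234, 80, REQ), ipv4_tcp_frame(SERVER, CLIENT, 80, 51234)]
LO = [ipv4_tcp_frame("127.0.0.1", "127.0.0.1", 40000, 3000, PROXIED),
      ipv4_tcp_frame("127.0.0.1", "127.0.0.1", 3000, 40000)]


def page_filters():
    """The two composite filters from the examples section, run over constructed frames."""
    frames = [ipv4_tcp_frame("123.207.116.169", "10.0.0.5", 40001, 22),
              ipv4_tcp_frame("10.0.0.5", "123.207.116.169", 22, 40001),
              ipv4_tcp_frame("192.168.1.7", "10.0.0.5", 40002, 443),
              ipv4_tcp_frame("192.168.1.8", "10.0.0.5", 40003, 22)]
    # tcp port 22 and src host 123.207.116.169 -> only the direction from that host matches
    ssh_from_host = capture(frames, tcp(), port(22), src_host("123.207.116.169"))
    # tcp and dst port ! 22 and src net 192.168.1.0/24
    lan_not_ssh = capture(frames, tcp(), not_(dst_port(22)), src_net("192.168.1.0/24"))
    return len(ssh_from_host), len(lan_not_ssh)


def scenario():
    """Counts for: the client reaching Nginx, the wrong lo filter, and the payload-based lo check."""
    at_nginx = capture(ETH0, port(80), src_host(CLIENT))   # tcpdump -i eth0 port 80 and src host CLIENT
    wrong_lo = capture(LO, port(3000), src_host(CLIENT))   # source on lo is 127.0.0.1: never matches
    by_header = [p for p in capture(LO, port(3000))        # what tcpdump -A on lo lets you grep for
                 if b"X-Forwarded-For: " + CLIENT.encode() in p["payload"]]
    return len(at_nginx), len(wrong_lo), len(by_header)


if __name__ == "__main__":
    print(page_filters(), scenario())
```

The matcher deliberately keys on the same header fields as the real primitives (IP protocol number, source and destination addresses, TCP ports), which is why src host can only ever see 127.0.0.1 on the loopback leg: the client address at that point exists solely as application-layer bytes.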
MaGe Linux Operations