Mastering tcpdump: A Complete Guide to Command‑Line Packet Capture
This article provides a thorough walkthrough of tcpdump, covering installation on Ubuntu, essential command‑line options, practical filtering techniques, logical expressions, examples for saving and reading capture files, and how to combine tcpdump with Wireshark for deeper packet analysis.
Overview
tcpdump is a command‑line utility that captures network traffic and prints packet headers. It is built on the libpcap library and requires root privileges.
Installation
Example environment: Ubuntu 12.04 (or a similar Linux distribution).
sudo apt-get install tcpdump
Check the installed version:
tcpdump --version
Typical output shows tcpdump version 4.0 and libpcap version 1.1.1.
Common Options
-A – display each packet's payload in ASCII (link-layer header omitted).
-c count – stop after receiving count packets.
-C file-size – rotate output files when they exceed file-size megabytes.
-d – print the compiled packet-matching code in a human-readable form and exit.
-dd – print the matching code as a C program fragment.
-ddd – print the matching code as decimal numbers.
-D – list all interfaces that tcpdump can capture on.
-e – include the link-layer header in each line of output.
-E spi@ipaddr algo:secret,… – decrypt IPsec ESP packets with the given SPI, address, algorithm and secret.
-f – print foreign IPv4 addresses numerically.
-F file – read the filter expression from file.
-i interface – capture on the specified interface (default is the first configured interface, usually eth0).
-l – line-buffered output (useful when piping to tee).
-n – do not resolve hostnames or port names.
-p – do not put the interface into promiscuous mode.
-q – quiet output with minimal protocol information.
-r file – read packets from file instead of a live interface.
-S – print absolute rather than relative TCP sequence numbers.
-s snaplen – capture snaplen bytes of each packet (default 68 bytes); -s 0 captures whole packets.
-t – omit timestamps.
-tttt – print a full date and time stamp on each line.
-v, -vv, -vvv – increasingly verbose output.
-w file – write raw packets to file instead of printing them.
-X – print packet data in both hex and ASCII.
-XX – like -X, but also include the link-layer header.
-Z user – drop root privileges and run as user after opening the capture interface.
Command Examples
Capture all traffic on the default interface:
tcpdump
Capture a specific number of packets:
tcpdump -c 2
Write captured packets to a file:
tcpdump -c 10 -w tcpdump_test.log
The resulting .log file is binary (libpcap format) and can be opened with Wireshark.
Read a saved capture file:
tcpdump -r tcpdump_test.log
List all capture-capable interfaces:
tcpdump -D
Typical output shows eth0 as interface 0.
Capture on a specific interface:
tcpdump -i eth0
If -i is omitted, tcpdump uses the first interface (usually eth0).
Show more detailed packet information:
tcpdump -v
tcpdump -vv
Disable name resolution:
tcpdump -n
Print timestamps with the full date:
tcpdump -tttt
Conditional Filtering
Protocol filter (capture only the specified protocol):
tcpdump udp
tcpdump icmp
tcpdump tcp
tcpdump arp
Port filter:
tcpdump tcp port 80
tcpdump tcp portrange 1-1024
Source/destination port filter:
tcpdump src port 8080
tcpdump dst port 80
Host filter (captures traffic to or from a host):
tcpdump host 192.168.1.113
Packet-size filter:
tcpdump greater 1000
captures packets larger than 1000 bytes.
tcpdump less 10
captures packets smaller than 10 bytes.
Logical Expressions
Combine filters with and, or, not (also written &&, ||, !) and parentheses.
tcpdump tcp and host 192.168.1.112
tcpdump tcp and src 192.168.1.112 and port 8080
tcpdump host 192.168.1.112 or 192.168.1.113
tcpdump not tcp port 22 and host 192.168.1.112 or 192.168.1.113
Operators are applied left to right (and and or have equal precedence; not binds tightest), so the last expression means (not tcp port 22 and host 192.168.1.112) or host 192.168.1.113. When parentheses are needed to change the grouping, quote the whole expression so the shell does not interpret them:
tcpdump "not tcp port 22 and host (192.168.1.112 or 192.168.1.113)"
Additional Examples
Capture all traffic to or from the host named sundown:
tcpdump host sundown
Capture traffic between 210.27.48.1 and either 210.27.48.2 or 210.27.48.3 (quoted because of the parentheses):
tcpdump 'host 210.27.48.1 and (210.27.48.2 or 210.27.48.3)'
Capture IP traffic to or from 210.27.48.1, excluding packets to or from 210.27.48.2:
tcpdump ip host 210.27.48.1 and ! 210.27.48.2
Monitor packets destined for a given hostname on eth0:
tcpdump -i eth0 dst host hostname
Capture telnet packets (port 23) to or from a specific host:
tcpdump tcp port 23 and host 210.27.48.1
Monitor the NTP port (123) on UDP:
tcpdump udp port 123
Capture HTTP GET/POST packets by matching the first two payload bytes with a byte-offset filter:
tcpdump -XvvennSs 0 -i eth0 'tcp[20:2]=0x4745 or tcp[20:2]=0x4854'
where 0x4745 is the ASCII encoding of "GE" and 0x4854 of "HT". The offset 20 assumes a TCP header without options; segments that carry options (for example timestamps) have a longer header and are not matched by this expression. The expression is quoted so that the shell does not treat the square brackets as a filename pattern.
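The following Python script is an added example, not code from the original article: it builds two constructed TCP segments carrying the same HTTP request, one with a bare 20-byte header and one with 12 bytes of options, and emulates both the page's fixed-offset filter tcp[20:2] and the header-length-aware form tcp[((tcp[12:1] & 0xf0) >> 2):2], which is the expression to use when the option length is unknown.

```python
import struct

# Constructed sample request (not captured traffic), reused in both segments.
PAYLOAD = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"

def build_tcp_segment(options: bytes, payload: bytes) -> bytes:
    """Build a TCP header with a correct data-offset field, then options and payload."""
    if len(options) % 4:
        raise ValueError("TCP options must be padded to 32-bit words")
    data_offset_words = (20 + len(options)) // 4   # header length in 32-bit words
    header = struct.pack(
        "!HHIIBBHHH",
        40000, 80,               # source port, destination port
        1, 1,                    # sequence and acknowledgement numbers
        data_offset_words << 4,  # tcp[12]: upper nibble is the data offset
        0x18,                    # flags: PSH, ACK
        65535, 0, 0,             # window, checksum (left unset), urgent pointer
    )
    return header + options + payload

SEG_NO_OPTIONS = build_tcp_segment(b"", PAYLOAD)
# NOP, NOP, Timestamps (kind 8, length 10): 12 option bytes, so a 32-byte header.
SEG_WITH_OPTIONS = build_tcp_segment(b"\x01\x01\x08\x0a" + b"\x00" * 8, PAYLOAD)

def tcp_header_length(segment: bytes) -> int:
    """(tcp[12:1] & 0xf0) >> 2: the header length in bytes, as the BPF filter computes it."""
    return (segment[12] & 0xF0) >> 2

def match_fixed_offset(segment: bytes, word: int) -> bool:
    """Emulates the page's filter tcp[20:2] = word, which assumes a 20-byte header."""
    return struct.unpack("!H", segment[20:22])[0] == word

def match_data_offset(segment: bytes, word: int) -> bool:
    """Emulates tcp[((tcp[12:1] & 0xf0) >> 2):2] = word, which follows the real header length."""
    off = tcp_header_length(segment)
    return struct.unpack("!H", segment[off:off + 2])[0] == word

# tcpdump expression equivalent to match_data_offset for "GE" and "HT".
HTTP_FILTER = (
    "tcp[((tcp[12:1] & 0xf0) >> 2):2] = 0x4745 or "
    "tcp[((tcp[12:1] & 0xf0) >> 2):2] = 0x4854"
)

if __name__ == "__main__":
    for name, seg in (("no options", SEG_NO_OPTIONS), ("with options", SEG_WITH_OPTIONS)):
        print(f"{name}: tcp[20:2] match={match_fixed_offset(seg, 0x4745)}, "
              f"data-offset match={match_data_offset(seg, 0x4745)}")
```

Running it shows the fixed-offset form matching only the segment without options, while the data-offset form matches both.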
Viewing Full Packet Content
By default only headers are shown. Use -A for the ASCII payload or -X for hex plus ASCII.
tcpdump -c 1 -A
tcpdump -c 1 -X
tcpdump and Wireshark
tcpdump can produce capture files that Wireshark reads. A typical workflow is to capture on Linux with tcpdump, then open the file in Wireshark on Windows for detailed analysis.
Example command that captures 100 packets on eth1 with whole packets kept (-s 0), excludes packets whose destination port is 22 (SSH), restricts capture to the source network 192.168.1.0/24, and writes a Wireshark-compatible file (options are placed before the quoted filter expression):
tcpdump -i eth1 -t -s 0 -c 100 -w ./target.cap 'tcp and dst port ! 22 and src net 192.168.1.0/24'
Note that -t only affects printed output; the file written by -w still records a timestamp for every packet.
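To make concrete what tcpdump -w writes and tcpdump -r or Wireshark reads back, here is an added Python example (not code from the article) that builds a classic pcap file in memory from two constructed Ethernet frames and parses it again, reporting the snaplen stored in the header and which frames were cut short by it. It assumes the classic libpcap format that tcpdump 4.0 writes, not pcapng.

```python
import struct

# Classic pcap (libpcap) format as written by tcpdump -w; pcapng is not handled.
PCAP_MAGIC = 0xA1B2C3D4       # microsecond-resolution timestamps
LINKTYPE_ETHERNET = 1         # DLT_EN10MB, what tcpdump writes for eth0/eth1

def build_pcap(records, snaplen=68):
    """Serialise (ts_sec, ts_usec, frame) tuples as a little-endian pcap blob,
    truncating each frame to snaplen exactly as tcpdump -s does."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for ts_sec, ts_usec, frame in records:
        captured = frame[:snaplen]
        out += struct.pack("<IIII", ts_sec, ts_usec, len(captured), len(frame)) + captured
    return out

def read_pcap(data):
    """Parse a pcap blob into (snaplen, linktype, records); each record notes
    whether it was truncated by the snaplen (incl_len < orig_len)."""
    # The writer uses its native byte order, so detect it from the magic number.
    if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC:
        end = "<"
    elif struct.unpack(">I", data[:4])[0] == PCAP_MAGIC:
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng or unknown magic)")
    _m, _maj, _min, _tz, _sig, snaplen, linktype = struct.unpack(end + "IHHiIII", data[:24])
    records, pos = [], 24
    while pos + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(end + "IIII", data[pos:pos + 16])
        pos += 16
        frame = data[pos:pos + incl_len]
        if len(frame) != incl_len:
            raise ValueError("file ends inside a packet record")
        pos += incl_len
        records.append({"ts": ts_sec + ts_usec / 1e6, "incl_len": incl_len,
                        "orig_len": orig_len, "truncated": incl_len < orig_len,
                        "frame": frame})
    return snaplen, linktype, records

# Constructed sample: a 54-byte and a 500-byte frame saved with the default 68-byte snaplen.
SAMPLE_PCAP = build_pcap([
    (1700000000, 0,      b"\x00" * 14 + b"\x45" + b"\x00" * 39),
    (1700000000, 250000, b"\x00" * 14 + b"\x45" + b"\x00" * 485),
], snaplen=68)

if __name__ == "__main__":
    snaplen, linktype, recs = read_pcap(SAMPLE_PCAP)
    print(f"snaplen={snaplen} linktype={linktype} packets={len(recs)}")
    for r in recs:
        print(f"{r['ts']:.6f} captured {r['incl_len']} of {r['orig_len']} bytes"
              + (" [truncated]" if r["truncated"] else ""))
```

The truncated flag is the same condition behind the "[|proto]" markers tcpdump prints when a packet was cut short by the snapshot length, which is why -s 0 is used before handing a file to Wireshark.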
IT Niuke