
Mastering tcpdump: A Complete Guide to Command‑Line Packet Capture

This article provides a thorough walkthrough of tcpdump, covering installation on Ubuntu, essential command‑line options, practical filtering techniques, logical expressions, examples for saving and reading capture files, and how to combine tcpdump with Wireshark for deeper packet analysis.

IT Niuke

Overview

tcpdump is a command‑line utility that captures network traffic and prints packet headers. It is built on the libpcap library and requires root privileges.

Installation

Example environment: Ubuntu 12.04 (or a similar Linux distribution).

sudo apt-get install tcpdump

Check the installed version:

tcpdump --version

Typical output shows tcpdump version 4.0 and libpcap version 1.1.1.

Common Options

-A – print each packet's payload in ASCII (link-layer header omitted).
-c count – stop after receiving count packets.
-C file-size – rotate output files when they exceed file-size megabytes.
-d – print a human-readable packet-matching code and exit.
-dd – print the matching code in C syntax.
-ddd – print the matching code as decimal numbers.
-D – list all interfaces that tcpdump can capture on.
-e – include the link-layer header in each line of output.
-E spi@ipaddr algo:secret,… – decrypt IPsec ESP packets.
-f – display foreign IPv4 addresses numerically.
-F file – read the filter expression from file.
-i interface – capture on the specified interface (default is the first, usually eth0).
-l – line-buffered output (useful with tee).
-n – do not resolve hostnames or port names.
-p – do not put the interface into promiscuous mode.
-q – quiet output, minimal protocol information.
-r file – read packets from file.
-S – print absolute TCP sequence numbers.
-s snaplen – set the snapshot length (default 68 bytes).
-t – omit timestamps.
-tttt – print full date-time stamps.
-v, -vv, -vvv – increasingly verbose output.
-w file – write raw packets to file.
-X – print packet data in both hex and ASCII.
-XX – like -X, but also include the link-layer header.
-Z user – drop root privileges after opening the capture.

Command Examples

Capture all traffic on the default interface:

tcpdump

Capture a specific number of packets:

tcpdump -c 2

Write captured packets to a file:

tcpdump -c 10 -w tcpdump_test.log

The resulting .log file is binary and can be opened with Wireshark.

Read a saved capture file:

tcpdump -r tcpdump_test.log

List all capture-capable interfaces:

tcpdump -D

Typical output shows eth0 as interface 0.

Capture on a specific interface:

tcpdump -i eth0

If -i is omitted, tcpdump uses the first interface (usually eth0).

Show more detailed packet information:

tcpdump -v
tcpdump -vv

Disable name resolution:

tcpdump -n

Print timestamps with the full date:

tcpdump -tttt

Conditional Filtering

Protocol filter (capture only the specified protocol):

tcpdump udp
tcpdump icmp
tcpdump tcp
tcpdump arp

Port filter:

tcpdump tcp port 80
tcpdump tcp portrange 1-1024

Source/Destination filter:

tcpdump src port 8080
tcpdump dst port 80

Host filter (captures traffic to or from a host):

tcpdump host 192.168.1.113

Packet-size filter:

tcpdump greater 1000
tcpdump less 10

The first captures packets larger than 1000 bytes, the second packets smaller than 10 bytes.

Logical Expressions

Combine filters with AND, OR, NOT, and parentheses.

tcpdump tcp and host 192.168.1.112
tcpdump tcp and src 192.168.1.112 and port 8080
tcpdump host 192.168.1.112 or 192.168.1.113
tcpdump not tcp port 22 and host 192.168.1.112 or 192.168.1.113

When parentheses are needed, quote the whole expression so the shell does not interpret them:

tcpdump "not tcp port 22 and host (192.168.1.112 or 192.168.1.113)"

Additional Examples

Capture all traffic to or from host sundown:

tcpdump host sundown

Capture traffic between 210.27.48.1 and either 210.27.48.2 or 210.27.48.3 (quoted because of the parentheses):

tcpdump "host 210.27.48.1 and (210.27.48.2 or 210.27.48.3)"

Capture everything from 210.27.48.1 except traffic to 210.27.48.2:

tcpdump ip host 210.27.48.1 and ! 210.27.48.2

Monitor packets destined for a hostname on eth0:

tcpdump -i eth0 dst host hostname

Capture telnet packets (port 23) from a specific host:

tcpdump tcp port 23 and host 210.27.48.1

Monitor the local NTP port (123) on UDP:

tcpdump udp port 123

Capture HTTP GET/POST packets using a hex filter (quoted because the square brackets would otherwise be expanded by the shell):

tcpdump -XvvennSs 0 -i eth0 'tcp[20:2]=0x4745 or tcp[20:2]=0x4854'

where 0x4745 corresponds to “GE” and 0x4854 to “HT”.
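The offset 20 in tcp[20:2] is the start of the payload only when the TCP header carries no options; with options (a timestamp option alone adds 12 bytes), the bytes at offset 20 are option bytes and the filter silently misses the request. tcpdump's own idiom reads the header length from the Data Offset nibble, tcp[((tcp[12:1] & 0xf0) >> 2):2]. The following Python is an added example, not code from the article: it performs both lookups on constructed TCP segments so the difference is visible. The functions tcp_header_len, payload_word, http_marker and build_segment, the HTTP_MARKERS table and the sample segments are all mine; note that 0x4854 ("HT") matches response lines such as HTTP/1.1, while a POST request starts with 0x504f ("PO").

```python
import struct
from typing import Optional

# tcp[20:2] assumes a 20-byte TCP header (no options); tcpdump's idiom
# tcp[((tcp[12:1] & 0xf0) >> 2):2] derives the payload offset from the Data Offset nibble.


def tcp_header_len(segment: bytes) -> int:
    """Header length in bytes, computed exactly like the BPF expression (tcp[12] & 0xf0) >> 2."""
    if len(segment) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    return (segment[12] & 0xF0) >> 2


def payload_word(segment: bytes, fixed_offset: bool) -> Optional[int]:
    """First two bytes at the presumed payload start (big-endian); None if the segment ends before them."""
    off = 20 if fixed_offset else tcp_header_len(segment)
    if len(segment) < off + 2:
        return None
    return struct.unpack("!H", segment[off:off + 2])[0]


# 0x4745/0x4854 are the page's values; 0x504f ("PO") is what a POST request actually starts with.
HTTP_MARKERS = {0x4745: "GE", 0x4854: "HT", 0x504F: "PO"}


def http_marker(segment: bytes) -> Optional[str]:
    """Marker matched at the data-offset-aware payload position, or None."""
    return HTTP_MARKERS.get(payload_word(segment, fixed_offset=False))


# Constructed sample segments (synthetic, not captured traffic), ports 40000 -> 80.
def build_segment(options: bytes, payload: bytes) -> bytes:
    if len(options) % 4:
        raise ValueError("TCP options must be padded to a multiple of 4 bytes")
    data_offset_words = 5 + len(options) // 4          # header length in 32-bit words
    hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, data_offset_words << 4, 0x18, 65535, 0, 0)
    return hdr + options + payload


PLAIN = build_segment(b"", b"GET / HTTP/1.1\r\n")
# NOP, NOP, Timestamp (kind 8, length 10, eight value bytes): 12 option bytes -> 32-byte header
WITH_TS = build_segment(b"\x01\x01\x08\x0a" + b"\x00" * 8, b"GET / HTTP/1.1\r\n")
RESPONSE = build_segment(b"", b"HTTP/1.1 200 OK\r\n")

if __name__ == "__main__":
    for name, seg in (("plain", PLAIN), ("with options", WITH_TS), ("response", RESPONSE)):
        print(name, "tcp[20:2] =", payload_word(seg, True),
              "offset-aware =", payload_word(seg, False), "marker =", http_marker(seg))
```

The offset-aware form of the page's command is tcpdump -i eth0 'tcp[((tcp[12:1] & 0xf0) >> 2):2] = 0x4745'; the -s 0 in the original command matters as well, because with the default snapshot length the payload may not be in the captured bytes at all.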

Viewing Full Packet Content

By default only headers are shown. Use -A for ASCII payload or -X for hex + ASCII.

tcpdump -c 1 -A
tcpdump -c 1 -X

tcpdump and Wireshark

tcpdump can produce capture files that Wireshark reads. A typical workflow is to capture on Linux with tcpdump, then open the file in Wireshark on Windows for detailed analysis.

Example command that captures 100 TCP packets on eth1 without timestamps and with an unlimited snapshot length, excludes packets destined for port 22 (SSH), keeps only packets from the 192.168.1.0/24 source network, and writes them to a Wireshark-compatible file:

tcpdump tcp -i eth1 -t -s 0 -c 100 and dst port ! 22 and src net 192.168.1.0/24 -w ./target.cap
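To show what the binary file written by -w contains (the same file -r reads back and Wireshark opens), here is an added Python example that is not part of the original article: a minimal reader for the classic pcap format (a 24-byte global header, then a 16-byte record header in front of every frame) that decodes Ethernet/IPv4 and the TCP/UDP port pair and applies the same kind of protocol/host/port matching the filter expressions earlier on the page express. Every name in it (parse_pcap, decode_frame, summarize, filter_packets, build_sample_pcap and its helpers) is mine, and the three-packet capture is synthesized in memory using the page's 192.168.1.x addresses rather than taken from a real interface.

```python
import socket
import struct
from dataclasses import dataclass
from typing import List, Optional

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap, microsecond timestamps (what `tcpdump -w` writes)
LINKTYPE_ETHERNET = 1
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


@dataclass
class Packet:
    ts_sec: int
    ts_usec: int
    proto: str                   # "tcp", "udp", "icmp" or "other"
    src: str
    dst: str
    sport: Optional[int]
    dport: Optional[int]
    length: int                  # original on-the-wire length (orig_len)


def decode_frame(frame: bytes, ts_sec: int, ts_usec: int, orig_len: int) -> Packet:
    """Decode Ethernet/IPv4 plus the TCP/UDP port pair; anything else is reported as 'other'."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":     # EtherType 0x0800 = IPv4
        return Packet(ts_sec, ts_usec, "other", "", "", None, None, orig_len)
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                                 # IPv4 header length from the IHL nibble
    proto = PROTO_NAMES.get(ip[9], "other")
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    l4 = ip[ihl:]
    sport = dport = None
    if proto in ("tcp", "udp") and len(l4) >= 4:            # ports sit at the same offsets in both
        sport, dport = struct.unpack("!HH", l4[:4])
    return Packet(ts_sec, ts_usec, proto, src, dst, sport, dport, orig_len)


def parse_pcap(data: bytes) -> List[Packet]:
    """Parse a classic pcap file of either byte order; pcapng and nanosecond pcap are rejected."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC:
        endian = "<"
    elif struct.unpack(">I", data[:4])[0] == PCAP_MAGIC:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    _major, _minor, _tz, _sig, _snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only LINKTYPE_ETHERNET (1) captures are decoded here")
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated packet record at offset %d" % off)
        off += incl_len
        packets.append(decode_frame(frame, ts_sec, ts_usec, orig_len))
    return packets


def summarize(p: Packet) -> str:
    """One-line summary in the spirit of `tcpdump -n -t -r file`."""
    if p.sport is None:
        return "IP %s > %s: %s, length %d" % (p.src, p.dst, p.proto, p.length)
    return "IP %s.%d > %s.%d: %s, length %d" % (p.src, p.sport, p.dst, p.dport, p.proto, p.length)


def filter_packets(packets, proto=None, host=None, port=None) -> List[Packet]:
    """AND of the given terms, like `tcpdump tcp and host H and port P` (host/port match either direction)."""
    return [p for p in packets
            if (proto is None or p.proto == proto)
            and (host is None or host in (p.src, p.dst))
            and (port is None or port in (p.sport, p.dport))]


# --- constructed sample capture (synthetic, not a real trace): two TCP/80 packets, one UDP/123 ---
def _ipv4(src, dst, proto, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + payload

def _tcp(sport, dport, payload):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload

def _udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def _ether(payload):
    return bytes.fromhex("001122334455" "66778899aabb" "0800") + payload

def build_sample_pcap() -> bytes:
    frames = [
        _ether(_ipv4("192.168.1.113", "192.168.1.112", 6, _tcp(40000, 80, b"GET / HTTP/1.1\r\n"))),
        _ether(_ipv4("192.168.1.112", "192.168.1.113", 6, _tcp(80, 40000, b"HTTP/1.1 200 OK\r\n"))),
        _ether(_ipv4("192.168.1.113", "10.0.0.5", 17, _udp(50000, 123, b"\x23" + b"\x00" * 47))),
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    pkts = parse_pcap(build_sample_pcap())
    for p in filter_packets(pkts, proto="tcp", host="192.168.1.112", port=80):
        print(summarize(p))
```

To inspect a real file, call parse_pcap(open("target.cap", "rb").read()). Wireshark saves in pcapng by default, which this reader deliberately rejects; tcpdump -w writes the classic format the reader expects.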