Mastering TCPDump: Essential Commands and Real‑World Examples for Network Analysis
This guide explains what TCPDump is, why it matters for Linux network monitoring, how it works under the hood, its key features and security considerations, how to install it, a full breakdown of its command‑line options, and dozens of practical examples for capturing and filtering packets, including integration with Wireshark.
Overview
tcpdump is a command‑line packet capture utility for UNIX‑like systems, built on libpcap. It copies packets from a specified interface, prints a concise one‑line summary of each to stdout, and can write the raw packets to a file for later analysis. Because it opens a raw packet socket in the kernel, it must run as root or with the CAP_NET_RAW capability (on Linux this is commonly granted to the binary with setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump).
Capture principle
On Linux, libpcap opens an AF_PACKET socket on the chosen interface. For every frame the NIC hands to the kernel, and every frame the host transmits, the network stack passes a copy to each registered packet tap before normal protocol processing continues, so capturing does not alter or delay the traffic itself. The BPF filter expression is compiled and attached to that socket, and the kernel discards non‑matching frames before they are copied to user space; this is why a tight filter keeps capture overhead low and reduces the "packets dropped by kernel" count tcpdump reports at exit.
Key options
-i <interface> – select the network interface (e.g., ens33); -D lists the interfaces tcpdump can capture on.
-c <count> – stop after capturing the given number of packets.
-w <file> – write captured packets to a file in libpcap format.
-r <file> – read packets from a previously saved file.
-s <size> – set the snapshot length (bytes captured per packet); 0 captures the full packet. Current tcpdump defaults to 262144, so -s 0 is mainly needed on older versions whose default was 68 or 96 bytes.
-p – do not put the interface into promiscuous mode.
-t – omit timestamps in the output.
-x – display packet data in hexadecimal; -X shows hexadecimal and ASCII side by side.
-n – do not resolve hostnames; -nn also leaves port numbers unresolved.
-v, -vv – increase verbosity.
Installation
Most Linux distributions ship tcpdump by default. If it is missing, install it with the system package manager:
yum install -y tcpdump        # RHEL/CentOS
apt-get install -y tcpdump    # Debian/Ubuntu
Verify the installation:
tcpdump --version
This prints the tcpdump and libpcap versions; tcpdump --help prints the option summary.
Command syntax
The generic form is: tcpdump [options] [expression]. Options come first; everything after them is the filter expression. Expressions use the BPF (Berkeley Packet Filter) syntax from the pcap-filter manual page: primitives such as host, net, port, src, dst, tcp and udp, combined with and, or and not, with parentheses for grouping. Because the shell treats parentheses and ! specially, quote any non‑trivial expression as a single argument, e.g. tcpdump -i ens33 'tcp and (port 80 or port 443)'.
Common usage examples
Show available interfaces: tcpdump -D (interfaces tcpdump can open), or ifconfig / ip link show.
Capture on a specific NIC: tcpdump -i ens33.
Capture traffic for a single host: tcpdump host 192.168.1.5.
Capture traffic between one host and either of two others: tcpdump 'host 192.168.1.5 and (192.168.1.10 or 192.168.1.13)'. The quotes keep the shell from interpreting the parentheses; inside the parentheses the host qualifier carries over from the preceding primitive.
Exclude a host: tcpdump not host 192.168.1.5.
Capture five packets originating from the 192.168.1.0/24 network that are not destined for SSH (port 22), saving them to a file:
tcpdump -i ens33 -s 0 -c 5 -w ./targetfile.cap 'src net 192.168.1.0/24 and not dst port 22'
Options precede the quoted BPF expression. Negation is written not dst port 22 (or ! dst port 22 inside quotes), and the network must have its host bits cleared: libpcap rejects 192.168.1.10/24 with the error "non-network bits set".
Capture only TCP packets on port 80: tcpdump tcp port 80.
Capture UDP packets on a custom port: tcpdump udp port 9999.
Capture traffic to or from a domain name (e.g., baidu.com):
tcpdump host baidu.com
The name is resolved once, when the filter is compiled, and the expression matches the resulting addresses (all of them, if the name has several). Traffic to an address the name later resolves to is not captured, and the lookup itself generates a DNS query from the capture host.
Saving to a file and analyzing with Wireshark
Use the -w option to write raw packets to a capture file (.cap or .pcap; both are the same libpcap format), then open the file in Wireshark for full protocol decoding:
tcpdump -i ens33 -s 0 -c 5 -w ./targetfile.cap 'src net 192.168.1.0/24 and not dst port 22'
Key flags used: -i ens33 – capture on interface ens33. -s 0 – capture the entire packet (current tcpdump already does this by default). -c 5 – stop after five packets. -w ./targetfile.cap – write to a capture file. The expression src net 192.168.1.0/24 and not dst port 22 keeps frames whose source is in that network and excludes those addressed to SSH. Nothing is printed while writing; add -v to get a once‑per‑second count of captured packets on stderr. To review the file without Wireshark, read it back with tcpdump -nn -r ./targetfile.cap, optionally followed by a further BPF expression to narrow it. Two practical caveats: on distributions where tcpdump drops root privileges after opening the interface (RHEL and Fedora run it as the tcpdump user by default, which is what the -Z option controls), the output directory must be writable by that user, otherwise -w fails with "Permission denied"; and a capture file contains whatever was on the wire, including cleartext credentials and session tokens, so store it with restrictive permissions and treat it as sensitive evidence.
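The file that -w produces is a plain libpcap stream: a 24‑byte global header followed by a 16‑byte record header and the raw frame for each packet. The following is an added example written for this article (it is not code from the original author, tcpdump or libpcap) that parses that format, prints tcpdump‑style one‑line summaries, and applies a Python equivalent of the filter expression used above, so the reader can see exactly which of the packets in the command's scenario survive it. The capture it reads is constructed in memory with the included builder; the addresses, ports and timestamps are made up.

```python
"""Reader for the libpcap format written by `tcpdump -w`, with tcpdump-style summaries.
Added example for this article, not code from the original author or from tcpdump/libpcap.
The capture parsed at the bottom is constructed in memory, not recorded from a network."""
import ipaddress
import struct

PCAP_MAGIC_USEC = 0xA1B2C3D4   # microsecond timestamps (tcpdump's default)
PCAP_MAGIC_NSEC = 0xA1B23C4D   # nanosecond timestamps (tcpdump --time-stamp-precision=nano)
LINKTYPE_ETHERNET = 1
# TCP flag letters in the order tcpdump prints them (bit order of the flags byte).
TCP_FLAG_NAMES = [(0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"), (0x10, ".")]

def iter_records(data):
    """Yield (timestamp, frame_bytes, original_length) for each record in a libpcap file image."""
    if len(data) < 24:
        raise ValueError("truncated global header")
    for endian in ("<", ">"):                      # magic is stored in the writer's byte order
        magic = struct.unpack_from(endian + "I", data, 0)[0]
        if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            break
    else:
        raise ValueError("not a libpcap file (bad magic)")
    ts_div = 1e6 if magic == PCAP_MAGIC_USEC else 1e9
    _major, _minor, _tz, _sigfigs, snaplen, linktype = struct.unpack_from(endian + "HHiIII", data, 4)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported link type %d" % linktype)
    off = 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header")   # e.g. tcpdump killed mid-write
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        if incl_len > snaplen or off + incl_len > len(data):
            raise ValueError("truncated record body")
        yield ts_sec + ts_frac / ts_div, data[off:off + incl_len], orig_len
        off += incl_len

def decode(frame):
    """Describe an Ethernet/IPv4/{TCP,UDP} frame as a dict; None for non-IPv4 frames."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                       # IPv4 header length in bytes
    rec = {"src": ipaddress.IPv4Address(ip[12:16]), "dst": ipaddress.IPv4Address(ip[16:20]),
           "proto": ip[9]}
    l4 = ip[ihl:]
    if rec["proto"] in (6, 17) and len(l4) >= 8:   # TCP or UDP: ports are the first 4 bytes
        rec["sport"], rec["dport"] = struct.unpack_from("!HH", l4, 0)
    if rec["proto"] == 6 and len(l4) >= 14:        # TCP flags byte is at offset 13
        rec["flags"] = "".join(name for bit, name in TCP_FLAG_NAMES if l4[13] & bit)
    return rec

def summarize(rec):
    """Render a decoded record roughly the way `tcpdump -nn` prints it."""
    if "sport" not in rec:
        return "IP %s > %s: proto %d" % (rec["src"], rec["dst"], rec["proto"])
    line = "IP %s.%d > %s.%d: %s" % (rec["src"], rec["sport"], rec["dst"], rec["dport"],
                                     "TCP" if rec["proto"] == 6 else "UDP")
    return line + (" [%s]" % rec["flags"] if rec.get("flags") else "")

def matches_filter(rec, src_net="192.168.1.0/24", excluded_dst_port=22):
    """Python equivalent of the BPF expression 'src net 192.168.1.0/24 and not dst port 22'."""
    return rec["src"] in ipaddress.ip_network(src_net) and rec.get("dport") != excluded_dst_port

def build_frame(src, dst, proto, sport, dport, tcp_flags=0):
    """Constructed Ethernet/IPv4 frame with a minimal TCP or UDP header (sample input only)."""
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, tcp_flags, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0x4000, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return bytes.fromhex("005056000001" "005056000002" "0800") + ip + l4   # dst MAC, src MAC, IPv4

def build_pcap(frames, nanosecond=False, snaplen=262144):
    """Serialize frames in libpcap format (little-endian, as tcpdump writes on x86)."""
    magic = PCAP_MAGIC_NSEC if nanosecond else PCAP_MAGIC_USEC
    out = struct.pack("<IHHiIII", magic, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out

# Constructed sample capture (made-up addresses): two frames pass the filter, two do not.
SAMPLE_FRAMES = [
    build_frame("192.168.1.10", "192.168.1.5", 6, 40000, 22, 0x02),    # SSH SYN: dst port 22, dropped
    build_frame("192.168.1.10", "203.0.113.80", 6, 40001, 80, 0x18),   # HTTP PSH/ACK: kept
    build_frame("192.168.1.5", "192.168.1.10", 17, 53, 41000),         # DNS reply: kept
    build_frame("10.0.0.7", "192.168.1.10", 6, 5555, 443, 0x12),       # source outside the net: dropped
]
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES)

def filtered_summaries(pcap_bytes):
    """Summaries of the records that match the filter, in file order."""
    out = []
    for _ts, frame, _orig_len in iter_records(pcap_bytes):
        rec = decode(frame)
        if rec is not None and matches_filter(rec):
            out.append(summarize(rec))
    return out

if __name__ == "__main__":
    for line in filtered_summaries(SAMPLE_PCAP):
        print(line)
```

Point the script at a real file with iter_records(open("targetfile.cap", "rb").read()) to confirm that a capture written with -w is intact: a record body shorter than its header claims means the writer was interrupted, which is the usual reason Wireshark reports a truncated file. Note that the reader refuses files whose link type is not Ethernet; captures taken on the any pseudo‑interface use a different link type and need a different link‑layer decoder.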
Security considerations
Capturing frames that are not addressed to the host requires the NIC to be in promiscuous mode, in which it accepts every frame on the segment rather than only those sent to its own MAC address (plus broadcast and multicast). tcpdump enables promiscuous mode by default; -p turns this off. On a switched network this still yields only the host's own traffic and broadcasts unless the switch mirrors a port to the capture host. Promiscuous mode does not bypass the TCP/IP stack: the stack processes traffic as usual while the capture socket receives a copy. On FreeBSD, capture relies on the bpf pseudo‑device (called bpfilter in older releases); leaving it out of the kernel prevents tcpdump and similar tools from working. On Linux the kernel logs a message such as "device ens33 entered promiscuous mode" when the mode is switched on, and the interface's flags show IFF_PROMISC, so administrators can detect sniffing they did not authorize. Two further points matter in practice. Prefer -n (or -nn) during investigations so tcpdump does not issue a DNS lookup for every address it prints; the lookups slow output and tell the DNS server which hosts are being examined. And because tcpdump parses untrusted packet data, run it with the least privilege available: let it drop to an unprivileged user after opening the interface (the -Z option), and decode captures from untrusted sources with -r as a normal user rather than as root.
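The kernel notice mentioned above is only useful if something reads it. The following is an added example for this article (not code from the original author) that replays kernel log lines, tracks which interfaces are currently in promiscuous mode, and interprets the flags value exposed under /sys/class/net/<interface>/flags. The log lines are constructed; the assumption made in the code is that the message text is either the long‑standing "device X entered/left promiscuous mode" form or the newer "X: entered/left promiscuous mode" form, since the wording differs between kernel versions.

```python
"""Detect interfaces in promiscuous mode from kernel log lines and from sysfs flags.
Added example for this article, not code from the original author. SAMPLE_LOG is constructed."""
import re

IFF_PROMISC = 0x100   # bit value from include/uapi/linux/if.h

# Assumption: the kernel message is either "device ens33 entered promiscuous mode" (older
# kernels) or "ens33: entered promiscuous mode" (newer kernels); both forms are matched.
PROMISC_RE = re.compile(
    r"(?:device (?P<dev1>\S+)|(?P<dev2>[\w.-]+):) (?P<state>entered|left) promiscuous mode")

SAMPLE_LOG = """\
Mar 03 10:14:02 host kernel: device ens33 entered promiscuous mode
Mar 03 10:14:30 host kernel: device ens33 left promiscuous mode
Mar 03 11:02:11 host kernel: ens33: entered promiscuous mode
Mar 03 11:02:11 host kernel: br0: port 1(veth0) entered forwarding state
Mar 03 11:05:40 host kernel: docker0: entered promiscuous mode
Mar 03 11:06:00 host kernel: docker0: left promiscuous mode
"""

def promiscuous_interfaces(log_text):
    """Replay the log in order; return {iface: timestamp} for interfaces still promiscuous at the end."""
    active = {}
    for line in log_text.splitlines():
        m = PROMISC_RE.search(line)
        if not m:
            continue                                   # unrelated bridge/link messages
        dev = m.group("dev1") or m.group("dev2")
        stamp = line[:15]                              # syslog-style "Mon DD HH:MM:SS" prefix (assumed format)
        if m.group("state") == "entered":
            active[dev] = stamp
        else:
            active.pop(dev, None)
    return active

def is_promiscuous(flags_text):
    """Interpret the hex contents of /sys/class/net/<iface>/flags, e.g. '0x1103'."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)

def check_sysfs(iface):
    """Live check on a Linux host; returns True if IFF_PROMISC is currently set."""
    with open("/sys/class/net/%s/flags" % iface) as f:
        return is_promiscuous(f.read())

if __name__ == "__main__":
    # On a real host replace SAMPLE_LOG with the output of: journalctl -k | grep 'promiscuous mode'
    for iface, since in promiscuous_interfaces(SAMPLE_LOG).items():
        print("%s has been in promiscuous mode since %s" % (iface, since))
```

Two caveats for turning this into a detection rule. The kernel logs a transition only when the interface's promiscuity count moves between zero and one, so a second tcpdump started while the first is running produces no new "entered" line; the sysfs flag, or ip -d link show (which prints the promiscuity counter), is the authoritative current state. And bridges, Docker, some virtualization stacks and IDS sensors put interfaces into promiscuous mode legitimately, as the docker0 lines in the sample show, so baseline the expected interfaces and alert on the rest.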
Conclusion
tcpdump provides a lightweight, powerful way to capture and filter network traffic on Linux. By combining on‑the‑fly filtering with the ability to save raw packets for deeper analysis in Wireshark, administrators and security analysts can quickly diagnose network problems, verify protocol behavior, and investigate suspicious traffic.
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)