Mastering tcpdump: Essential Commands and Real‑World Examples for Network Analysis

This guide explains how to use tcpdump (and the graphical analyzer Wireshark, formerly known as Ethereal) for capturing and analyzing network traffic, describes the key command-line options, and provides dozens of practical examples ranging from basic packet dumps to filtered captures and related networking utilities.

Liangxu Linux

tcpdump (and its graphical counterpart Wireshark) capture network traffic using the libpcap library. To capture all frames on an interface the tool must be run in promiscuous mode, which typically requires super‑user privileges.

Common tcpdump Options

-A : Print each packet in ASCII, omitting link-layer headers.
-c <num> : Stop after capturing the specified number of packets.
-C <size> : Rotate output files when they exceed <size> megabytes (1 000 000 bytes).
-d, -dd, -ddd : Show compiled BPF filter code in assembly, C, or decimal format.
-D : List all capture-capable interfaces.
-e : Include link-layer header information in the output.
-E <spi@ipaddr algo:secret> : Decrypt IPsec ESP packets.
-f : Print foreign IP addresses numerically.
-F <file> : Read filter expressions from <file>.
-i <iface> : Specify the interface to listen on.
-l : Make standard output line-buffered (useful for piping).
-L : List known data-link types for the selected interface.
-n / -N : Disable name resolution for addresses and hostnames.
-t, -tt, -ttt, -tttt : Control timestamp format (none, raw, delta, or human-readable).
-O : Disable BPF code optimization.
-P : Capture without putting the interface into promiscuous mode.
-q : Produce concise output with minimal protocol details.
-r <file> : Read packets from a previously saved capture file.
-S : Print TCP sequence numbers as absolute values.
-s <snaplen> : Capture only the first <snaplen> bytes of each packet.
-T <type> : Force interpretation of packets as a specific protocol (e.g., rpc, snmp).
-u, -v, -vv, -vvv : Increase verbosity level.
-w <file> : Write captured packets to <file> instead of printing.
-x, -xx, -X, -XX : Display packet contents in hexadecimal (with or without link-layer headers) and optionally ASCII.
-y <type> : Set the data-link type for capture.
-Z <user> : Drop root privileges after opening the capture device.

Practical tcpdump Examples

Capture all traffic and display it in hex:

tcpdump -x

Capture all traffic and save to result.cap:

tcpdump -w result.cap

Capture on interface eth0 and save:

tcpdump -i eth0 -w result.cap

Capture packets whose source IP is 192.168.1.100 (options go before the filter expression):

tcpdump -w result.cap src host 192.168.1.100

Capture packets where either source or destination is 192.168.1.100:

tcpdump -w result.cap host 192.168.1.100

Capture packets destined for 192.168.1.100:

tcpdump -w result.cap dst host 192.168.1.100

Verbose capture on eth0 for a specific host:

tcpdump -i eth0 -vnn host 192.168.1.100

Capture an entire /24 subnet on eth0:

tcpdump -i eth0 -vnn net 192.168.1.0/24

Capture SSH traffic (port 22) on eth0:

tcpdump -i eth0 -vnn port 22

Capture only UDP packets on eth0:

tcpdump -i eth0 -vnn udp

Capture packets from source IP 192.168.1.100:

tcpdump -i eth0 -vnn src host 192.168.1.100

Capture packets to destination IP 192.168.1.100:

tcpdump -i eth0 -vnn dst host 192.168.1.100

Capture packets from source port 22:

tcpdump -i eth0 -vnn src port 22

Capture packets from 192.168.1.100 to destination port 22:

tcpdump -i eth0 -vnn src host 192.168.1.100 and dst port 22

Capture packets from 192.168.1.100 or any packet on port 22:

tcpdump -i eth0 -vnn src host 192.168.1.100 or port 22

Capture packets from 192.168.1.100 but exclude port 22:

tcpdump -i eth0 -vnn src host 192.168.1.100 and not port 22

Complex filter combining two host/port pairs (the parentheses must be quoted so the shell passes them to tcpdump):

tcpdump -i eth0 -vnn '(src host 192.168.1.100 and dst port 22) or (src host 192.168.1.102 and dst port 80)'

Capture 100 packets then stop, saving to /tmp/result:

tcpdump -i eth0 -vnn -w /tmp/result -c 100

Read a capture file and display only the TCP packets:

tcpdump -r /tmp/result -vnn tcp

Capture all traffic to or from host 192.168.1.100:

tcpdump host 192.168.1.100

Capture traffic from 192.168.1.100 except to 192.168.1.101:

tcpdump ip host 192.168.1.100 and not 192.168.1.101

Capture Telnet (port 23) traffic for a host:

tcpdump tcp port 23 and host 192.168.1.100

Show HTTP request headers (first 1024 bytes) for a specific host:

tcpdump -s 1024 -l -A -n host 192.168.9.56

Capture HTTP traffic on port 80 (requires sudo for raw socket access):

sudo tcpdump -i eth0 -s 1492 dst port 80
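To show what the filters above actually select, here is an added example (not from the original article) that reads the libpcap file format `tcpdump -w` writes and applies the same host/port selections as the article's filter expressions. The packet builder, the three constructed sample packets and the helper names are assumptions for illustration; no real capture or tcpdump binary is needed.

```python
import struct
from ipaddress import IPv4Address

def ipv4_packet(src, dst, proto, sport, dport):
    """Constructed Ethernet + IPv4 + TCP(6)/UDP(17) frame; checksums left at zero."""
    if proto == 6:   # 20-byte TCP header, SYN flag set
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    else:            # 8-byte UDP header
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return b"\x00" * 12 + b"\x08\x00" + ip + l4        # zero MACs, EtherType IPv4

def pcap_bytes(packets):
    """Wrap frames in the classic libpcap format (the layout tcpdump -w produces)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # LINKTYPE_ETHERNET
    for i, p in enumerate(packets):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(p), len(p)) + p
    return out

def parse_pcap(data):
    """Yield (src, dst, proto, sport, dport) for each IPv4 TCP/UDP frame in a pcap."""
    endian = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"   # magic byte order
    off = 24                                                    # skip global header
    while off + 16 <= len(data):
        caplen = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        frame, off = data[off + 16:off + 16 + caplen], off + 16 + caplen
        if frame[12:14] != b"\x08\x00":
            continue                                   # not IPv4, skip
        ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
        l4 = frame[14 + ihl:]
        if proto in (6, 17) and len(l4) >= 4:
            sport, dport = struct.unpack("!HH", l4[:4])
            yield (str(IPv4Address(frame[26:30])), str(IPv4Address(frame[30:34])),
                   proto, sport, dport)

def filter_pcap(data, want):
    """tcpdump-style summary lines for the packets that satisfy want(pkt)."""
    return [f"IP {s}.{sp} > {d}.{dp}: {'tcp' if pr == 6 else 'udp'}"
            for s, d, pr, sp, dp in parse_pcap(data) if want((s, d, pr, sp, dp))]

SAMPLE = pcap_bytes([  # constructed capture: SSH and DNS from .100, HTTP from .102
    ipv4_packet("192.168.1.100", "192.168.1.1", 6, 45000, 22),
    ipv4_packet("192.168.1.102", "10.0.0.5", 6, 45001, 80),
    ipv4_packet("192.168.1.100", "192.168.1.1", 17, 5353, 53),
])
# Same selections as 'src host 192.168.1.100 and not port 22' and
# '(src host 192.168.1.100 and dst port 22) or (src host 192.168.1.102 and dst port 80)'
NOT_SSH = lambda p: p[0] == "192.168.1.100" and 22 not in (p[3], p[4])
TWO_PAIRS = lambda p: (p[0], p[4]) in {("192.168.1.100", 22), ("192.168.1.102", 80)}
```

Running `filter_pcap(SAMPLE, TWO_PAIRS)` returns the two matching summary lines, which is the same output shape `tcpdump -r file -n` prints for that expression.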

Additional Network Utilities

nmap – network discovery and port scanning:

nmap -sP 192.168.0.0/24   # ping sweep of a /24 network
nmap -O www.example.com   # OS detection

netstat – display open sockets and listening services:

netstat -a
netstat -nlp

nc (netcat) – probe open ports:

nc -z -v -n 172.31.100.7 21-25   # scan ports 21‑25
nc -v 172.31.100.7 21          # connect to port 21

route – show the kernel routing table:

route

uptime – display system uptime and load average:

uptime

iftop – real-time bandwidth monitor for an interface:

iftop -i eth1          # monitor eth1
iftop -B               # display bytes instead of bits
iftop -n               # no DNS resolution
iftop -N               # show port numbers only
iftop -F 192.168.1.0/24

nload – visual traffic monitor per interface:

nload -n eth0   # monitor eth0
nload -h        # list all interfaces

iptraf – detailed traffic analysis with filtering capabilities:

iptraf

ifconfig – configure network interfaces (up/down, assign IPs):

ifconfig eth0 up
ifconfig eth0 192.168.1.10
ifconfig eth0:1 192.168.1.11

ethtool – query and control Ethernet driver settings:

ethtool -i eth0   # driver info
ethtool -S eth0   # statistics
ethtool -s eth0 speed 1000   # set link speed (requires root)

iwconfig – view and modify Wi‑Fi interface parameters:

iwconfig               # current wireless settings
iwconfig wlan0 essid MyNetwork

curl – retrieve HTTP headers or content:

curl -sI http://example.com | grep "Server:"   # -I fetches only the response headers

Note: tcpdump and related tools can only capture frames that reach the local network adapter; traffic that never arrives at the host is invisible to these utilities.

Written by

Liangxu Linux

Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)

0 followers
Reader feedback

How this landed with the community

Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.