
Mastering tcpdump: Essential Commands for Network Packet Capture and Analysis

This guide explains how to use tcpdump for capturing and filtering network packets on Linux, covering basic usage, interface selection, host and port filters, protocol-specific captures, combined expressions, limiting capture size, saving to files, and a practical troubleshooting scenario with nginx and Node.js.


Introduction

tcpdump is a powerful network packet capture and analysis tool that supports filtering by network layer, protocol, host, network, or port, and provides logical operators such as and, or, not to refine output.

Basic Usage

Running tcpdump without parameters captures packets on the first network interface, which may not be the desired one on multi‑interface hosts.

tcpdump

Specify Interface

tcpdump -i en0

Capture Traffic for a Specific Host

To monitor traffic between the local machine and a remote host (e.g., 182.254.38.55), use:

tcpdump host 182.254.38.55

Both inbound and outbound packets are captured.

Source or Destination Filters

tcpdump src host hostname
tcpdump dst host hostname

Omitting src or dst captures packets where either the source or destination matches the hostname.

tcpdump host hostname

Port Filtering

tcpdump port 3000

Protocol Filtering (TCP/UDP)

To capture only TCP packets:

tcpdump tcp

Combined Filters Example

tcpdump tcp port 22 and src host 123.207.116.169

Capture Between Two Specific Hosts

tcpdump ip host 210.27.48.1 and 210.27.48.2
tcpdump ip host 210.27.48.1 and ! 210.27.48.2

More Detailed Example

tcpdump tcp -i eth1 -t -s 0 -c 100 and dst port ! 22 and src net 192.168.1.0/24 -w ./target.cap

(1) tcp: protocol filter;
(2) -i eth1: capture on interface eth1;
(3) -t: omit timestamps;
(4) -s 0: capture the full packet length;
(5) -c 100: stop after 100 packets;
(6) dst port ! 22: exclude destination port 22;
(7) src net 192.168.1.0/24: match only this source network;
(8) -w ./target.cap: write the packets to a capture file for later analysis with Wireshark.

Limiting Capture Count

tcpdump -c 1000

Saving to Disk

By default, tcpdump buffers output and writes to disk only when the buffer is full or the program exits. The following captures 1000 packets and writes them to a file (-n disables name resolution, -vvv selects the most verbose output):

tcpdump -n -vvv -c 1000 -w /tmp/tcpdump_save.cap

Adding -U makes the file output packet-buffered, so each packet is written as soon as it is captured instead of when the buffer fills, though this may impact performance.

Practical Troubleshooting Scenario

Consider a server running a Node.js application on port 3000 behind an Nginx reverse proxy listening on port 80. If a client (e.g., 183.14.132.117) reports no response, follow these steps:

Verify that the request reaches the Node.js server (check its logs).

Check whether Nginx forwards the request. Capture traffic on port 8383:

tcpdump port 8383

If no output appears, Nginx may be forwarding to 127.0.0.1 on a non-default interface. Capture on the loopback interface:

tcpdump port 8383 -i lo

To filter by the client's IP:

tcpdump port 8383 -i lo and src host 183.14.132.117

Finally, confirm the request reaches the server:

tcpdump -n tcp port 8383 -i lo and src host 183.14.132.117
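The checks above boil down to two questions per client: did its request reach the captured interface, and did the backend answer? As an added example that is not part of the original article, this Python snippet parses the text that `tcpdump -n` prints for TCP/IPv4 and gives that verdict per client IP; the sample lines are constructed, with the scenario's service port 8383 and client address 183.14.132.117 and RFC 5737 documentation addresses for the other clients.

```python
import re
from collections import defaultdict

# One line of `tcpdump -n` text output for IPv4/TCP (-n keeps "addr.port" numeric).
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed sample capture, not a real trace; apart from the article's client
# 183.14.132.117 the addresses come from RFC 5737 documentation ranges.
SAMPLE = """\
10:15:01.000001 IP 183.14.132.117.51234 > 127.0.0.1.8383: Flags [S], seq 1000, win 65535, length 0
10:15:01.000120 IP 127.0.0.1.8383 > 183.14.132.117.51234: Flags [S.], seq 2000, ack 1001, win 65535, length 0
10:15:01.000300 IP 183.14.132.117.51234 > 127.0.0.1.8383: Flags [.], ack 1, win 512, length 0
10:15:02.000001 IP 203.0.113.9.40000 > 127.0.0.1.8383: Flags [S], seq 3000, win 65535, length 0
10:15:02.000050 IP 127.0.0.1.8383 > 203.0.113.9.40000: Flags [R.], seq 0, ack 3001, win 0, length 0
10:15:03.000001 IP 198.51.100.7.40001 > 127.0.0.1.8383: Flags [S], seq 4000, win 65535, length 0
""".splitlines()

def parse_line(line):
    m = LINE_RE.match(line)            # None for lines that are not IPv4/TCP
    if m is None:
        return None
    pkt = m.groupdict()
    pkt["sport"], pkt["dport"] = int(pkt["sport"]), int(pkt["dport"])
    return pkt

def handshake_summary(lines, service_port):
    """Per client IP: SYNs sent to service_port, SYN-ACKs and RSTs sent back."""
    summary = defaultdict(lambda: {"syn": 0, "synack": 0, "rst": 0})
    for pkt in filter(None, map(parse_line, lines)):
        flags = pkt["flags"]   # tcpdump prints S=SYN, .=ACK, R=RST, P=PSH, F=FIN
        if pkt["dport"] == service_port and "S" in flags and "." not in flags:
            summary[pkt["src"]]["syn"] += 1        # client -> server SYN
        elif pkt["sport"] == service_port and "S" in flags and "." in flags:
            summary[pkt["dst"]]["synack"] += 1     # server -> client SYN-ACK
        elif pkt["sport"] == service_port and "R" in flags:
            summary[pkt["dst"]]["rst"] += 1        # server refused with RST
    return dict(summary)

def diagnose_client(lines, service_port, client_ip):
    c = handshake_summary(lines, service_port).get(client_ip, {"syn": 0, "synack": 0, "rst": 0})
    for key, verdict in (("synack", "handshake completed"),
                         ("rst", "server answered RST (nothing listening on the port)"),
                         ("syn", "SYN seen but no reply (backend silent or filtered)")):
        if c[key]:
            return verdict
    return "no SYN seen (traffic never reached this interface)"
```

Feed it the output of `tcpdump -n -l tcp port 8383` (the -l flag line-buffers stdout) and run diagnose_client for the complaining client's address; a client that never appears means the packets are not arriving on the interface you captured.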
Written by

Efficient Ops

This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.