Mastering tcpdump: Essential Commands for Network Packet Capture and Analysis
This guide explains how to use tcpdump for capturing and filtering network packets on Linux, covering basic usage, interface selection, host and port filters, protocol-specific captures, combined expressions, limiting capture size, saving to files, and a practical troubleshooting scenario with nginx and Node.js.
Introduction
tcpdump is a powerful network packet capture and analysis tool that supports filtering by network layer, protocol, host, network, or port, and provides logical operators such as and, or, not to refine output.
Basic Usage
Running tcpdump without parameters captures packets on the first configured, non-loopback interface it finds, which may not be the one you want on a multi-interface host; tcpdump -D lists the interfaces it can open.
<code>tcpdump</code>
Specify Interface
Pass -i with the interface name (en0 is a macOS name; on Linux expect eth0, ens33 or similar):
<code>tcpdump -i en0</code>
Capture Traffic for a Specific Host
To monitor traffic between the local machine and a remote host (e.g., 182.254.38.55), use:
<code>tcpdump host 182.254.38.55</code>
Both inbound and outbound packets for that address are captured.
Source or Destination Filters
<code>tcpdump src host hostname</code>
<code>tcpdump dst host hostname</code>
Omitting src or dst captures packets where either the source or the destination matches the host:
<code>tcpdump host hostname</code>
Port Filtering
port matches the number as either source or destination port; prefix it with src or dst (e.g. dst port 3000) to narrow it to one direction.
<code>tcpdump port 3000</code>
Protocol Filtering (TCP/UDP)
To capture only TCP packets (udp, icmp and arp work the same way):
<code>tcpdump tcp</code>
Combined Filters Example
Primitives are joined with and, or and not (or &&, ||, !); parentheses group sub-expressions but must be quoted so the shell does not interpret them.
<code>tcpdump tcp port 22 and src host 123.207.116.169</code>
Capture Between Two Specific Hosts
The first command captures traffic in both directions between the two hosts; the second captures everything involving 210.27.48.1 except traffic with 210.27.48.2. In an interactive bash shell quote an expression containing !, because bash otherwise treats it as history expansion.
<code>tcpdump ip host 210.27.48.1 and 210.27.48.2</code>
<code>tcpdump ip host 210.27.48.1 and ! 210.27.48.2</code>
More Detailed Example
Options go before the filter expression, and the expression is quoted as a single argument:
<code>tcpdump -i eth1 -t -s 0 -c 100 -w ./target.cap 'tcp and dst port ! 22 and src net 192.168.1.0/24'</code>
(1) -i eth1: capture on interface eth1; (2) -t: omit timestamps from printed output (the capture file still records them); (3) -s 0: capture each packet in full rather than the first N bytes, so payloads are not truncated; (4) -c 100: stop after 100 packets; (5) -w ./target.cap: write raw packets to a capture file for later analysis with Wireshark or tcpdump -r; (6) tcp: protocol filter; (7) dst port ! 22: exclude packets whose destination port is 22; (8) src net 192.168.1.0/24: source address in that network.
Limiting Capture Count
<code>tcpdump -c 1000</code>
Saving to Disk
-w writes raw packets to a pcap file instead of printing them; -n stops tcpdump from resolving addresses and ports to names. With -w, -v only makes tcpdump report the number of packets captured on stderr. tcpdump buffers the file output and flushes it to disk only when the buffer fills or the program exits, so a file being written may look empty or incomplete while the capture is still running:
<code>tcpdump -n -vvv -c 1000 -w /tmp/tcpdump_save.cap</code>
To write each packet to the file as soon as it is captured, add -U (--packet-buffered). It costs some performance under heavy traffic, but the file is usable immediately, which matters when another tool reads it during the capture or the host may die before tcpdump exits:
<code>tcpdump -n -U -c 1000 -w /tmp/tcpdump_save.cap</code>
Practical Troubleshooting Scenario
Consider a server running a Node.js application on port 3000 behind an Nginx reverse proxy listening on port 80. A client (e.g., 183.14.132.117) reports that requests get no response. Work from the outside in.
First, check whether the client's requests reach the server at all. Capture on the public interface (eth0 here) and filter on the client's address and the Nginx port; -n keeps addresses numeric:
<code>tcpdump -n -i eth0 host 183.14.132.117 and tcp port 80</code>
If nothing appears, the problem lies before the server (DNS, a firewall, routing), not in Nginx or Node.js.
Next, check whether Nginx forwards the request to Node.js. Capturing without -i shows nothing, because tcpdump's default interface excludes loopback and Nginx talks to 127.0.0.1:3000:
<code>tcpdump port 3000</code>
Capture on the loopback interface instead:
<code>tcpdump -n -i lo tcp port 3000</code>
Do not filter the loopback capture on the client's address. The proxied connection is opened by Nginx from 127.0.0.1, so src host 183.14.132.117 never matches on lo and the capture stays empty even when forwarding works. To tie a loopback request back to the client, print the payload (-A, with -l so the output is line-buffered for the pipe) and look at the X-Forwarded-For header, which Nginx adds only if proxy_set_header is configured for it:
<code>tcpdump -n -l -A -i lo tcp port 3000 | grep -i 'X-Forwarded-For: 183.14.132.117'</code>
If requests arrive on port 80 but never appear on port 3000, the fault is in Nginx (its upstream configuration, or it is proxying to a different address); if they appear on port 3000 with no reply, check the Node.js logs.
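The filter primitives above (host, src/dst host, port, tcp, src net, and/not) and the loopback problem in the troubleshooting scenario can both be checked offline against a file written with -w. The following Python is an added example, not code from this page or from the Efficient Ops account: it reads the libpcap format that tcpdump -w produces, applies the page's filters as Python predicates, and extracts X-Forwarded-For from a loopback capture. Every packet, address (183.14.132.117, 203.0.113.10, 192.168.1.23) and the eth0/lo layout is constructed in memory for the example; the only tcpdump fact it relies on is that -s 0 means a snaplen of 262144.

```python
import struct
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Optional

ETH_IPV4, IP_TCP, IP_UDP = 0x0800, 6, 17


@dataclass
class Packet:
    caplen: int           # bytes saved in the file (capped by the -s snaplen)
    wirelen: int          # bytes that were on the wire
    proto: str            # "tcp", "udp" or "other"
    src: str
    dst: str
    sport: Optional[int]
    dport: Optional[int]
    payload: bytes        # L4 payload, as far as caplen allows


def read_pcap(data: bytes) -> list[Packet]:
    """24-byte global header, then per packet a 16-byte record header and the frame."""
    magic = struct.unpack_from("<I", data, 0)[0]
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}[magic]   # microsecond pcap, either byte order
    if struct.unpack_from(end + "I", data, 20)[0] != 1:
        raise ValueError("example handles LINKTYPE_ETHERNET (1) only")
    pkts, off = [], 24
    while off + 16 <= len(data):
        _, _, caplen, wirelen = struct.unpack_from(end + "IIII", data, off)
        pkts.append(decode_frame(data[off + 16:off + 16 + caplen], caplen, wirelen))
        off += 16 + caplen
    return pkts


def decode_frame(frame: bytes, caplen: int, wirelen: int) -> Packet:
    """Ethernet -> IPv4 -> TCP/UDP; anything else keeps only the sizes."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETH_IPV4:
        return Packet(caplen, wirelen, "other", "", "", None, None, b"")
    ip = frame[14:]
    src, dst = str(ip_address(ip[12:16])), str(ip_address(ip[16:20]))
    proto = {IP_TCP: "tcp", IP_UDP: "udp"}.get(ip[9], "other")
    l4 = ip[(ip[0] & 0x0F) * 4:]                      # skip IP header incl. options
    if proto == "other" or len(l4) < 4:
        return Packet(caplen, wirelen, proto, src, dst, None, None, b"")
    sport, dport = struct.unpack_from("!HH", l4, 0)
    hlen = ((l4[12] >> 4) * 4 if len(l4) >= 13 else len(l4)) if proto == "tcp" else 8
    return Packet(caplen, wirelen, proto, src, dst, sport, dport, l4[hlen:])


# Filters with the same meaning as the tcpdump primitives used on this page.
Filter = Callable[[Packet], bool]
def host(h: str) -> Filter: return lambda p: h in (p.src, p.dst)
def src_host(h: str) -> Filter: return lambda p: p.src == h
def dst_host(h: str) -> Filter: return lambda p: p.dst == h
def port(n: int) -> Filter: return lambda p: n in (p.sport, p.dport)
def dst_port(n: int) -> Filter: return lambda p: p.dport == n
def tcp(p: Packet) -> bool: return p.proto == "tcp"
def not_(f: Filter) -> Filter: return lambda p: not f(p)
def and_(*fs: Filter) -> Filter: return lambda p: all(f(p) for f in fs)
def src_net(cidr: str) -> Filter:
    net = ip_network(cidr)
    return lambda p: bool(p.src) and ip_address(p.src) in net
def select(pkts: list[Packet], f: Filter) -> list[Packet]:
    return [p for p in pkts if f(p)]


def forwarded_clients(pkts: list[Packet]) -> set[str]:
    """On lo a proxied request comes from 127.0.0.1; the real client survives only in X-Forwarded-For."""
    clients = set()
    for p in pkts:
        for line in p.payload.split(b"\r\n"):
            if line.lower().startswith(b"x-forwarded-for:"):
                clients.add(line.split(b":", 1)[1].split(b",")[0].strip().decode())
    return clients


# Constructed sample captures (minimal frame writer; checksums are left 0, not validated here).
def frame(proto: int, src: str, dst: str, sport: int, dport: int, payload: bytes = b"") -> bytes:
    l4 = (struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 0, 0, 0) if proto == IP_TCP
          else struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ip_address(src).packed, ip_address(dst).packed) + l4
    return b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", ETH_IPV4) + ip

def write_pcap(frames: list[bytes], snaplen: int = 262144) -> bytes:
    """Same layout tcpdump -w produces; default snaplen is what -s 0 means, smaller truncates like -s N."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f[:snaplen]), len(f)) + f[:snaplen]
    return out

CLIENT, SERVER, LAN_HOST = "183.14.132.117", "203.0.113.10", "192.168.1.23"   # made-up addresses
HTTP_REQ = b"GET / HTTP/1.0\r\nHost: app\r\nX-Forwarded-For: " + CLIENT.encode() + b"\r\n\r\n"
ETH0_CAP = write_pcap([   # what `tcpdump -i eth0 -w eth0.cap` might record
    frame(IP_TCP, CLIENT, SERVER, 40001, 80, b"GET / HTTP/1.1\r\nHost: app\r\n\r\n"),
    frame(IP_TCP, SERVER, CLIENT, 80, 40001, b"HTTP/1.1 200 OK\r\n\r\n"),
    frame(IP_TCP, LAN_HOST, SERVER, 40002, 22),
    frame(IP_TCP, LAN_HOST, SERVER, 40003, 443),
    frame(IP_UDP, LAN_HOST, "192.168.1.1", 5353, 53, b"dns"),
])
LO_FRAMES = [frame(IP_TCP, "127.0.0.1", "127.0.0.1", 51000, 3000, HTTP_REQ)]   # nginx -> node
LO_CAP = write_pcap(LO_FRAMES)                       # like -s 0: payload intact
LO_CAP_SHORT = write_pcap(LO_FRAMES, snaplen=68)     # like -s 68: headers only, header lost
```

To run it against a real file, call read_pcap(open("target.cap", "rb").read()); the reader deliberately covers only microsecond-precision pcap with Ethernet framing (what tcpdump -w writes on eth0 and on Linux lo), not pcapng or nanosecond files. Two things worth noticing when you step through it: `select(read_pcap(LO_CAP), src_host(CLIENT))` is empty although the request is there, which is exactly why the src host filter fails on lo in the scenario, and `forwarded_clients(read_pcap(LO_CAP_SHORT))` is empty too, because a small snaplen cuts the HTTP headers off, which is why -s 0 matters when the payload is the evidence.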
Efficient Ops is a public account maintained by Xiaotianguo and friends that regularly publishes widely read original technical articles. We focus on the transformation of operations work and aim to accompany you throughout your operations career, growing together.