Mastering tcpdump: Essential Commands for Network Traffic Analysis
This guide explains how to use tcpdump for capturing and filtering network packets, covering basic and advanced command options, logical filters, saving captures, and a real‑world troubleshooting scenario involving a Node.js server behind Nginx.
Introduction
tcpdump is a command-line packet capture and analysis tool. Its filter expressions select packets by protocol, host, network, or port, and the logical operators and, or, and not (also written &&, || and !) combine or negate those primitives so that irrelevant traffic is never captured in the first place.
Basic Examples
Capture packets on the default interface:
<code>tcpdump</code>
Capture on a specific interface (e.g., en0):
<code>tcpdump -i en0</code>
Capture traffic between the local machine and a specific host (e.g., 182.254.38.55):
<code>tcpdump host 182.254.38.55</code>
Capture traffic from a specific source host:
<code>tcpdump src host hostname</code>
Capture traffic to a specific destination host:
<code>tcpdump dst host hostname</code>
Capture traffic with a host as either source or destination:
<code>tcpdump host hostname</code>
Capture traffic on a specific port (e.g., 3000), as source or destination port:
<code>tcpdump port 3000</code>
Capture only TCP packets:
<code>tcpdump tcp</code>
Capture TCP traffic on port 22 (in either direction) that comes from a specific source host:
<code>tcpdump tcp port 22 and src host 123.207.116.169</code>
Capture traffic between two specific IPs (both addresses must be in the packet; the second address inherits the <code>host</code> qualifier from the first):
<code>tcpdump ip host 210.27.48.1 and 210.27.48.2</code>
Capture traffic involving the first IP but not the second (<code>!</code> is the same as <code>not</code>):
<code>tcpdump ip host 210.27.48.1 and ! 210.27.48.2</code>
Advanced Example
<code>tcpdump -i eth1 -t -s 0 -c 100 -w ./target.cap tcp and not dst port 22 and src net 192.168.1.0/24</code>
All options come first and the filter expression last. The form often seen in tutorials, with <code>-i</code>, <code>-c</code> and <code>-w</code> mixed in between the filter words, only works where the C library's getopt reorders arguments (glibc does; BSD and macOS stop at the first non-option word). Explanation of options:
-i eth1 : capture on interface eth1
-t : omit timestamps
-s 0 : capture the full packet (a snaplen of 0 means no truncation; older tcpdump versions truncated packets at 68 or 96 bytes by default, which cut off application payloads, while recent versions default to a snaplen large enough for whole packets)
-c 100 : stop after 100 packets
-w ./target.cap : write the raw packets to a pcap file (readable later with tcpdump -r or Wireshark) instead of decoding them to the terminal
tcp and not dst port 22 : TCP packets not destined for port 22, so your own SSH session does not flood the capture (the filter grammar also accepts the spelling <code>dst port ! 22</code>)
src net 192.168.1.0/24 : only packets whose source address lies in that network
Limiting Capture Size
Stop after capturing 1000 packets:
<code>tcpdump -c 1000</code>
Saving Captures Locally
Write captured packets to a file instead of decoding them to the terminal. The file is written through a buffered stream, so the last packets may sit in the buffer until tcpdump exits:
<code>tcpdump -n -vvv -c 1000 -w /tmp/tcpdump_save.cap</code>
<code>-n</code> disables reverse DNS lookups, which would otherwise slow the capture down and send every captured address to a resolver; with <code>-w</code>, <code>-v</code> makes tcpdump report the number of packets captured every 10 seconds. Add <code>-U</code> to flush each packet to the file as soon as it arrives (packet-buffered output); this costs some performance, but a capture that is killed early then still contains everything seen up to that point.
Practical Scenario
Consider a Node.js server listening on a local back-end port (8383 in the captures below) behind an Nginx reverse proxy on port 80. If a client (e.g., 183.14.132.117) gets no response, work from the back end outwards:
Check the Node.js application logs to see whether the request arrived at all.
Check whether Nginx forwarded the request to the back-end port:
<code>tcpdump port 8383</code>
If nothing appears although requests are arriving, the proxied connection is most likely going over loopback (Nginx talking to 127.0.0.1:8383), which a capture on the default, non-loopback interface never sees, so name the loopback interface explicitly:
<code>tcpdump -i lo port 8383</code>
Keep in mind what is visible on each interface. On loopback both ends of the proxied connection are 127.0.0.1, so a filter on the client's address, such as <code>tcpdump -n -i lo tcp port 8383 and src host 183.14.132.117</code>, matches nothing: the client's address survives only inside the proxied HTTP headers (for example X-Forwarded-For, if Nginx is configured to set it), not in the IP header. Follow the client's own connection on the interface that faces it (port 80), and on loopback add <code>-A</code> to read the forwarded headers in the payload.
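The diagnosis above written out as a script, added here as an example and not part of the original article. It assumes Nginx faces the client on eth0 and proxies to 127.0.0.1:8383 over lo, that Nginx sets X-Forwarded-For, and that the two captures were saved as decoded text (tcpdump's terminal output, not -w pcap files); the sample capture lines it writes are constructed for illustration. The functions count the client's new connections (pure SYNs) on the front end and its proxied requests on the back end, and diagnose() names the hop where the request is lost.

```shell
#!/bin/sh
# Added example: correlate one client's requests across the Nginx front end
# (eth0, port 80) and the proxied back end (lo, port 8383). Interface names,
# ports and the sample lines are assumptions, not taken from a real host.
#
# The two inputs would be produced on the real host by (not run here):
#   tcpdump -n -i eth0 'tcp port 80 and host 183.14.132.117' > /tmp/front.txt
#   tcpdump -n -i lo -A 'tcp port 8383' > /tmp/back.txt
# On lo both IP addresses are 127.0.0.1, so the client is only identifiable
# through the X-Forwarded-For header that Nginx (if configured to) inserts.

# Count new TCP connections (pure SYN, "Flags [S]") from CLIENT to PORT in a
# decoded tcpdump text capture. Fields of a -n line look like:
#   10:00:01.000100 IP 183.14.132.117.51234 > 10.0.0.5.80: Flags [S], ...
syn_count_from_client() {
    awk -v c="$2" -v p="$3" '
        $2 == "IP" && $6 == "Flags" && $7 == "[S]," {
            src = $3; sub(/\.[0-9]+$/, "", src)    # drop the source port
            dport = $5; sub(/:$/, "", dport)       # "10.0.0.5.80:" -> "10.0.0.5.80"
            sub(/^.*\./, "", dport)                # keep only the port number
            if (src == c && dport == p) n++
        }
        END { print n + 0 }' "$1"
}

# Count proxied requests for CLIENT in a -A capture of the back end by
# matching the X-Forwarded-For header. Dots are escaped so the address is
# matched literally, and the trailing check stops 183.14.132.11 from
# matching 183.14.132.117.
forwarded_requests() {
    [ -r "$1" ] || { echo 0; return; }
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -cE "^X-Forwarded-For: *${esc}"'([^0-9]|$)' "$1" || true   # grep -c exits 1 on zero matches
}

# Decide from the two counts which hop lost the request.
diagnose() {
    front=$(syn_count_from_client "$1" "$3" 80)
    back=$(forwarded_requests "$2" "$3")
    if [ "$front" -eq 0 ]; then
        echo "no connections from $3 reached Nginx on port 80: look at the network path or firewall"
    elif [ "$back" -eq 0 ]; then
        echo "$front connections from $3 reached Nginx but none were proxied to port 8383: check the Nginx config and error log"
    else
        echo "$front connections from $3 reached Nginx, $back of them were proxied to port 8383: the problem is in the Node.js application"
    fi
}

# Constructed sample captures (not real traffic) so the script runs offline.
write_samples() {
    cat > "$1/front.txt" <<'EOF'
10:00:01.000100 IP 183.14.132.117.51234 > 10.0.0.5.80: Flags [S], seq 100, win 64240, length 0
10:00:01.000300 IP 10.0.0.5.80 > 183.14.132.117.51234: Flags [S.], seq 200, ack 101, win 65160, length 0
10:00:01.000500 IP 183.14.132.117.51234 > 10.0.0.5.80: Flags [.], ack 1, win 502, length 0
10:00:01.001000 IP 183.14.132.117.51234 > 10.0.0.5.80: Flags [P.], seq 1:80, ack 1, win 502, length 79: HTTP: GET /api HTTP/1.1
10:00:02.000100 IP 183.14.132.117.51240 > 10.0.0.5.80: Flags [S], seq 300, win 64240, length 0
10:00:05.000000 IP 203.0.113.9.40000 > 10.0.0.5.80: Flags [S], seq 400, win 64240, length 0
EOF
    cat > "$1/back.txt" <<'EOF'
10:00:01.002000 IP 127.0.0.1.43210 > 127.0.0.1.8383: Flags [P.], seq 1:160, ack 1, win 512, length 159
E..........@..............
GET /api HTTP/1.0
Host: example.test
X-Real-IP: 183.14.132.117
X-Forwarded-For: 183.14.132.117
Connection: close

10:00:05.002000 IP 127.0.0.1.43212 > 127.0.0.1.8383: Flags [P.], seq 1:150, ack 1, win 512, length 149
E..........@..............
GET /health HTTP/1.0
Host: example.test
X-Forwarded-For: 203.0.113.9
Connection: close
EOF
}

# Run as "sh correlate.sh demo" to see the diagnosis on the sample data.
if [ "${1:-}" = "demo" ]; then
    dir=$(mktemp -d)
    write_samples "$dir"
    diagnose "$dir/front.txt" "$dir/back.txt" 183.14.132.117
    rm -rf "$dir"
fi
```

The SYN count is taken from the front-end capture rather than from Nginx's access log because a connection that Nginx never accepts (firewall, full listen backlog) shows up in the packet capture but in no log; the back-end count is taken from the header rather than from IP addresses because, as noted above, loopback packets carry no trace of the client in their IP header.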
Efficient Ops
This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.