Mastering tcpdump: Essential Commands for Precise Network Packet Capture
This guide explains how to use tcpdump for network packet capture, covering basic and advanced filtering options, interface selection, host and port targeting, saving captures to files, and a real‑world troubleshooting scenario involving a Node.js server behind Nginx.
Introduction
tcpdump is a network packet capture and analysis tool. It can filter by network layer, protocol, host, network, or port, and provides the logical operators and, or, and not to exclude irrelevant traffic.
tcpdump – dump traffic on a network
Examples
Without parameters
Listen on the first network interface for packets. If the host has multiple interfaces, you often need to specify one.
tcpdump
Specify interface
tcpdump -i en0
Specific host
Capture traffic to or from a host (e.g., 182.254.38.55):
tcpdump host 182.254.38.55
Both inbound and outbound packets are captured.
Source host
tcpdump src host hostname
Destination host
tcpdump dst host hostname
If neither src nor dst is specified, packets whose source or destination matches hostname are captured.
tcpdump host hostname
Specific port
tcpdump port 3000
TCP only
Capture only TCP packets.
tcpdump tcp
Source host + port + TCP
Capture TCP packets from host 123.207.116.169 on port 22.
tcpdump tcp port 22 and src host 123.207.116.169
Specific hosts communication
Capture traffic between 210.27.48.1 and 210.27.48.2:
tcpdump ip host 210.27.48.1 and 210.27.48.2
To capture traffic between 210.27.48.1 and any host except 210.27.48.2:
tcpdump ip host 210.27.48.1 and ! 210.27.48.2
More detailed example
tcpdump -i eth1 -t -s 0 -c 100 -w ./target.cap tcp and dst port ! 22 and src net 192.168.1.0/24
Command-line options are given first and the filter expression last; this is the ordering tcpdump expects on every platform.
(1) tcp, ip, icmp, arp, rarp etc. are placed at the start of the filter expression to select packet types.
(2) -i eth1 : capture only on interface eth1.
(3) -t : omit timestamps.
(4) -s 0 : capture the full packet length.
(5) -c 100 : stop after 100 packets.
(6) dst port ! 22 : exclude packets whose destination port is 22.
(7) src net 192.168.1.0/24 : capture packets from this source network.
(8) -w ./target.cap : write output to a capture file for later analysis with Wireshark.
Limit capture count
Stop automatically after capturing 1000 packets.
tcpdump -c 1000
Save locally
By default tcpdump buffers output; it is written to disk when the buffer is full or when tcpdump exits.
tcpdump -n -vvv -c 1000 -w /tmp/tcpdump_save.cap
Adding -U forces an immediate write to disk for every packet (generally not recommended due to the performance impact).
Real‑world troubleshooting example
Assume a Node.js server listens on port 3000, and Nginx reverse‑proxies port 80 to 127.0.0.1:3000. A user (183.14.132.117) reports no response.
Step 1: Verify the request reaches the Node.js server (check logs).
Step 2: Verify Nginx forwards the request.
tcpdump port 8383
No output indicates the capture is on the wrong interface; Nginx forwards to 127.0.0.1, which uses the loopback interface.
tcpdump -i lo port 8383
Note: Nginx must preserve the original host header; otherwise the source host appears as 127.0.0.1 to the Node.js server, making host‑based filters ineffective.
tcpdump -i lo port 8383 and src host 183.14.132.117
Step 3: Verify the request reaches the server.
tcpdump -n -i lo tcp port 8383 and src host 183.14.132.117
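The following is an added example, not code from the original article: a small POSIX shell helper that composes correctly ordered tcpdump command lines for the two legs of the Nginx-to-Node.js scenario above. It assumes Linux tcpdump (which accepts -i any); the function names and output paths are made up for this example.

```sh
#!/bin/sh
# Added example (not part of the original article): build tcpdump command
# lines for the Nginx -> Node.js troubleshooting scenario.
# Assumptions: Linux tcpdump ("-i any" is Linux-only); function names and
# capture file paths are invented for this example.

# pick_iface ADDR: traffic proxied to a loopback address never leaves the
# host, so it is only visible on "lo"; anything else is captured on all
# interfaces.
pick_iface() {
    case "$1" in
        127.*|localhost|::1) echo lo ;;
        *)                   echo any ;;
    esac
}

# front_capture CLIENT_IP OUTFILE [MAX]: the client -> Nginx leg on port 80.
# Filtering on the client address only works on this leg: on the loopback
# leg the IP-layer source is Nginx itself (127.0.0.1), not the client.
front_capture() {
    printf 'tcpdump -n -i any -s 0 -c %s -w %s tcp port 80 and host %s\n' \
        "${3:-1000}" "$2" "$1"
}

# backend_capture BACKEND_HOST BACKEND_PORT OUTFILE [MAX]: the Nginx ->
# backend leg. Options come first and the BPF expression last: BSD-style
# getopt (e.g. macOS) stops reading options at the first non-option word,
# so "tcpdump port 3000 -i lo" only works thanks to GNU getopt permutation.
# -n avoids reverse DNS lookups, -s 0 keeps whole packets, -c bounds the
# capture, -w writes raw pcap for later analysis in Wireshark.
backend_capture() {
    printf 'tcpdump -n -i %s -s 0 -c %s -w %s tcp port %s\n' \
        "$(pick_iface "$1")" "${4:-1000}" "$3" "$2"
}

# Usage: print both commands; run them as root on the proxy host.
if [ "${1:-}" = "--demo" ]; then
    front_capture 183.14.132.117 /tmp/front.cap
    backend_capture 127.0.0.1 3000 /tmp/backend.cap
fi
```

Run the front-end capture first; if the client's SYNs appear there but nothing shows on the loopback leg, the problem is in Nginx rather than in Node.js.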