Mastering tcpdump: Essential Options, Expressions, and Real‑World Examples
This guide explains how to use tcpdump’s command‑line options and filter expressions to capture and analyze network packets, covering common flags, syntax for specifying interfaces, hosts, ports, protocols, and practical examples for various scenarios.
tcpdump is a command‑line utility for capturing network packets on an interface, offering powerful filtering through flexible expressions.
Basic Usage
Running tcpdump without options captures packets on the first non‑loopback interface until the process is terminated. Adding -i <interface> selects a specific interface, and -c <count> limits the number of captured packets.
shell> tcpdump -nn -i eth0 icmp
Key Options
-c <num>: Capture only <num> packets.
-i <interface>: Specify the listening interface (use -i any for all interfaces).
-n: Show numeric IP addresses (no DNS lookup).
-nn: Show numeric IP addresses and ports.
-N: Omit the domain part of hostnames.
-P: Capture inbound (in), outbound (out), or both (inout) traffic.
-s <len>: Set the snapshot length; the default is 65535 bytes. Smaller values reduce memory usage but may truncate packets.
-e: Include the link-layer header (e.g., MAC addresses).
-q: Minimal (quick) output.
-X / -XX: Show packet data in hex and ASCII (-XX is more detailed and also dumps the link-layer header).
-v, -vv, -vvv: Increase the verbosity of protocol decoding.
-D: List available interfaces.
-F <file>: Read the filter expression from a file.
-w <file>: Write captured packets to a file (optionally with -G <seconds> to rotate files).
-r <file>: Read packets from a saved file.
Filter Expressions
Expressions consist of one or more units that may include a protocol modifier, direction, type, and identifier. Units are combined with logical operators and, or, not (or their symbolic equivalents &&, ||, !).
Three main modifiers:
type: Specifies the identifier type, such as host, net, port, or portrange. The default type is host.
dir: Specifies the direction – src, dst, or src or dst (the default).
proto: Limits the protocol, e.g., tcp, udp, icmp, arp, ip, ether.
Example unit: tcp dst port 22 (protocol tcp, direction dst, type port, identifier 22).
Common Expression Examples
tcpdump -D – list interfaces.
tcpdump -c 10 -i eth0 -nn -XX -vvv – capture 10 packets on eth0 with numeric output, full hex/ASCII dump, and maximum verbosity.
tcpdump -i eth1 – capture on a specific interface.
tcpdump host longshuai – all traffic to or from host longshuai.
tcpdump host helios and (hot or ace) – traffic between helios and either hot or ace.
tcpdump ip host ace and not helios – IP packets involving ace but excluding those with helios.
tcpdump src host hostname – packets whose source is hostname.
tcpdump dst host hostname – packets whose destination is hostname.
tcpdump tcp port 22 and host hostname – TCP traffic on the SSH port to/from hostname.
tcpdump udp port 123 – NTP traffic.
tcpdump -c 10 net 192.168 – first 10 packets on the 192.168 network.
tcpdump 'gateway snup and (port ftp or ftp-data)' – FTP traffic passing through gateway snup (note the single quotes, which protect the parentheses from the shell).
tcpdump -c 5 -nn -i eth0 icmp – capture five ICMP packets with numeric output.
tcpdump -c 5 -nn -i eth0 icmp and src 192.168.100.62 – capture ICMP packets from a specific source.
tcpdump -c 10 -nn -i eth0 tcp dst port 22 – capture SSH traffic on port 22.
tcpdump -c 2 -q -XX -vvv -nn -i eth0 tcp dst port 22 – capture two SSH packets with quiet output, full hex/ASCII dump, and maximum verbosity.
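To make the unit structure concrete (proto, then dir, then type, then identifier, with host and src or dst as defaults), here is an added example that is not tcpdump's code nor part of the original article: a small Python evaluator that parses expressions of that form, including and/or/not, their symbolic forms, and parentheses, and applies them to a few constructed packet records. The packet fields, the sample addresses, and the restriction to numeric ports and IPv4 are assumptions; real tcpdump compiles the expression to a BPF program instead of interpreting records like this.

```python
import re
PACKETS = [  # constructed sample packets, not a real capture: proto, src, dst, sport, dport
    dict(proto="tcp", src="192.168.100.62", dst="10.0.0.5", sport=51000, dport=22),
    dict(proto="icmp", src="192.168.100.62", dst="10.0.0.5", sport=None, dport=None),
    dict(proto="udp", src="10.0.0.5", dst="192.168.1.20", sport=123, dport=123),
    dict(proto="tcp", src="10.0.0.5", dst="172.16.4.9", sport=443, dport=40000),
]
PROTOS, DIRS, TYPES = {"tcp", "udp", "icmp", "ip"}, {"src", "dst"}, {"host", "net", "port"}

def _proto_ok(pkt, proto):  # all samples are IPv4, so the 'ip' qualifier matches every one
    return proto in (None, "ip") or pkt["proto"] == proto

def _unit_matches(pkt, proto, dir_, typ, ident):
    sides = {"src": ["src"], "dst": ["dst"]}.get(dir_, ["src", "dst"])  # default dir: src or dst
    test = {"port": lambda s: pkt[s[0] + "port"] == int(ident),           # sport / dport
            "net": lambda s: pkt[s].startswith(ident.rstrip(".") + "."),  # dotted prefix, e.g. 192.168
            "host": lambda s: pkt[s] == ident}[typ]                       # tcpdump's default type
    return any(test(s) for s in sides) and _proto_ok(pkt, proto)

def compile_filter(expr):
    # expr = term ('or' term)*; term = factor ('and' factor)*; factor = 'not' factor | '(' expr ')' | unit
    toks = [{"&&": "and", "||": "or", "!": "not"}.get(t, t)  # symbolic operators map to word forms
            for t in re.findall(r"\(|\)|&&|\|\||!|[\w.-]+", expr)]
    def peek(): return toks[0] if toks else None
    def take(): return toks.pop(0)
    def unit():  # [proto] [dir] [type] ident, with tcpdump's defaults filled in
        proto = take() if peek() in PROTOS else None
        if proto and peek() in (None, "and", "or", ")"):  # bare protocol unit, e.g. 'icmp'
            return lambda p: _proto_ok(p, proto)
        dir_ = take() if peek() in DIRS else None
        typ = take() if peek() in TYPES else "host"
        ident = take()
        return lambda p: _unit_matches(p, proto, dir_, typ, ident)
    def factor():
        if peek() == "not": take(); f = factor(); return lambda p: not f(p)
        if peek() == "(": take(); f = expression(); assert take() == ")"; return f
        return unit()
    def term():
        fs = [factor()]
        while peek() == "and": take(); fs.append(factor())
        return lambda p: all(f(p) for f in fs)
    def expression():
        ts = [term()]
        while peek() == "or": take(); ts.append(term())
        return lambda p: any(t(p) for t in ts)
    return expression()

def matching(expr, packets=PACKETS):  # indexes of the packets the filter would keep
    pred = compile_filter(expr)
    return [i for i, p in enumerate(packets) if pred(p)]
```

matching("tcp dst port 22") keeps only the first record, while "host 10.0.0.5 and not tcp" keeps the ICMP and NTP records, which mirrors what the corresponding tcpdump filters would select.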
Practical Tips
Use -nn to avoid DNS lookups that can slow down capture.
Keep the snapshot length (-s) as small as possible while still capturing the data you need, to reduce packet loss.
Combine logical operators to build complex filters; remember to quote the entire expression to prevent shell interpretation.
When capturing on a busy interface, consider writing to a file with -w and analyzing later with -r.
For protocols that do not accept certain qualifiers (e.g., icmp src host <IP> is not valid), combine the units instead: icmp and src host <IP>.
In summary, mastering a handful of tcpdump options (-nn, -XX, -vvv, -i, -c, -q) and constructing precise filter expressions enables efficient packet capture and analysis for debugging, security monitoring, and performance troubleshooting.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)