
Mastering tcpdump: Practical Commands for Network Packet Capture

This guide explains how to use tcpdump for network packet capture, covering basic usage, interface selection, host and port filtering, logical operators, saving captures to files, and real‑world troubleshooting scenarios with clear command examples.

Open Source Linux

tcpdump is a network packet capture and analysis tool that supports filtering by network layer, protocol, host, network, or port, and provides logical operators such as and, or, and not to refine results.

Examples

Capture without specifying parameters

tcpdump

Capture on a specific interface

tcpdump -i en0

Capture traffic between the local host and a specific host

tcpdump host 182.254.38.55

Capture traffic from a specific source host

tcpdump src host hostname

Capture traffic to a specific destination host

tcpdump dst host hostname

Capture traffic for a specific host (source or destination)

tcpdump host hostname

Capture traffic on a specific port

tcpdump port 3000

Capture only TCP packets

tcpdump tcp

Capture TCP packets from a host on a specific port

tcpdump tcp port 22 and src host 123.207.116.169

Capture IP traffic to or from one host, excluding its traffic with a second host

tcpdump ip host 210.27.48.1 and ! 210.27.48.2

Detailed example with multiple filters

tcpdump -i eth1 -t -s 0 -c 100 -w ./target.cap tcp and not dst port 22 and src net 192.168.1.0/24

(1) tcp (likewise ip, icmp, arp, rarp) is a filter primitive that selects packets of that type; (2) -i eth1 captures only on interface eth1; (3) -t omits timestamps; (4) -s 0 captures the full length of each packet; (5) -c 100 stops after 100 packets; (6) not dst port 22 excludes packets whose destination port is 22; (7) src net 192.168.1.0/24 keeps only packets whose source address is in that network; (8) -w ./target.cap writes the raw packets to a file for later analysis with Wireshark. Command-line options come first and the filter expression is everything after them; negation is written not dst port 22 (or ! dst port 22), not dst port ! 22.
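To make the filter semantics concrete, here is an added Python model of the filter primitives used on this page (host, src host, dst host, port, dst port, src net, protocol type, and the and/or/not operators) applied to constructed sample packets. It is not code from the original article or from tcpdump itself; the ip qualifier is assumed (every sample packet is IP), and it evaluates the two compound expressions above: host 210.27.48.1 and ! 210.27.48.2, and tcp and not dst port 22 and src net 192.168.1.0/24.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0      # 0 when the protocol has no ports
    dport: int = 0

# Each primitive returns a predicate, mirroring a tcpdump filter keyword.
def ip_proto(name):  return lambda p: p.proto == name
def host(addr):      return lambda p: addr in (p.src, p.dst)   # either direction
def src_host(addr):  return lambda p: p.src == addr
def dst_host(addr):  return lambda p: p.dst == addr
def port(n):         return lambda p: n in (p.sport, p.dport)  # either end
def dst_port(n):     return lambda p: p.dport == n
def src_net(cidr):
    net = ipaddress.ip_network(cidr)
    return lambda p: ipaddress.ip_address(p.src) in net

# Logical operators: and / or / not (tcpdump also accepts &&, ||, !).
def and_(*terms): return lambda p: all(t(p) for t in terms)
def or_(*terms):  return lambda p: any(t(p) for t in terms)
def not_(term):   return lambda p: not term(p)

def select(filt, packets):
    """Return the packets the filter would let tcpdump show."""
    return [p for p in packets if filt(p)]

# Constructed sample traffic (not real captures).
PACKETS = [
    Packet("tcp", "210.27.48.1", "210.27.48.2", 40000, 22),    # peer we exclude
    Packet("tcp", "210.27.48.1", "10.0.0.5", 40001, 80),
    Packet("tcp", "192.168.1.10", "210.27.48.1", 50000, 3000),
    Packet("tcp", "192.168.1.11", "10.0.0.5", 50001, 22),      # dst port 22
    Packet("tcp", "192.168.1.20", "10.0.0.5", 22, 51000),      # src port 22 only
    Packet("icmp", "192.168.1.12", "10.0.0.5"),
]

# "ip host 210.27.48.1 and ! 210.27.48.2": traffic of .1 except with .2
EXCLUDE_PEER = and_(host("210.27.48.1"), not_(host("210.27.48.2")))
# "tcp and not dst port 22 and src net 192.168.1.0/24"
DETAILED = and_(ip_proto("tcp"), not_(dst_port(22)), src_net("192.168.1.0/24"))

if __name__ == "__main__":
    for name, f in (("EXCLUDE_PEER", EXCLUDE_PEER), ("DETAILED", DETAILED)):
        print(name, [(p.src, p.dst, p.dport) for p in select(f, PACKETS)])
```

Note that DETAILED keeps the packet with source port 22, because only the destination port was excluded; the unqualified port 22 would have matched either end.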

Limiting the number of captured packets

tcpdump -c 1000

Saving captures to a file

tcpdump -n -vvv -c 1000 -w /tmp/tcpdump_save.cap

Adding the -U option (packet-buffered output) flushes each packet to the file as soon as it is captured instead of waiting for the output buffer to fill, which is useful when you need to read the file while the capture is still running, though it may impact performance.

Real‑world troubleshooting example

A typical setup has a Node.js server listening on port 3000 behind an Nginx reverse proxy on port 80. If a client (e.g., 183.14.132.117) reports no response, the following steps help diagnose the issue:

Verify the request reaches the Node.js server (check server logs).

Check whether Nginx forwards the request. Use:

Confirm the request reaches the server:

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.
Written by

Open Source Linux