Mastering tcpdump: Practical Commands for Network Packet Capture
This guide explains how to use tcpdump for network packet capture, covering basic commands, filtering by interface, host, port, protocol, advanced examples, saving captures to files, and a practical troubleshooting scenario involving Nginx and a Node.js server.
Introduction
tcpdump is a network packet capture and analysis tool. Captures can be filtered by protocol, host, network or port, and the filter expressions support the logical operators and, or and not, so that irrelevant traffic is discarded before it reaches the output.
tcpdump - dump traffic on a network
Examples
Run without parameters
Capture packets on the first network interface. If a host has multiple interfaces, you often need to specify one.
tcpdump
Capture on a specific interface
tcpdump -i en0
Capture traffic to/from a specific host
Example: capture communication between the local machine and host 182.254.38.55.
tcpdump host 182.254.38.55
Capture by source or destination address
Specific source:
tcpdump src host hostname
Specific destination:
tcpdump dst host hostname
If neither src nor dst is specified, packets with the given hostname as either source or destination are captured.
tcpdump host hostname
Capture by port
tcpdump port 3000
Capture only TCP or UDP
Capture only TCP packets:
tcpdump tcp
Capture TCP packets from a specific host and port
Capture TCP packets from host 123.207.116.169 on port 22.
tcpdump tcp port 22 and src host 123.207.116.169
Capture traffic between two specific hosts
tcpdump ip host 210.27.48.1 and 210.27.48.2
To capture traffic between 210.27.48.1 and all hosts except 210.27.48.2:
tcpdump ip host 210.27.48.1 and ! 210.27.48.2
More detailed example
tcpdump tcp -i eth1 -t -s 0 -c 100 and dst port ! 22 and src net 192.168.1.0/24 -w ./target.cap
(1) tcp: a protocol keyword such as ip, icmp, arp, rarp, tcp or udp must come first in the filter expression.
(2) -i eth1: capture on interface eth1.
(3) -t: omit timestamps.
(4) -s 0: capture the full packet length (default is 68 bytes).
(5) -c 100: capture only 100 packets.
(6) dst port ! 22: exclude packets whose destination port is 22.
(7) src net 192.168.1.0/24: source network address filter.
(8) -w ./target.cap: write the raw packets to a capture file for later analysis with Wireshark. Placing -w (or -i) after the filter expression, as here, relies on the GNU getopt argument reordering used on Linux; listing all options before the expression is the portable form.
Limit capture count
Stop after capturing 1000 packets:
tcpdump -c 1000
Save to local file
tcpdump buffers output and writes to disk when the buffer is full or when it exits. To write immediately, use -U (not recommended for performance).
tcpdump -n -vvv -c 1000 -w /tmp/tcpdump_save.cap
Optional immediate write: add -U to the command.
Practical Scenario
Assume a Node.js server listening on port 3000 behind an Nginx reverse proxy on port 80. A client at 183.14.132.117 reports no response.
Browser → Nginx reverse proxy → Node.js server
Steps to troubleshoot:
Check if the request reached the Node.js server (e.g., via logs).
Verify Nginx forwarded the request. Capture traffic on port 8383:
tcpdump port 8383
If no output appears, Nginx may be using the loopback interface, so specify it:
tcpdump port 8383 -i lo
Configure Nginx to preserve the original Host header; otherwise the source host appears as 127.0.0.1 to the Node.js server, making the following filter ineffective:
tcpdump port 8383 -i lo and src host 183.14.132.117
Confirm the request reached the server:
tcpdump -n tcp port 8383 -i lo and src host 183.14.132.117
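The filters used throughout match fields in the IP and TCP headers, so on the loopback leg the source address is Nginx's own 127.0.0.1 whatever HTTP headers it forwards, and the original client survives only inside the request (for instance in an X-Forwarded-For header). As an added example, not code from the original article, this Python reader parses a capture file written with -w and applies the scenario's filters to two constructed packets; the upstream address 10.0.0.5, the client port numbers and the X-Forwarded-For header are assumptions.

```python
import socket
import struct

def pcap_file(frames):
    """Constructed capture in the format tcpdump -w writes (little-endian pcap, Ethernet link type 1)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, 1)
    for n, f in enumerate(frames):                # record header: ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack("<IIII", n, 0, len(f), len(f)) + f
    return out

def tcp_frame(src, dst, sport, dport, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame; checksums are left zero, which BPF filters never inspect."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def read_pcap(data):
    """Yield (src, dst, sport, dport, payload) for every IPv4/TCP record in the capture."""
    off = 24                                      # skip the 24-byte global header
    while off < len(data):
        incl_len = struct.unpack_from("<I", data, off + 8)[0]
        frame, off = data[off + 16:off + 16 + incl_len], off + 16 + incl_len
        ip = frame[14:]
        if frame[12:14] != b"\x08\x00" or ip[9] != 6:
            continue                              # not IPv4, or not TCP (protocol 6)
        tcp = ip[(ip[0] & 0x0F) * 4:]             # IHL gives the IPv4 header length
        sport, dport = struct.unpack_from("!HH", tcp)
        yield (socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]),
               sport, dport, tcp[(tcp[12] >> 4) * 4:])

def matches(rec, src_host=None, port=None):
    """Semantics of 'src host X and port N': IP source address, and N as either TCP port."""
    src, _, sport, dport, _ = rec
    return (src_host is None or src == src_host) and (port is None or port in (sport, dport))

# Constructed traffic for the scenario: client -> Nginx on :80, then Nginx -> Node.js on :8383 from 127.0.0.1.
CAPTURE = pcap_file([
    tcp_frame("183.14.132.117", "10.0.0.5", 51000, 80, b"GET / HTTP/1.1\r\nHost: app.example\r\n\r\n"),
    tcp_frame("127.0.0.1", "127.0.0.1", 42000, 8383,
              b"GET / HTTP/1.1\r\nHost: app.example\r\nX-Forwarded-For: 183.14.132.117\r\n\r\n"),
])

def count(src_host=None, port=None):
    return sum(1 for r in read_pcap(CAPTURE) if matches(r, src_host, port))

def forwarded_clients(port):
    """On the loopback leg the real client is visible only in the HTTP payload (X-Forwarded-For)."""
    return [l.split(b": ", 1)[1].decode() for r in read_pcap(CAPTURE) if port in r[2:4]
            for l in r[4].split(b"\r\n") if l.startswith(b"X-Forwarded-For: ")]
```

Running count("183.14.132.117", 8383) returns 0 for the loopback leg, while count("127.0.0.1", 8383) returns 1; forwarded_clients(8383) recovers the client from the payload instead.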
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
MaGe Linux Operations