Mastering tcpdump: Practical Commands for Network Packet Capture

Introduction

tcpdump is a network packet capture and analysis tool. It supports filtering by layer, protocol, host, network, or port, and provides logical operators such as and, or, not to discard irrelevant information.

tcpdump - dump traffic on a network

Examples

Run without parameters

Capture packets on the first network interface. If the host has multiple interfaces, you often need to specify one.

tcpdump

Capture on a specific interface

tcpdump -i en0

Capture traffic to/from a specific host

Example: capture packets between the local machine and host 182.254.38.55.

tcpdump host 182.254.38.55

Capture by source or destination address

Source address: tcpdump src host hostname Destination address: tcpdump dst host hostname If neither src nor dst is specified, packets matching either the source or destination hostname are captured.

tcpdump host hostname

Capture by port

tcpdump port 3000

Capture only TCP or UDP

Capture only TCP packets:

tcpdump tcp

Capture TCP from a specific host and port

Capture TCP packets from host 123.207.116.169 on port 22:

tcpdump tcp port 22 and src host 123.207.116.169

Capture communication between two specific hosts

tcpdump ip host 210.27.48.1 and 210.27.48.2

To exclude communication with the second host:

tcpdump ip host 210.27.48.1 and ! 210.27.48.2

More detailed example

tcpdump tcp -i eth1 -t -s 0 -c 100 and dst port ! 22 and src net 192.168.1.0/24 -w ./target.cap

tcp: specify protocol types such as ip, icmp, arp, rarp, tcp, udp.

-i eth1: capture on interface eth1.

-t: omit timestamps.

-s 0: capture the full packet (default 68 bytes).

-c 100: stop after 100 packets.

dst port ! 22: exclude packets destined for port 22.

src net 192.168.1.0/24: source network address.

-w ./target.cap: write output to a file for later analysis with Wireshark.

Limit capture count

Stop after capturing 1000 packets:

tcpdump -c 1000

Save to local file

By default tcpdump buffers output; it writes to disk when the buffer is full or when tcpdump exits. To write immediately (though slower), use -U.

tcpdump -n -vvv -c 1000 -w /tmp/tcpdump_save.cap

Optional immediate write:

tcpdump -U ...

Practical scenario

Consider a server running a Node.js application on port 3000 behind an Nginx reverse proxy listening on port 80. If a client (183.14.132.117) cannot get a response, you can troubleshoot with tcpdump.

Browser → Nginx reverse proxy → Node.js server

Step 1: Verify the request reaches the Node.js server (check logs).

Step 2: Verify Nginx forwards the request. Capture traffic on port 8383: tcpdump port 8383 If no output appears, specify the loopback interface because Nginx forwards to 127.0.0.1: tcpdump port 8383 -i lo Configure Nginx to pass the original Host header; otherwise the source host appears as 127.0.0.1, making the following filter ineffective:

tcpdump port 8383 -i lo and src host 183.14.132.117

Step 3: Verify the request reaches the server:

tcpdump -n tcp port 8383 -i lo and src host 183.14.132.117