Mastering tcpdump: Practical Commands for Network Packet Capture and Analysis
This guide explains how to use tcpdump for network packet capture, covering basic usage, interface selection, host and port filtering, logical expressions, saving captures, limiting packet counts, and real‑world troubleshooting of a Node.js service behind Nginx.
Introduction
tcpdump is a powerful network packet capture and analysis tool. Its filter expressions select traffic by network layer, protocol, host, network, or port, and the logical operators and, or, and not combine those filters so that irrelevant packets are excluded from the capture.
Basic Commands
Without parameters, tcpdump captures traffic on the default interface:
tcpdump
Capture on a specific interface (e.g., en0):
tcpdump -i en0
Capture traffic to or from a specific host:
tcpdump host 182.254.38.55
Capture only a source or only a destination host:
tcpdump src host hostname
tcpdump dst host hostname
Capture traffic involving a particular port:
tcpdump port 3000
Capture only TCP packets (likewise udp or icmp for those protocols):
tcpdump tcp
Combined Filters
Example: capture TCP packets on port 22 whose source host is 123.207.116.169:
tcpdump tcp port 22 and src host 123.207.116.169
Example: capture IP traffic involving host 210.27.48.1, excluding any packets to or from 210.27.48.2:
tcpdump ip host 210.27.48.1 and ! 210.27.48.2
Detailed Example with Multiple Options
tcpdump tcp -i eth1 -t -s 0 -c 100 and dst port ! 22 and src net 192.168.1.0/24 -w ./target.cap
Explanation of options:
(1) Protocol filter (tcp, udp, icmp, etc.) placed first.
(2) -i eth1 – capture only on interface eth1.
(3) -t – omit timestamps.
(4) -s 0 – capture the full packet (default is 68 bytes).
(5) -c 100 – stop after 100 packets.
(6) dst port ! 22 – exclude packets destined for port 22.
(7) src net 192.168.1.0/24 – limit source network.
(8) -w ./target.cap – write output to a capture file for later analysis with Wireshark.
Limiting Capture Size and Saving
Capture a fixed number of packets and then exit:
tcpdump -c 1000
Save captured packets to a file (by default the output is buffered and written only when the buffer fills or the program exits):
tcpdump -n -vvv -c 1000 -w /tmp/tcpdump_save.cap
Adding -U forces each packet to be written to disk immediately, at some cost in performance.
Real‑World Troubleshooting Scenario
A Node.js server listens on port 3000, behind an Nginx reverse proxy on port 80. A client at 183.14.132.117 reports no response. Steps using tcpdump:
(1) Verify that the request reaches the Node.js process (check the application logs).
(2) Check whether Nginx forwards the request. Capture traffic on the proxy port:
tcpdump port 8383
If no output appears, the forwarded traffic is probably on the loopback interface. Capture on lo:
tcpdump port 8383 -i lo
To narrow the capture to the specific client IP, add the source host filter:
tcpdump port 8383 -i lo and src host 183.14.132.117
Finally, capture the TCP traffic on the loopback interface with addresses and ports shown numerically (-n):
tcpdump -n tcp port 8383 -i lo and src host 183.14.132.117
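The following script is an added example and is not part of the original article. It ties together the option-and-filter composition from the detailed example above and the loopback troubleshooting steps: build_capture_cmd checks the port, client address and packet count before they reach tcpdump, puts every option before the filter, and passes the whole BPF expression as one quoted argument; syn_summary then reads the text output of a tcpdump -n capture (with or without -t) and reports, for each client socket, whether its SYNs to the backend port were answered with SYN-ACK, refused with RST, or never answered, which is exactly the question the scenario is trying to settle. The port 8383, client 183.14.132.117 and interface lo are the article's values; the capture lines in SAMPLE_CAPTURE are constructed for this example. One assumption worth stating: on lo, a connection that Nginx proxies to the backend originates from the proxy's own address (127.0.0.1 in the sample), so the summary is keyed by that proxy-side socket rather than by the remote client's address.

```shell
#!/bin/sh
# Added example, not code from the original article.
#  1. build_capture_cmd assembles a capture command: options first, the BPF
#     filter last as a single quoted argument, inputs validated beforehand.
#  2. syn_summary reads "tcpdump -n" text output and classifies each client
#     socket's SYNs to the backend port as established / refused / unanswered.
# Port 8383, client 183.14.132.117 and interface lo are the article's values;
# SAMPLE_CAPTURE below is constructed for this example.

is_port() {
    # Accept only integers in 1..65535.
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

is_ipv4() {
    # Dotted-quad shape check (does not validate octet ranges).
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

is_count() {
    # Positive integer with no leading zero.
    case "$1" in ''|*[!0-9]*|0*) return 1 ;; esac
}

build_capture_cmd() {
    # $1 interface, $2 backend port, $3 client IPv4, $4 packet count.
    # Prints the command line on success; returns 1 and prints nothing on bad input.
    iface=$1; port=$2; client=$3; count=$4
    is_port "$port"    || { echo "bad port: $port" >&2; return 1; }
    is_ipv4 "$client"  || { echo "bad host: $client" >&2; return 1; }
    is_count "$count"  || { echo "bad count: $count" >&2; return 1; }
    printf "tcpdump -n -i %s -c %s 'tcp port %s and src host %s'\n" \
        "$iface" "$count" "$port" "$client"
}

syn_summary() {
    # $1: backend port. Reads tcpdump -n text lines from stdin.
    awk -v port="$1" '
    {
        i = ($1 == "IP") ? 1 : 2            # with -t there is no timestamp column
        if ($i != "IP" || $(i+4) != "Flags") next
        src = $(i+1); dst = $(i+3); sub(/:$/, "", dst)
        flags = $(i+5); sub(/,$/, "", flags)
        n = split(src, s, "."); sport = s[n]  # last dotted component is the port
        n = split(dst, d, "."); dport = d[n]
        if (dport == port && flags == "[S]")          syn[src]++      # client SYN
        else if (sport == port && flags == "[S.]")    synack[dst] = 1 # backend answered
        else if (sport == port && index(flags, "R"))  rst[dst] = 1    # backend refused
    }
    END {
        for (c in syn) {
            state = "unanswered"
            if (c in synack)   state = "established"
            else if (c in rst) state = "refused"
            printf "%s syn=%d %s\n", c, syn[c], state
        }
    }' | sort
}

# Constructed sample of "tcpdump -n -i lo tcp port 8383" output:
# socket 50000 completes a handshake, 50001 retransmits its SYN without any
# reply, 50002 is refused with RST.
SAMPLE_CAPTURE='12:00:01.000001 IP 127.0.0.1.50000 > 127.0.0.1.8383: Flags [S], seq 1, win 65495, length 0
12:00:01.000100 IP 127.0.0.1.8383 > 127.0.0.1.50000: Flags [S.], seq 100, ack 2, win 65483, length 0
12:00:01.000200 IP 127.0.0.1.50000 > 127.0.0.1.8383: Flags [.], ack 101, win 512, length 0
12:00:02.000001 IP 127.0.0.1.50001 > 127.0.0.1.8383: Flags [S], seq 1, win 65495, length 0
12:00:03.000001 IP 127.0.0.1.50001 > 127.0.0.1.8383: Flags [S], seq 1, win 65495, length 0
12:00:04.000001 IP 127.0.0.1.50002 > 127.0.0.1.8383: Flags [S], seq 1, win 65495, length 0
12:00:04.000050 IP 127.0.0.1.8383 > 127.0.0.1.50002: Flags [R.], seq 0, ack 2, win 0, length 0'

demo_summary() {
    printf '%s\n' "$SAMPLE_CAPTURE" | syn_summary 8383
}

# Stand-alone run: the command the scenario's step (2) would use, then the
# classification of the constructed capture.
build_capture_cmd lo 8383 183.14.132.117 100
demo_summary
```

To use it on a live system, run the printed command with -w dropped (text output is what syn_summary parses) as root on the proxy host, save the output to a file, and pipe that file into syn_summary with the backend port; a socket reported as unanswered means the SYN reached the port but nothing listening replied, which points at the backend rather than at Nginx.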
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)