
Why Ops Engineers Still Skip tcpdump? The Command-Line Packet Capture Powerhouse

This hands‑on guide walks you through every practical aspect of using tcpdump—from basic commands and essential filters to saving, reading, advanced flag tricks, performance tuning, security considerations, real‑world case studies, and integration with tools like tshark and Wireshark—so you can capture and analyze network traffic efficiently and safely in production environments.

dbaplus Community

1. Basic Capture – Lay the Foundation

Typical noisy command (not for production):

tcpdump -i eth0

Commonly used with useful options:

tcpdump -i eth0 -nn -tttt – no host or port name resolution (-nn avoids the DNS lookups that slow output and add traffic of their own) and a full date-and-time stamp on each line.

tcpdump -i eth0 -nn -s 0 – capture full packets. Old tcpdump releases defaulted to a 68- or 96-byte snaplen, which truncates HTTP bodies; modern releases default to a snaplen large enough for any frame (262144 bytes in current versions), so -s 0, which means "use the maximum", is an explicit guard rather than a requirement.

tcpdump -i eth0 -nn -c 100 – stop after 100 packets.

2. Filters – The Soul of tcpdump

Port filtering: tcpdump -i eth0 -nn port 80

MySQL port: tcpdump -i eth0 -nn port 3306

Port range: tcpdump -i eth0 -nn portrange 1000-2000

Host filtering: tcpdump -i eth0 -nn host 192.168.1.100

Source only: tcpdump -i eth0 -nn src host 192.168.1.100

Destination only: tcpdump -i eth0 -nn dst host 192.168.1.100

Network filtering: tcpdump -i eth0 -nn net 192.168.1.0/24

Protocol filtering (TCP, UDP, ICMP):

tcpdump -i eth0 -nn tcp
tcpdump -i eth0 -nn udp
tcpdump -i eth0 -nn icmp

Logical combinations:

# AND – both conditions
tcpdump -i eth0 -nn 'host 192.168.1.100 and port 80'

# OR – either condition
tcpdump -i eth0 -nn 'port 80 or port 443'

# NOT – exclude
tcpdump -i eth0 -nn 'port not 22'

# Complex example
tcpdump -i eth0 -nn 'src net 192.168.1.0/24 and (port 80 or port 443)'

3. Save and Read – Long‑Term Capture Essentials

Write to pcap (viewable in Wireshark):

tcpdump -i eth0 -nn -w /tmp/capture.pcap

Split by size (-C counts in units of 1,000,000 bytes, so 100 is roughly 100 MB; with -W 10 the files get numbered suffixes and form a ring of 10, the oldest being overwritten):

tcpdump -i eth0 -nn -w /tmp/capture.pcap -C 100 -W 10

Split by time (a new file every hour; combined with -G, -W 24 stops the capture after 24 files instead of rotating). The filename must contain strftime() conversions, otherwise every rotation overwrites the same file:

tcpdump -i eth0 -nn -w '/tmp/capture_%Y%m%d_%H%M%S.pcap' -G 3600 -W 24

Timestamped filenames:

tcpdump -i eth0 -nn -w /tmp/capture_$(date +%Y%m%d_%H%M%S).pcap

Read a file: tcpdump -nn -r /tmp/capture.pcap

Read with filter (e.g., MySQL on a specific host):

tcpdump -nn -r /tmp/capture.pcap 'port 3306 and host 10.0.1.50'
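What -w actually writes and -r reads back is the classic libpcap container: a 24-byte global header (magic, version 2.4, snaplen, link type) followed by a 16-byte record header per packet carrying the timestamp, the stored length and the original length. The following Python is an added example, not code from the article or from tcpdump: it writes such a file from constructed dummy frames, reads it back in either byte order, and compares stored and original lengths to find packets that a too-small -s cut short (the old 96-byte default mentioned above). Timestamps, frame sizes and the file contents are made up for the example.

```python
"""Added example (not from the article or tcpdump): minimal classic pcap writer/reader
that flags packets truncated by the capture snaplen. All frames are constructed dummies."""
import struct

# Classic pcap magic numbers as they appear on disk -> (struct byte order, timestamp unit).
# 0xA1B2C3D4 = microsecond timestamps; 0xA1B23C4D = nanoseconds (--time-stamp-precision=nano).
MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", "usec"), b"\xa1\xb2\xc3\xd4": (">", "usec"),
    b"\x4d\x3c\xb2\xa1": ("<", "nsec"), b"\xa1\xb2\x3c\x4d": (">", "nsec"),
}
LINKTYPE_ETHERNET = 1   # what -i eth0 produces; -i any writes LINKTYPE_LINUX_SLL (113) instead


def write_pcap(records, snaplen, linktype=LINKTYPE_ETHERNET):
    """Return the bytes of a classic pcap file for records = [(ts_sec, ts_usec, frame), ...].
    Like `tcpdump -s <snaplen> -w`, it stores at most snaplen bytes of each frame but keeps
    the original frame length in the record header, which is what makes truncation detectable."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype))
    for ts_sec, ts_usec, frame in records:
        stored = frame[:snaplen]
        out += struct.pack("<IIII", ts_sec, ts_usec, len(stored), len(frame))
        out += stored
    return bytes(out)


def is_classic_pcap(data):
    """True for classic pcap; pcapng (the Wireshark default) starts with 0x0A0D0D0A instead."""
    return bytes(data[:4]) in MAGICS


def read_pcap(data):
    """Parse a classic pcap file in either byte order.
    Returns (snaplen, linktype, timestamp_unit, [(ts_sec, ts_frac, stored_bytes, orig_len), ...])."""
    data = bytes(data)
    if not is_classic_pcap(data):
        raise ValueError("not a classic pcap file")
    endian, unit = MAGICS[data[:4]]
    _, major, minor, _, _, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    if (major, minor) != (2, 4):
        raise ValueError(f"unsupported pcap version {major}.{minor}")
    records, pos = [], 24
    while pos + 16 <= len(data):
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[pos:pos + 16])
        pos += 16
        if incl_len > snaplen or incl_len > orig_len or pos + incl_len > len(data):
            raise ValueError(f"corrupt or cut-short record at offset {pos - 16}")
        records.append((ts_sec, ts_frac, data[pos:pos + incl_len], orig_len))
        pos += incl_len
    return snaplen, linktype, unit, records


def truncated_records(data):
    """(index, stored_len, original_len) for every packet the snaplen cut short. Wireshark marks
    these "[Packet size limited during capture]"; payload decoding of such packets is unreliable."""
    _, _, _, records = read_pcap(data)
    return [(i, len(stored), orig) for i, (_, _, stored, orig) in enumerate(records)
            if len(stored) < orig]


# Constructed frames: an ACK-sized frame, a small HTTP request, a full-size Ethernet frame.
FRAMES = [(1700000000, 0, bytes(60)), (1700000000, 2500, bytes(150)), (1700000001, 0, bytes(1514))]


def compare_snaplens(frames=FRAMES):
    """Write the same frames with -s 96 (old default) and -s 262144 (modern default) and
    return how many packets each file truncates."""
    return (len(truncated_records(write_pcap(frames, 96))),
            len(truncated_records(write_pcap(frames, 262144))))


if __name__ == "__main__":
    small, full = compare_snaplens()
    print(f"snaplen 96: {small} of {len(FRAMES)} packets truncated; snaplen 262144: {full}")
```

Run on a real file (read the bytes and call truncated_records) before attempting payload-level analysis such as HTTP bodies or MySQL queries: if most records come back truncated, the capture was taken headers-only and the payload work is not possible from it.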

4. Inspect Packet Content

-A

– ASCII view (good for HTTP requests/responses). -X – Hex + ASCII (useful for binary protocols). -x – Hex only.

Verbosity levels: -v, -vv, -vvv (show TTL, IP options, checksum, etc.).

5. TCP Flag Filtering – Diagnose Connection Issues

# SYN packets (new connections)
tcpdump -i eth0 -nn 'tcp[tcpflags] & tcp-syn != 0 and tcp[tcpflags] & tcp-ack == 0'

# SYN-ACK packets
tcpdump -i eth0 -nn 'tcp[tcpflags] & (tcp-syn|tcp-ack) == (tcp-syn|tcp-ack)'

# RST packets (connection reset)
tcpdump -i eth0 -nn 'tcp[tcpflags] & tcp-rst != 0'

# FIN packets (normal close)
tcpdump -i eth0 -nn 'tcp[tcpflags] & tcp-fin != 0'

# PSH packets (push data)
tcpdump -i eth0 -nn 'tcp[tcpflags] & tcp-push != 0'

6. Deep HTTP Filtering

Capture only GET requests (hex pattern 0x47455420 = "GET "):

tcpdump -i eth0 -nn -A -s 0 'tcp port 80 and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420)'

Capture only POST requests (hex 0x504f5354 = "POST"):

tcpdump -i eth0 -nn -A -s 0 'tcp port 80 and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354)'

Capture HTTP responses (hex 0x48545450 = "HTTP"):

tcpdump -i eth0 -nn -A -s 0 'tcp port 80 and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x48545450)'

BPF cannot match arbitrary strings, so filter on a specific URL or User-Agent after capture: pipe line-buffered ASCII output to grep (tcpdump -l -A … | grep …), or save to a file and use Wireshark's http.request.uri and http.user_agent display filters. Note that the byte matches above only fire on the segment that begins with the method or status line, and never on TLS traffic.

7. Advanced Tricks

Packet size: tcpdump -i eth0 -nn 'greater 1000' (large packets) or 'less 100' (small packets).

TTL filtering: tcpdump -i eth0 -nn 'ip[8] = 64'.

Fragmented packets (non-zero fragment offset, or the More Fragments bit set):

tcpdump -i eth0 -nn 'ip[6:2] & 0x1fff != 0 or ip[6] & 0x20 != 0'

TCP header longer than 20 bytes, i.e. options present (MSS, SACK, timestamps): tcpdump -i eth0 -nn 'tcp[12] & 0xf0 > 0x50'.
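How these byte-offset expressions index a packet is easiest to see by evaluating them by hand. The following Python is an added example, not the article's or tcpdump's code: it constructs IPv4/TCP segments (addresses, ports and the 12-byte timestamps option block are made up) and evaluates the tcp[tcpflags], ip[6:2], ip[8], ip[10] and tcp[12] expressions from sections 5 to 7 and the HTTP-method test from section 6 the way the filter engine indexes them, showing in particular why the method test must derive the payload offset from tcp[12] instead of assuming a 20-byte TCP header.

```python
"""Added example (not from the article or tcpdump): evaluate the page's byte-offset BPF
expressions against constructed IPv4/TCP packets. Every packet below is made up."""
import struct

# tcp[tcpflags] bit values; pcap-filter spells them tcp-fin, tcp-syn, tcp-rst, tcp-push, tcp-ack
TCP_FIN, TCP_SYN, TCP_RST, TCP_PUSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def ip_checksum(header):
    """RFC 1071 one's-complement sum over a 20-byte IPv4 header (0 when the header verifies)."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_tcp(src, dst, sport, dport, flags, payload=b"", options=b"",
                   ttl=64, more_fragments=False, frag_offset=0, ident=1):
    """Constructed IPv4 header + TCP header (+options, +payload). No Ethernet header:
    pcap-filter's ip[n] and tcp[n] count from the IP and TCP headers respectively."""
    assert len(options) % 4 == 0, "TCP options are padded to 32-bit words"

    def addr(a):
        return bytes(int(octet) for octet in a.split("."))

    data_offset_words = 5 + len(options) // 4                 # high nibble of tcp[12]
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1,
                      data_offset_words << 4, flags, 65535, 0, 0) + options + payload
    frag_field = (0x2000 if more_fragments else 0) | frag_offset   # MF bit is 0x20 in ip[6]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ident, frag_field,
                     ttl, 6, 0, addr(src), addr(dst))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]    # fill in ip[10:2]
    return ip + tcp


def tcp_field(pkt, n, size=1):
    """tcp[n:size] as the filter engine sees it: n bytes past the start of the TCP header."""
    start = (pkt[0] & 0x0F) * 4 + n                            # skip the IPv4 header (IHL * 4)
    return int.from_bytes(pkt[start:start + size], "big")


def is_syn_only(pkt):       # tcp[tcpflags] & tcp-syn != 0 and tcp[tcpflags] & tcp-ack == 0
    return (tcp_field(pkt, 13) & (TCP_SYN | TCP_ACK)) == TCP_SYN

def is_fragment(pkt):       # ip[6:2] & 0x1fff != 0 or ip[6] & 0x20 != 0
    return (int.from_bytes(pkt[6:8], "big") & 0x1FFF) != 0 or (pkt[6] & 0x20) != 0

def has_tcp_options(pkt):   # tcp[12] & 0xf0 > 0x50  (header longer than five 32-bit words)
    return (tcp_field(pkt, 12) & 0xF0) > 0x50

def ttl_is(pkt, ttl):       # ip[8] = 64
    return pkt[8] == ttl

def in_sample(pkt):         # ip[10] & 1 = 1  (low bit of the checksum's high byte, about 50 %)
    return (pkt[10] & 1) == 1

def http_method(pkt):
    """tcp[((tcp[12:1] & 0xf0) >> 2):4]: the first four payload bytes wherever the payload
    starts; (words * 16) >> 2 equals words * 4, the TCP header length in bytes."""
    payload_offset = (tcp_field(pkt, 12) & 0xF0) >> 2
    return tcp_field(pkt, payload_offset, 4).to_bytes(4, "big")

def naive_method(pkt):
    """What the tempting tcp[20:4] reads: right only while the TCP header carries no options."""
    return tcp_field(pkt, 20, 4).to_bytes(4, "big")


# Constructed traffic. TS_OPTS is a NOP, NOP, Timestamps option block as Linux adds to most segments.
TS_OPTS = b"\x01\x01\x08\x0a" + b"\x00" * 8
CLIENT, SERVER = "10.0.0.5", "10.0.0.80"
GET_PLAIN = build_ipv4_tcp(CLIENT, SERVER, 40000, 80, TCP_PUSH | TCP_ACK, b"GET / HTTP/1.1\r\n")
GET_OPTS = build_ipv4_tcp(CLIENT, SERVER, 40001, 80, TCP_PUSH | TCP_ACK, b"GET / HTTP/1.1\r\n", options=TS_OPTS)
POST_OPTS = build_ipv4_tcp(CLIENT, SERVER, 40002, 80, TCP_PUSH | TCP_ACK, b"POST /login HTTP/1.1\r\n", options=TS_OPTS)
SYN = build_ipv4_tcp(CLIENT, SERVER, 40003, 80, TCP_SYN, options=TS_OPTS)
FRAG = build_ipv4_tcp(CLIENT, SERVER, 40004, 80, TCP_ACK, b"x" * 8, more_fragments=True)


def classify(pkt):
    return {"syn_only": is_syn_only(pkt), "fragment": is_fragment(pkt),
            "options": has_tcp_options(pkt), "method": http_method(pkt),
            "naive_tcp20": naive_method(pkt), "sampled": in_sample(pkt)}


if __name__ == "__main__":
    for name, pkt in [("GET_PLAIN", GET_PLAIN), ("GET_OPTS", GET_OPTS),
                      ("POST_OPTS", POST_OPTS), ("SYN", SYN), ("FRAG", FRAG)]:
        print(f"{name:10} {classify(pkt)}")
```

The naive tcp[20:4] read returns the option bytes as soon as the segment carries TCP timestamps, which is nearly every segment on a modern Linux host, so the header-length-aware expression is the one to keep. The same parsing shows the limits: the match only fires on the segment that starts with the method, and a request split across segments or carried over TLS is invisible to it.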

Duplicate-ACK counting (a cheap loss/retransmission signal: the same acknowledgement number from the same peer three or more times means the sender will fast-retransmit). The field positions assume default output with -t (no timestamp): $2 is the source, $4 the destination, and the token after the word "ack" the acknowledgement number. Do not add -v, which changes the layout of the line:

tcpdump -i eth0 -nn -t -l 'tcp[tcpflags] & tcp-ack != 0' | \
  awk '{for (i = 1; i <= NF; i++) if ($i == "ack") print $2, $4, $(i+1)}' | \
  sort | uniq -c | sort -rn | head -20

8. Performance Tuning & Precautions

Increase the kernel capture buffer (-B is in KiB, so 4096 is 4 MiB) to reduce drops under load: tcpdump -i eth0 -nn -B 4096 -w /tmp/capture.pcap. Check the "packets dropped by kernel" counter tcpdump prints on exit.

Capture only headers to reduce overhead and disk use: tcpdump -i eth0 -nn -s 100 -w /tmp/headers.pcap (100 bytes covers Ethernet + IPv4 + TCP with typical options, not payloads).

Immediate mode (deliver each packet as it arrives instead of waiting for the capture buffer to fill, at some CPU cost): tcpdump -i eth0 -nn --immediate-mode. When piping output into other tools, -l (line-buffered stdout) is usually what you actually need.

Capture on all interfaces: tcpdump -i any -nn port 80 -w /tmp/all_interfaces.pcap. On Linux, -i any uses the "cooked" LINUX_SLL link type, so the file carries no Ethernet headers, and the capture is not promiscuous.

Exclude loopback addresses: tcpdump -i eth0 -nn 'not host 127.0.0.1 and not host ::1' (only meaningful with -i any or -i lo; such packets never appear on eth0).

Exclude DNS to avoid noise: tcpdump -i eth0 -nn 'port not 53' -w /tmp/no_dns.pcap.

9. Real‑World Cases

Interface timeout investigation – capture traffic to a specific app server and analyse with tshark or Wireshark for RST, retransmissions, latency and HTTP status distribution.

SYN flood detection – count new-connection SYNs per second (using tcpdump's own timestamp, the first 8 characters of field 1) and flag spikes:

tcpdump -i eth0 -nn -l 'tcp[tcpflags] & tcp-syn != 0 and tcp[tcpflags] & tcp-ack == 0' | \
  awk '{count[substr($1, 1, 8)]++} END {for (s in count) print s, count[s]}' | \
  sort -k2 -rn | head

MySQL slow query capture – save to pcap and later analyse in Wireshark with its MySQL dissector. Queries and, on non-TLS connections, the login exchange are in the file in clear, so protect it:

tcpdump -i eth0 -nn -s 0 -w /tmp/mysql.pcap 'port 3306 and host 10.0.2.100'

Redis GET/SET monitoring (keys and values are visible in clear; -l keeps the pipe line-buffered):

tcpdump -i eth0 -nn -l -A -s 0 'port 6379' | grep -E 'GET|SET'

Network loss analysis – save to a file (timestamps are always stored in the pcap; -tttt and -v only affect printed output) and later filter on tcp.analysis.retransmission in Wireshark:

tcpdump -i eth0 -nn -w /tmp/loss.pcap 'host 192.168.1.100'

HTTPS handshake timing (cannot decrypt, but the time from ClientHello to the first encrypted application data is visible in the capture):

tcpdump -i eth0 -nn -s 0 -w /tmp/tls_handshake.pcap 'port 443'

Traffic monitoring script – sum the trailing "length N" field (TCP payload bytes or UDP datagram bytes, not frame size) and print a running total every 100 packets, stamped with the time of the 100th packet:

tcpdump -i eth0 -nn -l | \
  awk '{bytes += $NF} NR % 100 == 0 {printf "%s %.2f MB\n", $1, bytes / 1024 / 1024; bytes = 0}'

Port-scan detection – count new-connection SYNs per source IP (IPv4 only: cut strips the trailing port from host.port):

tcpdump -i eth0 -nn -l 'tcp[tcpflags] & tcp-syn != 0 and tcp[tcpflags] & tcp-ack == 0' | \
  awk '{print $3}' | cut -d. -f1-4 | sort | uniq -c | sort -rn | head -10
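The awk pipelines for duplicate ACKs (section 7), SYN rate and SYN sources (above) all parse the same text format, and the field positions are the fragile part. The following Python is an added example, not part of the original article: it parses default tcpdump -nn lines with a regular expression, re-implements the three counts with explicit thresholds, and runs against a constructed sample (addresses, ports and timestamps are made up; the script name in the docstring is my choice). The port-scan count is extended to report distinct destination ports per source, which separates a scan from a busy client.

```python
"""Added example (not from the article): SYN-rate, port-scan and duplicate-ACK triage over
`tcpdump -nn -l` text lines. Feed real output in with
    tcpdump -i eth0 -nn -l tcp | python3 tcpdump_triage.py
(script name is my choice). The sample below is constructed."""
import re
import sys
from collections import Counter, defaultdict

# One TCP line of default `tcpdump -nn` output, IPv4 or IPv6. Output produced with -v, -tttt
# or -i any (which prefixes In/Out) has a different layout and would need another pattern.
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d)\.\d+ IP6? (\S+) > (\S+): Flags \[([^\]]*)\],?(.*)$")
ACK_RE = re.compile(r"\back (\d+)")


def parse_line(line):
    """Dict for a TCP line, or None for anything else (ARP, ICMP, verbose output)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, src, dst, flags, rest = m.groups()
    src_host, _, src_port = src.rpartition(".")   # -nn prints host.port, for IPv6 as well
    dst_host, _, dst_port = dst.rpartition(".")
    ack = ACK_RE.search(rest)
    return {"sec": sec, "src": src_host, "sport": int(src_port), "dst": dst_host,
            "dport": int(dst_port), "flags": flags, "ack": int(ack.group(1)) if ack else None}


def syn_only(p):
    """Same test as 'tcp-syn set and tcp-ack clear': tcpdump prints the ACK flag as '.'."""
    return "S" in p["flags"] and "." not in p["flags"]


def tcp_packets(lines):
    return [p for p in map(parse_line, lines) if p]


def syn_rate_per_second(lines):
    """SYN-flood view: new-connection attempts bucketed by the capture's own clock second."""
    return Counter(p["sec"] for p in tcp_packets(lines) if syn_only(p))


def syn_sources(lines):
    """Port-scan view: per source host, (SYN count, distinct destination ports).
    Many ports from one host is a scan; many SYNs to one port is load or a flood."""
    syns, ports = Counter(), defaultdict(set)
    for p in tcp_packets(lines):
        if syn_only(p):
            syns[p["src"]] += 1
            ports[p["src"]].add(p["dport"])
    return {host: (syns[host], len(ports[host])) for host in syns}


def duplicate_acks(lines, threshold=3):
    """Loss signal: the same (src, dst, ack number) seen at least `threshold` times.
    Three duplicate ACKs is what makes the sender fast-retransmit (RFC 5681)."""
    seen = Counter((p["src"], p["dst"], p["ack"]) for p in tcp_packets(lines)
                   if p["ack"] is not None)
    return {key: n for key, n in seen.items() if n >= threshold}


# Constructed sample, as seen on the client: its data segment is lost downstream, so the server
# keeps acknowledging 1 (three duplicate ACKs); then one host probes ten ports within a second.
SAMPLE = [
    "10:00:00.000100 IP 10.0.0.5.40001 > 10.0.0.80.80: Flags [S], seq 100, win 64240, length 0",
    "10:00:00.000300 IP 10.0.0.80.80 > 10.0.0.5.40001: Flags [S.], seq 500, ack 101, win 65160, length 0",
    "10:00:00.000400 IP 10.0.0.5.40001 > 10.0.0.80.80: Flags [.], ack 1, win 502, length 0",
    "10:00:00.001000 IP 10.0.0.5.40001 > 10.0.0.80.80: Flags [P.], seq 1:101, ack 1, win 502, length 100",
    "10:00:00.200000 IP 10.0.0.80.80 > 10.0.0.5.40001: Flags [.], ack 1, win 509, length 0",
    "10:00:00.400000 IP 10.0.0.80.80 > 10.0.0.5.40001: Flags [.], ack 1, win 509, length 0",
    "10:00:00.600000 IP 10.0.0.80.80 > 10.0.0.5.40001: Flags [.], ack 1, win 509, length 0",
    "10:00:02.000000 ARP, Request who-has 10.0.0.1 tell 10.0.0.5, length 28",
] + [f"10:00:01.{i * 1000:06d} IP 192.168.1.66.{50000 + i} > 10.0.0.80.{20 + i}: "
     f"Flags [S], seq {i * 7}, win 1024, length 0" for i in range(1, 11)]


if __name__ == "__main__":
    lines = SAMPLE if sys.stdin.isatty() else [line.rstrip("\n") for line in sys.stdin]
    print("SYN per second:", dict(syn_rate_per_second(lines)))
    print("SYN sources (count, distinct ports):", syn_sources(lines))
    print("duplicate ACKs:", duplicate_acks(lines))
```

The regular expression is deliberately strict: a line it does not recognise is dropped rather than miscounted, which is the failure mode of the awk versions when a -v or -i any line shifts the field positions.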

10. Integration with Other Tools

tshark for richer (display) filters, e.g.:

tshark -i eth0 -n -Y 'http.request.method == "POST"' -T fields -e frame.time -e ip.src -e http.request.uri

Remote capture to a local Wireshark via an SSH pipe: tcpdump on the remote host writes the pcap stream to stdout (-w - with -U so each packet is flushed immediately) and Wireshark reads it from stdin. Exclude the SSH session itself in the filter, or the capture feeds on its own output.

termshark – terminal UI for live filtering.

iftop – real-time bandwidth view while tcpdump runs.

11. Security & Permissions

tcpdump needs root, or the CAP_NET_RAW and CAP_NET_ADMIN capabilities (the latter for promiscuous mode): sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump. File capabilities apply to every user who can execute the binary, so pair them with a restricted owner group and mode (for example root:pcap, mode 750) instead of leaving the binary world-executable. After opening the capture device tcpdump can drop privileges to an unprivileged user (-Z user; many distribution builds do this by default), which limits what a bug in a protocol dissector can do.

When capturing production traffic, consider sanitising payloads afterwards or only saving headers (-s 96 or so, enough for Ethernet/IP/TCP headers but not payload).

Encrypt the pcap on the fly (-w - streams the capture to stdout; openssl prompts for a passphrase, and -pbkdf2 replaces the weak legacy key derivation). Decrypt later with the same options plus -d, then gunzip. Note that openssl enc does not authenticate the ciphertext, so this protects confidentiality at rest, not integrity:

tcpdump -i eth0 -nn -w - port 80 | gzip | openssl enc -aes-256-cbc -salt -pbkdf2 -out /tmp/capture.pcap.gz.enc

12. Debugging tcpdump Itself

Show compiled BPF bytecode (-dd prints it as a C array, -ddd as decimal numbers): tcpdump -d 'host 192.168.1.1 and port 80'.

Check that a filter compiles for a saved file's link type (-d compiles and exits without reading packets): tcpdump -r /tmp/capture.pcap -d 'tcp port 80'. To test the filter against the file's packets, run it without -d: tcpdump -nn -r /tmp/capture.pcap 'tcp port 80' | head.

Version and interface list: tcpdump --version and tcpdump -D.

13. Common Pitfalls & Solutions

Huge pcap files – split with editcap -c 100000 huge.pcap split.pcap (100,000 packets per output file).

SSH disconnect – printing your own session's SSH packets creates a feedback loop: each line printed generates more SSH traffic, which is captured and printed in turn. Exclude it with 'not port 22' or 'not host <your client IP>', and run under screen / tmux so the capture survives a dropped session.

High CPU – lower priority with nice -n 19 tcpdump … or tighten filters; the BPF filter runs in the kernel, so a precise expression is cheaper than post-filtering in user space.

Sampling via a checksum bit to reduce volume (roughly 50 %, statistically; flows are split at random, so this suits volume estimates, not following a connection):

tcpdump -i eth0 -nn 'ip[10] & 1 = 1' -w /tmp/sample.pcap

Disk space limit: tcpdump -i eth0 -nn -w /tmp/capture.pcap -C 50 -W 10 (ring of 10 files of 50,000,000 bytes; oldest overwritten).

Nanosecond timestamps (newer versions; files are written with the nanosecond pcap magic, which older readers may reject): tcpdump -i eth0 -nn -tttt --time-stamp-precision=nano.

14. Final Principles

Assess impact before capturing in production; on high-traffic hosts the capture itself costs CPU, memory and disk.

Never use -A or -X directly on production: printing every payload is slow and dumps credentials and other secrets into the terminal and any session log. Save to a file first and inspect offline.

Always exclude your own SSH session (or use a session manager such as tmux) to avoid the print-capture feedback loop and accidental disconnects.

Limit file size with -C and -W to prevent disk exhaustion.

Write precise BPF filters to reduce noise; the filter runs in the kernel, so tighter filters also mean fewer dropped packets.

Mask or encrypt sensitive data to protect privacy; a pcap of production traffic is itself sensitive and should be access-controlled and deleted when the investigation ends.

Use Wireshark for deep analysis; treat tcpdump as a fast-path diagnostic tool.

Regularly clean old pcap files to keep servers tidy.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: performance tuning, network troubleshooting, Linux, security, packet capture, tcpdump, BPF filters
Written by

dbaplus Community

Enterprise-level professional community for Database, BigData, and AIOps. Daily original articles, weekly online tech talks, monthly offline salons, and quarterly XCOPS&DAMS conferences—delivered by industry experts.
