tcpdump is a command-line packet analyzer that captures and displays network traffic in real time. It is invaluable for debugging connectivity issues, analyzing protocols, and investigating security incidents.
Basic Capture

```bash
# Capture all traffic on eth0
sudo tcpdump -i eth0
# Capture with human-readable timestamps (date and time per packet)
sudo tcpdump -i eth0 -tttt
# Capture and save to a file (for later analysis in Wireshark)
sudo tcpdump -i eth0 -w /tmp/capture.pcap
# Read a capture file
sudo tcpdump -r /tmp/capture.pcap
```

Filtering Traffic
```bash
# Filter by host
sudo tcpdump -i eth0 host 192.168.1.100
# Filter by port
sudo tcpdump -i eth0 port 80
sudo tcpdump -i eth0 port 443
# Filter by protocol
sudo tcpdump -i eth0 tcp
sudo tcpdump -i eth0 udp
sudo tcpdump -i eth0 icmp
# Filter by source or destination
sudo tcpdump -i eth0 src 192.168.1.100
sudo tcpdump -i eth0 dst port 3306
# Combine filters with and/or/not
sudo tcpdump -i eth0 host 192.168.1.100 and port 80
sudo tcpdump -i eth0 port 80 or port 443
sudo tcpdump -i eth0 not port 22
```

Useful Options
```bash
# Show packet contents in ASCII
sudo tcpdump -i eth0 -A port 80
# Show packet contents in hex and ASCII
sudo tcpdump -i eth0 -X port 80
# Limit capture to N packets
sudo tcpdump -i eth0 -c 100 port 80
# Do not resolve hostnames or port names (faster, and no reverse-DNS traffic of its own)
sudo tcpdump -i eth0 -n port 80
# Verbose output
sudo tcpdump -i eth0 -v port 443
# Capture only the first N bytes of each packet (snap length)
sudo tcpdump -i eth0 -s 128 port 80
```

Practical Examples
```bash
# Debug HTTP requests (see headers); -l line-buffers stdout so grep shows matches as they arrive
sudo tcpdump -i eth0 -l -A -s 0 port 80 | grep -E "GET|POST|Host:|HTTP/"
# Monitor DNS queries
sudo tcpdump -i eth0 -n port 53
# Watch TCP handshakes and teardowns (packets with SYN or FIN set)
sudo tcpdump -i eth0 "tcp[tcpflags] & (tcp-syn|tcp-fin) != 0"
# Look for SYN floods: bare SYNs only (SYN-ACKs have ACK set too), stop after 1000 packets
sudo tcpdump -i eth0 -c 1000 "tcp[tcpflags] == tcp-syn"
# Monitor traffic to a specific server
sudo tcpdump -i eth0 dst host 10.0.0.5 and port 3306
# Capture only large packets (potential data exfiltration)
sudo tcpdump -i eth0 greater 1000
```

Security Considerations
- tcpdump can capture passwords in plaintext (HTTP, FTP, Telnet)
- Limit captures to specific ports and hosts to avoid capturing sensitive data
- Store capture files securely and delete when no longer needed
- Use on production only when necessary — it adds CPU overhead
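Putting the SYN-flood filter from Practical Examples to work, as an added example that is not part of the original page: it parses the text output of `tcpdump -n -tttt`, keeps only bare SYNs (flags `[S]`, not the `[S.]` of a SYN-ACK), and reports any source whose SYN count inside a sliding one-second window reaches a threshold. The sample lines are constructed, and the line layout is assumed from tcpdump's default IPv4/TCP printer.

```python
import re
import sys
from collections import defaultdict
from datetime import datetime

# One line of `tcpdump -n -tttt` IPv4/TCP output (layout assumed from tcpdump's default printer).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def parse_line(line):
    """Fields of one tcpdump TCP line, or None if the line is not IPv4/TCP text output."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["ts"] = datetime.strptime(pkt["ts"], "%Y-%m-%d %H:%M:%S.%f")
    return pkt

def syn_flood_sources(lines, threshold, window_seconds=1.0):
    """Source IP -> peak bare-SYN count in any sliding window, for sources at or above threshold."""
    syn_times = defaultdict(list)
    for line in lines:
        pkt = parse_line(line)
        if pkt is None or pkt["flags"] != "S":  # "S." is a SYN-ACK reply, not a new attempt
            continue
        syn_times[pkt["src"]].append(pkt["ts"])
    suspects = {}
    for src, times in syn_times.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1  # slide the window forward until it spans at most window_seconds
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            suspects[src] = peak
    return suspects

# Constructed sample: one normal handshake plus 30 bare SYNs from a single source inside 0.3 s.
SAMPLE = [
    "2024-05-01 12:00:00.050000 IP 192.168.1.100.51234 > 10.0.0.5.80: Flags [S], seq 1, win 64240, length 0",
    "2024-05-01 12:00:00.050500 IP 10.0.0.5.80 > 192.168.1.100.51234: Flags [S.], seq 2, ack 2, win 65160, length 0",
    "2024-05-01 12:00:00.051000 IP 192.168.1.100.51234 > 10.0.0.5.80: Flags [.], ack 3, win 64240, length 0",
] + [f"2024-05-01 12:00:00.{i * 10000:06d} IP 203.0.113.7.{40000 + i} > 10.0.0.5.80: Flags [S], seq {i}, win 64240, length 0" for i in range(30)]

if __name__ == "__main__":  # pipe `sudo tcpdump -l -n -tttt "tcp[tcpflags] == tcp-syn"` in, else use SAMPLE
    lines = sys.stdin if not sys.stdin.isatty() else SAMPLE
    print(syn_flood_sources(lines, threshold=20))
```

The same parser works on a saved capture replayed with `tcpdump -n -tttt -r /tmp/capture.pcap`, so a suspected flood can be reviewed offline after the fact.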