What is tcpdump?
tcpdump captures and analyzes network packets in real time. It is the essential tool for debugging network issues, verifying firewall rules, and understanding traffic patterns. Live capture needs root (or CAP_NET_RAW), and a capture records whatever crosses the interface — including cleartext credentials, session cookies and API tokens — so treat both the live output and any saved capture file as sensitive data.
Basic Captures
# Capture on a specific interface (requires root or CAP_NET_RAW, hence sudo)
sudo tcpdump -i eth0
# Stop after 100 packets, so an unattended capture cannot grow without bound
sudo tcpdump -i eth0 -c 100
# Don't resolve hostnames: faster, and avoids a reverse-DNS lookup for every address
# seen, which is slow and tells your resolver which hosts you are watching
# (-nn additionally skips port-to-service-name lookups)
sudo tcpdump -i eth0 -n
Filter by Protocol and Port
# Port 80 traffic, both directions. This matches by port, not by protocol:
# HTTP served on another port is missed, and anything else on port 80 is included.
sudo tcpdump -i eth0 port 80
# Port 443 traffic. Payloads are TLS-encrypted, so expect handshake and
# connection metadata, not request/response content.
sudo tcpdump -i eth0 port 443
# DNS queries and responses, over both UDP and TCP (port 53 matches either)
sudo tcpdump -i eth0 port 53
# SSH traffic (port-based, like the filters above)
sudo tcpdump -i eth0 port 22
Filter by Host
# Traffic to or from a specific IP, in both directions
# (198.51.100.0/24 is a documentation range — substitute the real address)
sudo tcpdump -i eth0 host 198.51.100.10
# Traffic whose source address is the given IP only
sudo tcpdump -i eth0 src 198.51.100.10
# Traffic whose destination address is the given IP only
sudo tcpdump -i eth0 dst 198.51.100.10
Save to File
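# Save the raw capture for later analysis. The file holds full packet payloads
# (credentials, cookies, tokens), so restrict its permissions and handle it
# like any other secret-bearing artifact.
sudo tcpdump -i eth0 -w capture.pcap
# Read a saved capture. -nn disables reverse-DNS and service-name lookups,
# which would otherwise fire for every address in the file: slow, and it tells
# your resolver which hosts you are investigating. Reading needs no root.
tcpdump -nn -r capture.pcap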
# Open capture.pcap in Wireshark for GUI analysis
Useful Combinations
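# HTTP POST requests (IPv4 only: the expression reads IPv4 header fields).
# The BPF filter keeps TCP segments that actually carry payload:
#   IP total length - IP header length - TCP header length != 0
# The "<<" shift and the TCP-header term are required; without them the filter
# is either a syntax error or matches every segment on port 80.
# -A prints the payload as ASCII; -l line-buffers stdout so grep sees each
# packet as it arrives instead of when tcpdump's output buffer fills.
# grep -i POST is a loose substring match and will also hit "post" in page bodies.
sudo tcpdump -i eth0 -l -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -i POST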
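# Initial SYN packets only (new connection attempts). Masking with
# (tcp-syn|tcp-ack) and comparing against tcp-syn excludes the server's
# SYN-ACK replies, which the looser "tcp[tcpflags] & tcp-syn != 0" form
# would also count as an "attempt".
sudo tcpdump -i eth0 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'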