# tcpdump — Analyze Network Traffic from the Command Line

> Practical guide to tcpdump — the classic CLI packet analyzer: capture network traffic, apply BPF filters and debug protocols.

Source: https://www.jpkc.com/db/en/cheatsheets/networking/tcpdump/

tcpdump is the classic command-line packet analyzer: BPF filters let you narrow a capture to exactly the traffic you care about – a single host, a specific port, or a particular TCP flag state. Whether you are diagnosing a network issue, debugging a protocol, or investigating suspicious traffic, tcpdump delivers the raw data straight from the kernel, no GUI required.

## Basic Capture

`tcpdump` — Capture all packets on the default interface. Requires root.

```bash
sudo tcpdump
```

`tcpdump -i INTERFACE` — Capture on a specific interface.

```bash
sudo tcpdump -i eth0
```

`tcpdump -i any` — Capture on all interfaces simultaneously.

```bash
sudo tcpdump -i any
```

`tcpdump -c COUNT` — Capture a specific number of packets and stop.

```bash
sudo tcpdump -c 100
```

`tcpdump -D` — List all available network interfaces for capturing.

```bash
tcpdump -D
```

## Output Options

`tcpdump -n` — Numeric output — do not resolve hostnames.

```bash
sudo tcpdump -n
```

`tcpdump -nn` — Do not resolve hostnames or port names.

```bash
sudo tcpdump -nn
```

`tcpdump -v` — Verbose output — show TTL, identification, total length, IP options.

```bash
sudo tcpdump -v
```

`tcpdump -vv` — More verbose — additional protocol-level details.

```bash
sudo tcpdump -vv
```

`tcpdump -vvv` — Maximum verbosity.

```bash
sudo tcpdump -vvv
```

`tcpdump -q` — Quiet output — print less protocol information per line.

```bash
sudo tcpdump -q
```

`tcpdump -e` — Show link-layer (Ethernet) header information (MAC addresses).

```bash
sudo tcpdump -e
```

`tcpdump -t` — Do not print timestamps.

```bash
sudo tcpdump -t
```

`tcpdump -tt` — Print UNIX epoch timestamps.

```bash
sudo tcpdump -tt
```

`tcpdump -ttt` — Print time delta between packets.

```bash
sudo tcpdump -ttt
```

`tcpdump -tttt` — Print human-readable date and time.

```bash
sudo tcpdump -tttt
```

## Packet Content Display

`tcpdump -X` — Print packet data in hex and ASCII.

```bash
sudo tcpdump -X -c 5
```

`tcpdump -XX` — Print packet data in hex and ASCII, including the link-layer header.

```bash
sudo tcpdump -XX -c 5
```

`tcpdump -A` — Print packet data in ASCII only. Useful for reading HTTP traffic.

```bash
sudo tcpdump -A port 80
```

`tcpdump -s SIZE` — Set the capture snapshot length in bytes (default: 262144). Use 0 for full packets.

```bash
sudo tcpdump -s 0
```

`tcpdump -s 96` — Capture only headers (96 bytes). Saves space for large captures.

```bash
sudo tcpdump -s 96
```

## File Operations

`tcpdump -w FILE` — Write captured packets to a pcap file.

```bash
sudo tcpdump -w capture.pcap
```

`tcpdump -r FILE` — Read and display packets from a pcap file.

```bash
tcpdump -r capture.pcap
```

`tcpdump -r FILE -nn` — Read a pcap file with numeric output.

```bash
tcpdump -r capture.pcap -nn
```

`tcpdump -w FILE -C SIZE_MB` — Rotate capture files after SIZE megabytes.

```bash
sudo tcpdump -w capture.pcap -C 100
```

`tcpdump -w FILE -W COUNT -C SIZE_MB` — Rotate through COUNT files, each up to SIZE MB (ring buffer).

```bash
sudo tcpdump -w capture.pcap -W 5 -C 100
```

`tcpdump -w FILE -G SECONDS` — Rotate capture files every SECONDS. Use strftime format in filename.

```bash
sudo tcpdump -w capture_%Y%m%d_%H%M%S.pcap -G 3600
```

## BPF Filters — Host & Network

`tcpdump host HOST` — Capture traffic to or from a specific host.

```bash
sudo tcpdump host 192.168.1.1
```

`tcpdump src host HOST` — Capture traffic from a specific source.

```bash
sudo tcpdump src host 192.168.1.100
```

`tcpdump dst host HOST` — Capture traffic to a specific destination.

```bash
sudo tcpdump dst host 8.8.8.8
```

`tcpdump net NETWORK/CIDR` — Capture traffic to or from a network.

```bash
sudo tcpdump net 192.168.1.0/24
```

`tcpdump src net NETWORK/CIDR` — Capture traffic from a network.

```bash
sudo tcpdump src net 10.0.0.0/8
```

## BPF Filters — Port & Protocol

`tcpdump port PORT` — Capture traffic on a specific port (TCP and UDP).

```bash
sudo tcpdump port 80
```

`tcpdump src port PORT` — Capture traffic from a specific source port.

```bash
sudo tcpdump src port 443
```

`tcpdump dst port PORT` — Capture traffic to a specific destination port.

```bash
sudo tcpdump dst port 22
```

`tcpdump portrange START-END` — Capture traffic on a range of ports.

```bash
sudo tcpdump portrange 8000-9000
```

`tcpdump tcp` — Capture TCP traffic only.

```bash
sudo tcpdump tcp
```

`tcpdump udp` — Capture UDP traffic only.

```bash
sudo tcpdump udp
```

`tcpdump icmp` — Capture ICMP traffic only.

```bash
sudo tcpdump icmp
```

`tcpdump arp` — Capture ARP traffic only.

```bash
sudo tcpdump arp
```

`tcpdump ip6` — Capture IPv6 traffic only.

```bash
sudo tcpdump ip6
```

## BPF Filters — Combining

`tcpdump host HOST and port PORT` — Combine filters with AND.

```bash
sudo tcpdump host 192.168.1.1 and port 80
```

`tcpdump port 80 or port 443` — Combine filters with OR.

```bash
sudo tcpdump port 80 or port 443
```

`tcpdump not port PORT` — Exclude specific traffic with NOT.

```bash
sudo tcpdump not port 22
```

`tcpdump 'host HOST and (port 80 or port 443)'` — Use parentheses for grouping (quote the expression).

```bash
sudo tcpdump 'host 192.168.1.1 and (port 80 or port 443)'
```

`tcpdump 'not (port 22 or port 53)'` — Exclude multiple ports.

```bash
sudo tcpdump 'not (port 22 or port 53)'
```

## Advanced Filters

`tcpdump 'tcp[tcpflags] & (tcp-syn) != 0'` — Capture only TCP SYN packets (new connections).

```bash
sudo tcpdump 'tcp[tcpflags] & (tcp-syn) != 0'
```

`tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'` — Capture only initial SYN packets (SYN without ACK).

```bash
sudo tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'
```

`tcpdump 'tcp[tcpflags] & (tcp-rst) != 0'` — Capture TCP RST (reset) packets. Useful for finding refused connections.

```bash
sudo tcpdump 'tcp[tcpflags] & (tcp-rst) != 0'
```

`tcpdump 'tcp[tcpflags] & (tcp-fin) != 0'` — Capture TCP FIN packets (connection closures).

```bash
sudo tcpdump 'tcp[tcpflags] & (tcp-fin) != 0'
```
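The four expressions above all read the same byte, `tcp[13]`, and mask it against the flag bit values. The Python script below is an added illustration, not part of the original cheat sheet: it builds a constructed five-segment TCP exchange (handshake, FIN, RST) as raw headers, applies each page filter to that byte, and writes the frames to a classic pcap so `tcpdump -r` can confirm the same matches. Addresses, ports and MAC addresses are made up; the TCP checksum is left at zero.

```python
import socket
import struct
# Bit values behind tcpdump's tcp-fin, tcp-syn, tcp-rst, tcp-psh and tcp-ack keywords.
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10
CLIENT, SERVER = "10.0.0.5", "10.0.0.9"  # constructed addresses for the sample flow

def build_tcp(src_port, dst_port, flags):
    """20-byte TCP header, no options, TCP checksum left zero; byte 13 is the flags byte."""
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 0, 5 << 4, flags, 65535, 0, 0)

# One Python predicate per BPF expression quoted on the page, applied to tcp[13].
FILTERS = {
    "tcp[tcpflags] & (tcp-syn) != 0":               lambda f: (f & TCP_SYN) != 0,
    "tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn": lambda f: (f & (TCP_SYN | TCP_ACK)) == TCP_SYN,
    "tcp[tcpflags] & (tcp-rst) != 0":               lambda f: (f & TCP_RST) != 0,
    "tcp[tcpflags] & (tcp-fin) != 0":               lambda f: (f & TCP_FIN) != 0,
}
# Constructed handshake, teardown and abort between CLIENT:40000 and SERVER:80.
SEGMENTS = [
    ("client SYN",     CLIENT, SERVER, build_tcp(40000, 80, TCP_SYN)),
    ("server SYN-ACK", SERVER, CLIENT, build_tcp(80, 40000, TCP_SYN | TCP_ACK)),
    ("client ACK",     CLIENT, SERVER, build_tcp(40000, 80, TCP_ACK)),
    ("client FIN-ACK", CLIENT, SERVER, build_tcp(40000, 80, TCP_FIN | TCP_ACK)),
    ("server RST",     SERVER, CLIENT, build_tcp(80, 40000, TCP_RST | TCP_ACK)),
]

def matching_segments(expr):
    """Names of the constructed segments the given page filter would select."""
    return [name for name, _, _, hdr in SEGMENTS if FILTERS[expr](hdr[13])]

def ipv4_checksum(header):
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_frame(src_ip, dst_ip, tcp):
    """Ethernet II + IPv4 header around the TCP header, IP checksum filled in."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return b"\xaa\xbb\xcc\xdd\xee\xff" + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00" + ip + tcp

def write_pcap(path, segments=SEGMENTS):
    """Classic pcap (link type 1 = Ethernet) that `tcpdump -r PATH` can read."""
    with open(path, "wb") as fh:
        fh.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i, (_, src, dst, hdr) in enumerate(segments):
            frame = build_frame(src, dst, hdr)
            fh.write(struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame)
    return len(segments)
```

Call `write_pcap("flags_demo.pcap")` and then run `tcpdump -r flags_demo.pcap -nn 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'`; it should print only the client SYN, and `-v` will report the zero TCP checksum as bad without affecting the match.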

`tcpdump greater SIZE` — Capture only packets larger than SIZE bytes.

```bash
sudo tcpdump greater 500
```

`tcpdump less SIZE` — Capture only packets smaller than SIZE bytes.

```bash
sudo tcpdump less 100
```

`tcpdump ether host MAC` — Capture traffic to/from a specific MAC address.

```bash
sudo tcpdump ether host aa:bb:cc:dd:ee:ff
```

`tcpdump vlan VLANID` — Capture traffic on a specific VLAN.

```bash
sudo tcpdump vlan 100
```

## Common Capture Patterns

`tcpdump -i eth0 -nn -c 100 -w capture.pcap` — Quick capture: 100 packets, numeric, saved to file.

```bash
sudo tcpdump -i eth0 -nn -c 100 -w capture.pcap
```

`tcpdump -i any -nn port 80 -A` — Watch HTTP traffic in ASCII on all interfaces.

```bash
sudo tcpdump -i any -nn port 80 -A
```

`tcpdump -i any -nn port 53` — Monitor DNS queries and responses.

```bash
sudo tcpdump -i any -nn port 53
```

`tcpdump -i eth0 -nn icmp` — Monitor ICMP traffic (ping, traceroute, unreachable).

```bash
sudo tcpdump -i eth0 -nn icmp
```

`tcpdump -i any -nn 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'` — Watch all new incoming TCP connections.

```bash
sudo tcpdump -i any -nn 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'
```

`tcpdump -i any -nn host HOST and not port 22` — Monitor all traffic to/from a host except SSH.

```bash
sudo tcpdump -i any -nn host 192.168.1.1 and not port 22
```

`tcpdump -r capture.pcap -nn 'tcp[tcpflags] & (tcp-rst) != 0'` — Find RST packets in a captured file.

```bash
tcpdump -r capture.pcap -nn 'tcp[tcpflags] & (tcp-rst) != 0'
```

`tcpdump -i eth0 -tttt -nn -s0 -w long_capture.pcap &` — Background capture with timestamps and full packet data.

```bash
sudo tcpdump -i eth0 -tttt -nn -s0 -w long_capture.pcap &
```
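Once a capture has been reduced with `-nn` and a flag filter, the next step is usually counting. The script below is an added example, not from the original page, that parses tcpdump's text output (constructed sample lines) and applies the page's SYN-without-ACK and RST filters to it: bare SYNs per source with the number of distinct destination ports they touched, and RSTs per sending host:port. It assumes exactly one timestamp token before `IP`, so default or `-tt` timestamps, and no interface column from `-i any`.

```python
import re
from collections import Counter, defaultdict
# Start of a tcpdump -nn line for one TCP segment (IPv4 or IPv6). Lines without a
# "Flags [...]" field (UDP, ICMP, ARP) do not match and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP6? (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]")

def parse_line(line):
    """One tcpdump -nn TCP line -> dict of ts/src/sport/dst/dport/flags, else None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def summarize(lines):
    """The page's two triage filters applied to text output instead of packets:
    bare SYNs ([S], not [S.]) per source, and RSTs per sending host:port."""
    syn_by_src, rst_by_sender = Counter(), Counter()
    syn_ports_by_src = defaultdict(set)
    for rec in filter(None, map(parse_line, lines)):
        flags = rec["flags"]
        if "S" in flags and "." not in flags:   # tcp-syn set and tcp-ack clear
            syn_by_src[rec["src"]] += 1
            syn_ports_by_src[rec["src"]].add(rec["dport"])
        if "R" in flags:                        # tcp[tcpflags] & (tcp-rst) != 0
            rst_by_sender[f"{rec['src']}:{rec['sport']}"] += 1
    return {
        "syn_by_src": dict(syn_by_src),
        "distinct_ports_by_src": {s: len(p) for s, p in syn_ports_by_src.items()},
        "rst_by_sender": dict(rst_by_sender),
    }

# Constructed tcpdump -nn output: one normal handshake, a three-port probe from
# 10.0.0.77 answered by two RSTs, and a DNS line that the TCP-only regex ignores.
SAMPLE_OUTPUT = """\
14:03:12.000100 IP 10.0.0.5.40000 > 10.0.0.9.80: Flags [S], seq 1, win 64240, length 0
14:03:12.000300 IP 10.0.0.9.80 > 10.0.0.5.40000: Flags [S.], seq 9, ack 2, win 65160, length 0
14:03:15.100000 IP 10.0.0.77.51001 > 10.0.0.9.22: Flags [S], seq 5, win 1024, length 0
14:03:15.100200 IP 10.0.0.77.51002 > 10.0.0.9.23: Flags [S], seq 6, win 1024, length 0
14:03:15.100300 IP 10.0.0.9.23 > 10.0.0.77.51002: Flags [R.], seq 0, ack 7, win 0, length 0
14:03:15.100400 IP 10.0.0.77.51003 > 10.0.0.9.3389: Flags [S], seq 7, win 1024, length 0
14:03:15.100500 IP 10.0.0.9.3389 > 10.0.0.77.51003: Flags [R.], seq 0, ack 8, win 0, length 0
14:03:16.000000 IP 10.0.0.5.41000 > 10.0.0.9.53: 12345+ A? example.com. (29)
""".splitlines()
if __name__ == "__main__":
    import json, sys
    print(json.dumps(summarize(sys.stdin), indent=2))  # tcpdump -r capture.pcap -nn tcp | python3 triage.py
```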

## Conclusion

tcpdump is indispensable when you need to know what is actually crossing the wire – no logging framework gives you that picture more reliably. Save captures with `-w` as a pcap file and open them later in Wireshark for deeper analysis. For quick triage on a remote server, tcpdump alone is enough.

## Further Reading

- [tcpdump – official project site](https://www.tcpdump.org/) – downloads and documentation
- [tcpdump(1) – manual page](https://www.tcpdump.org/manpages/tcpdump.1.html) – all options and BPF filter reference
- [tcpdump – Wikipedia](https://en.wikipedia.org/wiki/Tcpdump) – background and history

## Related Commands

- [nmap](https://www.jpkc.com/db/en/cheatsheets/networking/nmap/) – scan networks and discover open ports
- [iftop](https://www.jpkc.com/db/en/cheatsheets/networking/iftop/) – display bandwidth usage per host in real time
- [socat](https://www.jpkc.com/db/en/cheatsheets/networking/socat/) – connect and debug bidirectional data streams

