tcpdump — Analyze Network Traffic from the Command Line

Practical guide to tcpdump — the classic CLI packet analyzer: capture network traffic, apply BPF filters and debug protocols.

tcpdump is the classic command-line packet analyzer: BPF filters let you narrow a capture to exactly the traffic you care about – a single host, a specific port, or a particular TCP flag state. Whether you are diagnosing a network issue, debugging a protocol, or investigating suspicious traffic, tcpdump delivers the raw data straight from the kernel, no GUI required.

Basic Capture

tcpdump — Capture all packets on the default interface. Requires root.

sudo tcpdump

tcpdump -i INTERFACE — Capture on a specific interface.

sudo tcpdump -i eth0

tcpdump -i any — Capture on all interfaces simultaneously.

sudo tcpdump -i any

tcpdump -c COUNT — Capture a specific number of packets and stop.

sudo tcpdump -c 100

tcpdump -D — List all available network interfaces for capturing.

tcpdump -D

Output Options

tcpdump -n — Numeric output — do not resolve hostnames.

sudo tcpdump -n

tcpdump -nn — Do not resolve hostnames or port names.

sudo tcpdump -nn

tcpdump -v — Verbose output — show TTL, identification, total length, IP options.

sudo tcpdump -v

tcpdump -vv — More verbose — additional protocol-level details.

sudo tcpdump -vv

tcpdump -vvv — Maximum verbosity.

sudo tcpdump -vvv

tcpdump -q — Quiet output — print less protocol information per line.

sudo tcpdump -q

tcpdump -e — Show link-layer (Ethernet) header information (MAC addresses).

sudo tcpdump -e

tcpdump -t — Do not print timestamps.

sudo tcpdump -t

tcpdump -tt — Print UNIX epoch timestamps.

sudo tcpdump -tt

tcpdump -ttt — Print time delta between packets.

sudo tcpdump -ttt

tcpdump -tttt — Print human-readable date and time.

sudo tcpdump -tttt

Packet Content Display

tcpdump -X — Print packet data in hex and ASCII.

sudo tcpdump -X -c 5

tcpdump -XX — Print packet data in hex and ASCII, including the link-layer header.

sudo tcpdump -XX -c 5

tcpdump -A — Print packet data in ASCII only. Useful for reading HTTP traffic.

sudo tcpdump -A port 80

tcpdump -s SIZE — Set the capture snapshot length in bytes (default: 262144). Use 0 for full packets.

sudo tcpdump -s 0

tcpdump -s 96 — Capture only headers (96 bytes). Saves space for large captures.

sudo tcpdump -s 96

File Operations

tcpdump -w FILE — Write captured packets to a pcap file.

sudo tcpdump -w capture.pcap

tcpdump -r FILE — Read and display packets from a pcap file.

tcpdump -r capture.pcap

tcpdump -r FILE -nn — Read a pcap file with numeric output.

tcpdump -r capture.pcap -nn

tcpdump -w FILE -C SIZE_MB — Rotate capture files after SIZE megabytes.

sudo tcpdump -w capture.pcap -C 100

tcpdump -w FILE -W COUNT -C SIZE_MB — Rotate through COUNT files, each up to SIZE MB (ring buffer).

sudo tcpdump -w capture.pcap -W 5 -C 100

tcpdump -w FILE -G SECONDS — Rotate capture files every SECONDS seconds. Use strftime format specifiers in the filename; without them, each rotation overwrites the same file.

sudo tcpdump -w capture_%Y%m%d_%H%M%S.pcap -G 3600

BPF Filters — Host & Network

tcpdump host HOST — Capture traffic to or from a specific host.

sudo tcpdump host 192.168.1.1

tcpdump src host HOST — Capture traffic from a specific source.

sudo tcpdump src host 192.168.1.100

tcpdump dst host HOST — Capture traffic to a specific destination.

sudo tcpdump dst host 8.8.8.8

tcpdump net NETWORK/CIDR — Capture traffic to or from a network.

sudo tcpdump net 192.168.1.0/24

tcpdump src net NETWORK/CIDR — Capture traffic from a network.

sudo tcpdump src net 10.0.0.0/8

BPF Filters — Port & Protocol

tcpdump port PORT — Capture traffic on a specific port (TCP and UDP).

sudo tcpdump port 80

tcpdump src port PORT — Capture traffic from a specific source port.

sudo tcpdump src port 443

tcpdump dst port PORT — Capture traffic to a specific destination port.

sudo tcpdump dst port 22

tcpdump portrange START-END — Capture traffic on a range of ports.

sudo tcpdump portrange 8000-9000

tcpdump tcp — Capture TCP traffic only.

sudo tcpdump tcp

tcpdump udp — Capture UDP traffic only.

sudo tcpdump udp

tcpdump icmp — Capture ICMP traffic only.

sudo tcpdump icmp

tcpdump arp — Capture ARP traffic only.

sudo tcpdump arp

tcpdump ip6 — Capture IPv6 traffic only.

sudo tcpdump ip6

BPF Filters — Combining

tcpdump host HOST and port PORT — Combine filters with AND.

sudo tcpdump host 192.168.1.1 and port 80

tcpdump port 80 or port 443 — Combine filters with OR.

sudo tcpdump port 80 or port 443

tcpdump not port PORT — Exclude specific traffic with NOT.

sudo tcpdump not port 22

tcpdump 'host HOST and (port 80 or port 443)' — Use parentheses for grouping (quote the expression).

sudo tcpdump 'host 192.168.1.1 and (port 80 or port 443)'

tcpdump 'not (port 22 or port 53)' — Exclude multiple ports.

sudo tcpdump 'not (port 22 or port 53)'

Advanced Filters

tcpdump 'tcp[tcpflags] & (tcp-syn) != 0' — Capture TCP packets with the SYN flag set (both SYN and SYN-ACK, i.e. connection setup).

sudo tcpdump 'tcp[tcpflags] & (tcp-syn) != 0'

tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn' — Capture only initial SYN packets (SYN without ACK).

sudo tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'

tcpdump 'tcp[tcpflags] & (tcp-rst) != 0' — Capture TCP RST (reset) packets. Useful for finding refused connections.

sudo tcpdump 'tcp[tcpflags] & (tcp-rst) != 0'

tcpdump 'tcp[tcpflags] & (tcp-fin) != 0' — Capture TCP FIN packets (connection closures).

sudo tcpdump 'tcp[tcpflags] & (tcp-fin) != 0'

tcpdump greater SIZE — Capture only packets of at least SIZE bytes (length >= SIZE).

sudo tcpdump greater 500

tcpdump less SIZE — Capture only packets of at most SIZE bytes (length <= SIZE).

sudo tcpdump less 100

tcpdump ether host MAC — Capture traffic to/from a specific MAC address.

sudo tcpdump ether host aa:bb:cc:dd:ee:ff

tcpdump vlan VLANID — Capture traffic on a specific VLAN.

sudo tcpdump vlan 100
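To show what the tcpflags filters above actually test, here is an added Python example (not part of this guide or of tcpdump itself) that builds a few constructed Ethernet/IPv4/TCP frames, reads the byte tcpdump means by tcp[tcpflags] (offset 13 of the TCP header, located via the IPv4 IHL field), and applies the four expressions to them:

```python
import struct

# Bit values of the TCP flags; tcpdump's tcp-fin, tcp-syn, tcp-rst and tcp-ack
# are named constants for exactly these bits of the flags byte (tcp[13]).
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10
ETH_LEN = 14  # plain Ethernet link-layer header


def build_frame(flags, payload=b""):
    """Build a minimal Ethernet/IPv4/TCP frame (constructed sample, not real traffic)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([192, 168, 1, 100]), bytes([192, 168, 1, 1]))
    eth = bytes.fromhex("aabbccddeeff") + bytes.fromhex("112233445566") + b"\x08\x00"
    return eth + ip + tcp


def tcp_flags(frame):
    """The byte tcpdump evaluates for tcp[tcpflags]: TCP header offset 13.

    The index is relative to the transport header, so the IPv4 header length
    (IHL field) decides where the TCP header starts inside the frame."""
    ihl = (frame[ETH_LEN] & 0x0F) * 4
    return frame[ETH_LEN + ihl + 13]


# The page's four tcpflags expressions as predicates over a raw frame.
FILTERS = {
    "tcp[tcpflags] & (tcp-syn) != 0": lambda f: (tcp_flags(f) & TCP_SYN) != 0,
    "tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn": lambda f: (tcp_flags(f) & (TCP_SYN | TCP_ACK)) == TCP_SYN,
    "tcp[tcpflags] & (tcp-rst) != 0": lambda f: (tcp_flags(f) & TCP_RST) != 0,
    "tcp[tcpflags] & (tcp-fin) != 0": lambda f: (tcp_flags(f) & TCP_FIN) != 0,
}


def sample_frames():
    """Constructed handshake, one data segment, a FIN close and a reset."""
    return [
        build_frame(TCP_SYN),                                            # 0: client SYN
        build_frame(TCP_SYN | TCP_ACK),                                  # 1: server SYN-ACK
        build_frame(TCP_ACK),                                            # 2: handshake ACK
        build_frame(TCP_PSH | TCP_ACK, b"GET / HTTP/1.0\r\n\r\n"),       # 3: data
        build_frame(TCP_FIN | TCP_ACK),                                  # 4: close
        build_frame(TCP_RST),                                            # 5: reset
    ]


def apply_filter(expr, frames):
    """Indices of the frames the given tcpdump expression would select."""
    return [i for i, f in enumerate(frames) if FILTERS[expr](f)]


if __name__ == "__main__":
    frames = sample_frames()
    for expr in FILTERS:
        print(f"{expr:48} -> frames {apply_filter(expr, frames)}")
```

Note that the plain tcp-syn test selects both the SYN and the SYN-ACK, while masking with (tcp-syn|tcp-ack) and comparing to tcp-syn keeps only the initial SYN.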

Common Capture Patterns

tcpdump -i eth0 -nn -c 100 -w capture.pcap — Quick capture: 100 packets, numeric, saved to file.

sudo tcpdump -i eth0 -nn -c 100 -w capture.pcap

tcpdump -i any -nn -A port 80 — Watch HTTP traffic in ASCII on all interfaces (options go before the filter expression; some getopt implementations do not accept them after it).

sudo tcpdump -i any -nn -A port 80

tcpdump -i any -nn port 53 — Monitor DNS queries and responses.

sudo tcpdump -i any -nn port 53

tcpdump -i eth0 -nn icmp — Monitor ICMP traffic (ping, traceroute, unreachable).

sudo tcpdump -i eth0 -nn icmp

tcpdump -i any -nn 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn' — Watch new TCP connection attempts (initial SYNs, in either direction).

sudo tcpdump -i any -nn 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'

tcpdump -i any -nn host HOST and not port 22 — Monitor all traffic to/from a host except SSH.

sudo tcpdump -i any -nn host 192.168.1.1 and not port 22

tcpdump -r capture.pcap -nn 'tcp[tcpflags] & (tcp-rst) != 0' — Find RST packets in a captured file.

tcpdump -r capture.pcap -nn 'tcp[tcpflags] & (tcp-rst) != 0'

tcpdump -i eth0 -tttt -nn -s0 -w long_capture.pcap & — Background capture with full packet data (the pcap file always stores timestamps; -tttt and -nn only affect printed output, not what is written with -w).

sudo tcpdump -i eth0 -tttt -nn -s0 -w long_capture.pcap &

Conclusion

tcpdump is indispensable when you need to know what is actually crossing the wire – no logging framework gives you that picture more reliably. Save captures with -w as a pcap file and open them later in Wireshark for deeper analysis. For quick triage on a remote server, tcpdump alone is enough.

Further Reading

  • nmap – scan networks and discover open ports
  • iftop – display bandwidth usage per host in real time
  • socat – connect and debug bidirectional data streams