tcpdump

Capture packets on default interface

$ tcpdump

$ tcpdump -i [eth0]

$ tcpdump host [192.168.1.1]

$ tcpdump port [80]

$ tcpdump -w [capture.pcap]

$ tcpdump -r [capture.pcap]

$ tcpdump -v

$ tcpdump -A port [80]

$ tcpdump icmp

$ tcpdump -c [100]

$ tcpdump -n

tcpdump [options] [filter expression]

tcpdump is a packet analyzer that captures and displays network traffic. It uses libpcap to capture packets from network interfaces and can filter traffic using Berkeley Packet Filter (BPF) syntax.
The tool can capture packets in real-time, display their contents in various formats, and save them to files for later analysis. Output can show packet headers, full content, or hexadecimal dumps.
tcpdump is essential for network troubleshooting, security analysis, and protocol debugging. It's the command-line counterpart to graphical tools like Wireshark.

-i interface

Capture on specific interface.

Write packets to file.

Read packets from file.

Capture only count packets.

Don't resolve hostnames.

Don't resolve hostnames or ports.

Verbose output levels.

Print packets in ASCII.

Print packets in hex and ASCII.

Capture snaplen bytes per packet (0=full).

Print link-layer header.

Quick output (less protocol info).

List available interfaces.

host ip: Filter by host
port num: Filter by port
src/dst: Source or destination
tcp/udp/icmp: Protocol types
and/or/not: Boolean operators
Example: `tcpdump 'tcp port 80 and host 192.168.1.1'`

Requires root privileges. Packet capture can impact performance on high-traffic networks. Full packet capture uses significant disk space. Some protocols are encrypted and contents cannot be viewed.

tcpdump was originally written by Van Jacobson, Craig Leres, and Steven McCanne at the Lawrence Berkeley National Laboratory in 1988. It became the foundation for network packet analysis on Unix systems. The libpcap library was extracted from tcpdump and is now used by many network analysis tools including Wireshark.

wireshark(1), tshark(1), ngrep(1), pcap(3)