
tcpdump

Capture and analyze network traffic

TLDR

List available network interfaces
$ tcpdump [[-D|--list-interfaces]]

Capture the traffic of a specific interface
$ sudo tcpdump [[-i|--interface]] [eth0]

Capture all TCP traffic showing contents ([A]SCII) in console
$ sudo tcpdump -A tcp

Capture the traffic from or to a host
$ sudo tcpdump host [www.example.com]

Capture the traffic from a specific interface, source, destination and destination port
$ sudo tcpdump [[-i|--interface]] [eth0] src [192.168.1.1] and dst [192.168.1.2] and dst port [80]

Capture the traffic of a network
$ sudo tcpdump net [192.168.1.0/24]

Capture all traffic except traffic over port 22 and [w]rite to a dump file
$ sudo tcpdump -w [dumpfile.pcap] port not [22]

[r]ead from a given dump file
$ tcpdump -r [dumpfile.pcap]

SYNOPSIS

tcpdump [ options ] [ expression ]
Common usage: tcpdump [ -i interface ] [ -n ] [ -v ] [ -A ] [ -s snaplen ] [ -w file ] [ -r file ] [ expression ]

PARAMETERS

-i interface
    Specifies the network interface to listen on (e.g., eth0, wlan0). If not specified, tcpdump selects the lowest numbered, configured interface (excluding loopback).

-n
    Don't convert host addresses to names. This speeds up output and avoids DNS lookups.

-nn
    Don't convert host addresses and port numbers to names. Even faster than -n.

-v
    Increases the verbosity of the output. Use -vv or -vvv for more detail.

-A
    Prints each packet (minus its link-level header) in ASCII. Useful for capturing web traffic or other text-based protocols.

-X
    Prints each packet (minus its link-level header) in hex and ASCII. Useful for deep inspection of packet contents.

-s snaplen
    Sets the snapshot length (bytes) to capture per packet. Default is usually 65535, capturing the full packet. Setting a smaller value reduces the data stored but truncates packets longer than snaplen.

-c count
    Exit after receiving count packets.

-w file
    Write the raw packets to file in pcap format, instead of parsing and printing them. This file can be opened by Wireshark.

-r file
    Read packets from file (which must be a pcap file created with the -w option).

-D
    List all network interfaces on which tcpdump can listen.

expression
    A filtering expression that specifies which packets will be dumped. It's based on Berkeley Packet Filter (BPF) syntax.

DESCRIPTION

tcpdump is a powerful command-line packet analyzer tool for Unix-like operating systems. It allows users to intercept and display TCP/IP and other packets being transmitted or received over a network to which the computer is attached. It can be used for network troubleshooting, security monitoring, and application debugging. tcpdump writes packets to standard output or a file, making it suitable for scripting and further analysis with tools like Wireshark. It supports a rich filtering language (BPF - Berkeley Packet Filter) to capture only specific traffic, saving resources and focusing the analysis. Its versatility makes it an indispensable tool for network administrators and security professionals.

CAVEATS

tcpdump typically requires root privileges (or sudo) to capture packets directly from the network interface. Improper use or capturing on high-traffic networks can lead to significant resource consumption (CPU, memory, disk I/O) and potentially impact network performance. The raw output can be voluminous and complex to interpret without understanding networking protocols; thus, captured files (.pcap) are often analyzed with graphical tools like Wireshark. Be mindful of disk space when capturing for extended periods or on busy links, as pcap files can grow very large quickly. Capturing on the any pseudo-interface might not always work as expected on some systems, so specifying a precise interface with -i is often preferred.

FILTER EXPRESSIONS (BPF)

tcpdump's power lies in its ability to filter captured traffic using expressions written in the Berkeley Packet Filter (BPF) syntax. These expressions can filter by host (e.g., host 192.168.1.1), port (e.g., port 80), protocol (e.g., tcp, udp, icmp), direction (src, dst), or even specific bit patterns within the packet. Combining them with the logical operators and, or and not gives highly granular control over what traffic is displayed or saved, significantly reducing the volume of data and focusing the analysis. Examples include host example.com and tcp port 80 or src net 10.0.0.0/8 and not port 22. Note the precedence: not binds tightest, then and, then or, so an expression like the one above groups as (host ... and tcp port 80) or (src net ... and not port 22); use parentheses, quoted so the shell does not interpret them, to group differently.
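As an added example (not code from the LinuxCommandLibrary page or from the tcpdump project), the following Python script shows what happens on both sides of the -w and -r options and how the filter expressions above select packets. It writes a small constructed capture in the classic pcap format that tcpdump -w produces (24-byte global header with the 65535 snaplen mentioned above, then a 16-byte header per packet), reads it back the way tcpdump -r would, checking for the truncated records an interrupted capture leaves behind, and evaluates the page's expressions (port not 22; src/dst/dst port; host ... and tcp port 80 or src net ...) with hand-written equivalents of the BPF primitives that follow BPF's not/and/or precedence. All addresses, ports and timestamps in SAMPLE are constructed, and the helper names (build_tcp_packet, select, _match, and_, or_, not_) are this example's own.

```python
import ipaddress
import struct
import tempfile

PCAP_MAGIC_USEC = 0xA1B2C3D4   # classic pcap, microsecond timestamps, native byte order
LINKTYPE_ETHERNET = 1

def build_tcp_packet(src_ip, dst_ip, sport, dport):
    """Constructed Ethernet/IPv4/TCP SYN frame for the sample capture (checksums left zero)."""
    eth = b"\x02" * 12 + b"\x08\x00"                      # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return eth + ip + tcp

def write_pcap(path, records):
    """Write (ts_sec, ts_usec, frame) records as `tcpdump -w` does: global header, then one record header per frame."""
    with open(path, "wb") as f:
        f.write(struct.pack("=IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
        for ts_sec, ts_usec, frame in records:
            f.write(struct.pack("=IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame)

def read_pcap(path):
    """Yield (ts_sec, ts_usec, frame) records; byte order is taken from the magic number."""
    with open(path, "rb") as f:
        header = f.read(24)
        if len(header) < 24:
            raise ValueError("truncated pcap global header")
        order = "<" if struct.unpack("<I", header[:4])[0] == PCAP_MAGIC_USEC else ">"
        if struct.unpack(order + "I", header[:4])[0] != PCAP_MAGIC_USEC:
            raise ValueError("not a classic microsecond pcap file (pcapng or nanosecond magic?)")
        while rec := f.read(16):
            if len(rec) < 16:
                raise ValueError("truncated record header")
            ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(order + "IIII", rec)
            frame = f.read(incl_len)
            if len(frame) < incl_len:
                raise ValueError("truncated packet record (capture cut off mid-write?)")
            yield ts_sec, ts_usec, frame

def decode(frame):
    """Parse Ethernet/IPv4 plus TCP/UDP ports into a dict; None for non-IPv4 frames."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    off = 14 + (frame[14] & 0x0F) * 4                     # start of the transport header
    ports = (None, None)
    if frame[23] in (6, 17) and len(frame) >= off + 4:    # TCP/UDP: ports are the first 4 bytes
        ports = struct.unpack("!HH", frame[off:off + 4])
    return {"proto": frame[23], "src": ipaddress.IPv4Address(frame[26:30]),
            "dst": ipaddress.IPv4Address(frame[30:34]), "sport": ports[0], "dport": ports[1]}

# BPF-style primitives; direction is "any", "src" or "dst" (host X, src X, dst X, dst port N ...).
# As in BPF, `not` binds tightest, then `and`, then `or`; nesting the calls fixes the grouping.
def _match(direction, on_src, on_dst):
    return lambda p: (direction != "dst" and on_src(p)) or (direction != "src" and on_dst(p))

def host(addr, direction="any"):
    a = ipaddress.IPv4Address(addr)
    return _match(direction, lambda p: p["src"] == a, lambda p: p["dst"] == a)

def net(cidr, direction="any"):
    n = ipaddress.IPv4Network(cidr)
    return _match(direction, lambda p: p["src"] in n, lambda p: p["dst"] in n)

def port(number, direction="any"):
    return _match(direction, lambda p: p["sport"] == number, lambda p: p["dport"] == number)

def tcp(p): return p["proto"] == 6
def and_(*fs): return lambda p: all(f(p) for f in fs)
def or_(*fs): return lambda p: any(f(p) for f in fs)
def not_(f): return lambda p: not f(p)

def select(path, predicate):
    """Like `tcpdump -r path <expression>`: return the decoded packets that match."""
    return [info for _s, _u, frame in read_pcap(path)
            if (info := decode(frame)) is not None and predicate(info)]

SAMPLE = [  # constructed records (ts_sec, ts_usec, frame); addresses and ports are made up
    (1700000000, 0, build_tcp_packet("192.168.1.1", "192.168.1.2", 51000, 80)),
    (1700000000, 250000, build_tcp_packet("192.168.1.2", "192.168.1.1", 80, 51000)),
    (1700000001, 0, build_tcp_packet("10.0.0.5", "192.168.1.2", 52000, 22)),
    (1700000002, 0, build_tcp_packet("172.16.0.9", "192.168.1.3", 53000, 443)),
]

def demo(path=None):
    """Write the sample capture, then count matches for three expressions taken from the page."""
    if path is None:
        with tempfile.NamedTemporaryFile(suffix=".pcap", delete=False) as tmp:
            path = tmp.name
    write_pcap(path, SAMPLE)
    expressions = {
        "port not 22": not_(port(22)),
        "src 192.168.1.1 and dst 192.168.1.2 and dst port 80":
            and_(host("192.168.1.1", "src"), host("192.168.1.2", "dst"), port(80, "dst")),
        "host 192.168.1.2 and tcp port 80 or src net 10.0.0.0/8":
            or_(and_(host("192.168.1.2"), tcp, port(80)), net("10.0.0.0/8", "src")),
    }
    counts = {expr: len(select(path, pred)) for expr, pred in expressions.items()}
    counts["(no filter)"] = len(list(read_pcap(path)))
    return counts
```

Calling demo() returns 3 matches for port not 22 (only the SSH packet is dropped), 1 for the src/dst/dst port expression, 3 for the or expression (the 10.0.0.5 packet is admitted by src net even though it is not port 80) and 4 unfiltered. The same grouping is what tcpdump applies to the page's own example, which is why quoting parentheses matters when a different grouping is intended.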

HISTORY

tcpdump was originally written in 1987 by Van Jacobson, Sally Floyd, Vern Paxson, and Steven McCanne at Lawrence Berkeley National Laboratory (LBNL). It was part of the libpcap library, which provides a portable API for network packet capture. The libpcap library (and thus tcpdump) quickly became a standard for network monitoring and analysis on Unix-like systems. Its development continued over the years, adapting to new protocols and operating system features, maintaining its status as a fundamental tool in network diagnostics and security. It remains widely used due to its efficiency, scriptability, and powerful filtering capabilities.

SEE ALSO

wireshark(1), tshark(1), netstat(8), ss(8), ip(8)
