How to Use tcpdump to Capture and Analyze Network Traffic
Sometimes, troubleshooting network issues requires capturing network traffic. tcpdump is a network traffic analyzer, or "sniffer," that allows you to intercept and analyze network traffic passing through the utility. This tool provides a rich set of options and various filters, making it versatile for different purposes. tcpdump is entirely console-based, meaning it doesn’t have a graphical interface, so it can be run on servers without GUI support. The first version of tcpdump was released back in 1988. Since then, it has been actively maintained, with new versions released every year.
This article will cover various scenarios for using tcpdump.
Prerequisites Copy link
To follow this tutorial, you will need:
- A cloud server or virtual machine with a Linux OS installed. Any Linux distribution will work.
- Access to the
rootuser or a user withsudoprivileges.
Installing tcpdump Copy link
We will install tcpdump on Ubuntu 22.04. The tcpdump package is available in the OS’s official repository. First, update the package index:
sudo apt updateNext, install the utility:
sudo apt -y install tcpdumpConfirm that the installation was successful by checking the tcpdump version:
tcpdump --versionNote that further use of the utility requires running it as the root user or a user with sudo privileges.
Running tcpdump Without Parameters Copy link
If you run tcpdump without any parameters, it will start capturing all traffic on all available interfaces in the system and display the data on the screen (stdout):
tcpdump
To stop the program, press Ctrl + C.
After each run, tcpdump provides the following information:
-
packets captured— shows the number of packets captured (packets that were received and processed bytcpdump). -
packets received by filter— shows the number of packets captured using filters. -
packets dropped by kernel— shows the number of packets dropped by the OS kernel.

By default, tcpdump does not save its output. We will discuss saving the output to a file later in the article.
tcpdump Output Format Copy link
Let's analyze the output of a captured packet using the TCP protocol as an example. By default, tcpdump displays the following data for each capture:
09:33:57.063196 IP nexus-test.com.ssh > 192.168.111.1.50653: Flags [P.], seq 27376:27440, ack 321, win 521, length 64The parameter descriptions are provided in the table below.
|
Parameter |
Description |
|
|
Timestamp. Uses the format |
|
|
Protocol used. |
|
|
Domain name (or IP address) and port of the source host. Here, |
|
|
Domain name (or IP address) and port of the destination host. |
|
|
ACK flag(s) used to indicate the connection state. Multiple values are possible. In this example, |
|
|
Sequence number of data in the packet. Shows the data range as bytes 27376 through 27440 in the packet. |
|
|
Acknowledgment of the received packet. |
|
|
Window size in bytes, showing the available buffer space for receiving data. |
|
|
Packet length in bytes, indicating the payload size as the difference between the first and last sequence bytes. |
Practical Use of tcpdump Copy link
Let’s move on to practical applications of tcpdump with examples.
Displaying a List of Network Interfaces Copy link
To list all network interfaces available in the system for traffic capture, use:
tcpdump -D
Capturing Traffic from a Specific Network Interface Copy link
By default, tcpdump captures traffic from all available interfaces. To capture traffic from a specific network interface (e.g., ens33), use:
tcpdump -i ens33
Disabling IP Address to Hostname Resolution Copy link
By default, tcpdump converts IP addresses to hostnames and replaces port numbers with service names. To prevent tcpdump from converting IP addresses to hostnames, add the -n option:
tcpdump -n
To disable both IP-to-hostname and port-to-service name conversions, use the -nn option:
tcpdump -nnCapturing a Specific Number of Packets Copy link
By default, tcpdump captures an unlimited number of packets. To capture a specified number of packets, for example, 4 packets, use the -c option:
tcpdump -c 4
Adding Date Information Copy link
tcpdump does not display the date of packet capture by default. To include the date in the output, use the -tttt option. The date will appear at the beginning of each line in the format year:month:day:
tcpdump -tttt
Packet Filtering in tcpdump Copy link
tcpdump has extensive filters that allow capturing only the desired packets. Here are some key filters.
Filtering by Port Copy link
To capture traffic on a specific port, use the port option. For example, to capture traffic on port 80 directed towards the destination, you can specify dst:
tcpdump dst -n port 80
You can also specify a range of ports:
tcpdump -n portrange 80-443
Filtering by Protocol Copy link
tcpdump supports filtering by protocols. Supported protocol values include: ether, fddi, tr, wlan, ppp, slip, link, ip, arp, rarp, tcp, udp, icmp, and ipv6. Examples for capturing specific protocols are:
tcpdump icmp
tcpdump tcp
tcpdump arp
tcpdump udp
Filtering by Packet Size Copy link
tcpdump allows capturing packets of a specified size using two options:
less— captures packets smaller than the specified number of bytes.greater— captures packets larger than the specified number of bytes.
Here are some examples:
Capture traffic with packets that are no more than 43 bytes in size:
tcpdump less 43
Capture traffic with packets larger than 43 bytes:
tcpdump greater 43
Note that the packet size includes header size: an Ethernet header without CRC occupies 14 bytes, an IPv4 header occupies 20 bytes, and an ICMP header occupies 8 bytes.
Filtering by MAC Address Copy link
To filter by MAC address, use the ether host option. For example, to capture any traffic sent to or from a specified MAC address (e.g., 00:0c:29:c7:00:3f), use:
tcpdump ether host 00:0c:29:c7:00:3f
Filtering by Source or Destination Address Copy link
You can filter traffic using the IP address or hostname of the source or destination.
To capture traffic originating from a specific host, use the src option:
tcpdump -nn src 192.168.36.132
To capture traffic directed to a specific host, use the dst option:
tcpdump -nn dst 192.168.36.132
Using Logical Operators in tcpdump Copy link
tcpdump supports various logical operators, allowing you to combine options. The following operators are supported:
andor&&— logical "AND." Combines multiple conditions and shows results matching all conditions.oror||— logical "OR." Combines multiple conditions and shows results matching at least one condition.notor!— logical "NOT." Excludes specified conditions, showing results that do not match the given condition.
Here are examples of using logical operators:
Capture packets sent from the host 192.168.36.132 and only those listening on port 22:
tcpdump -nn src 192.168.36.132 and port 22
Capture packets on all available interfaces that are listening on either port 22 or port 80:
tcpdump -nn port 22 or port 80
Capture all packets except ICMP packets:
tcpdump -nn not icmp
Saving Output to a File Copy link
As previously mentioned, tcpdump does not save its output to a file by default. To save captured data to a file, use the -w option, specifying the filename with a .pcap extension:
tcpdump -nn src 192.168.36.132 -w results.pcap
While saving to a file, results will not display in the terminal. To stop capturing packets, press CTRL + C.
To read the data saved in the file, use the -r option, followed by the filename where the tcpdump results were saved:
tcpdump -r results.pcap
Conclusion Copy link
tcpdump is a powerful command-line tool for analyzing networks and identifying issues. The utility supports a wide array of options, enabling users to filter for specific packet information.
And if you’re looking for a reliable, high-performance, and budget-friendly solution for your workflows, Hostman has you covered with Linux VPS Hosting options, including Debian VPS, Ubuntu VPS, and VPS CentOS.