tcpdump
Capture and display network packets on an interface
By CMD Script Team · 4 min read · Last updated
tcpdump [OPTIONS] [EXPRESSION]Options
| Flag | Description |
|---|---|
-i | Capture on a specific interface, e.g. -i eth0, or -i any for all interfaces |
-w | Write raw captured packets to a pcap file instead of printing them |
-r | Read and display packets from a previously saved pcap file |
-n | Don't resolve hostnames or ports to names; show raw IPs and port numbers |
-c | Capture only a fixed number of packets, then stop, e.g. -c 100 |
-X | Show packet contents in both hex and ASCII |
-v | Increase verbosity of the printed packet info (repeatable: -v, -vv, -vvv) |
-A | Print each packet's payload in ASCII, useful for readable protocols like HTTP |
Distribution compatibility
- Ubuntu
- Debian
- Fedora
- Arch
- macOS
What it does
tcpdump captures packets flowing through a network interface and prints a summary line
per packet (or the full contents, with the right flags), based on the libpcap library. It
lets you filter traffic by host, port, protocol, or arbitrary BPF (Berkeley Packet Filter)
expressions, making it the standard command-line tool for diagnosing connectivity issues,
inspecting what a service is actually sending on the wire, and capturing traffic to
analyze later in Wireshark.
Beginner examples
sudo tcpdump -i eth0— capture and print all traffic oneth0sudo tcpdump -i any— capture across all interfaces at oncesudo tcpdump -i eth0 -c 20— capture just 20 packets, then stopsudo tcpdump -i eth0 -n— skip DNS/hostname resolution for faster, rawer output
sudo tcpdump -i eth0 -c 20 -n
Advanced examples
- Filter to a specific port:
sudo tcpdump -i eth0 port 80 - Filter to a specific host's traffic in either direction:
sudo tcpdump -i eth0 host 10.0.0.5 - Combine expressions with
and/or:sudo tcpdump -i eth0 'tcp and port 443 and host 10.0.0.5' - Save a capture for later, deeper analysis in Wireshark:
sudo tcpdump -i eth0 -w capture.pcap - Inspect payload contents for a plaintext protocol like HTTP:
sudo tcpdump -i eth0 -A port 80
sudo tcpdump -i eth0 'tcp and port 443 and host 10.0.0.5' -w https_capture.pcap
Common mistakes
- Forgetting
sudo, which either fails outright or silently captures nothing depending on the system's permission model. - Leaving
tcpdumprunning unbounded on a busy interface and filling up disk with a huge-wcapture file — always pair long captures with-cor asnaplen/rotation strategy. - Not filtering at all and getting flooded with irrelevant traffic (ARP, broadcast noise, unrelated connections) when you only care about one host or port.
- Assuming
-i eth0always exists — interface names vary (ens33,enp0s3,wlan0); usetcpdump -Dorip linkto list available interfaces first.
Tips
- Use
-n(or-nnto also skip port-name resolution) when you want fast output and raw IPs/ports rather than reverse-DNS lookups slowing down the capture. - Combine
-w(save) with-r(read) as a two-step workflow: capture on the server quickly, then analyze the pcap file later without holding up the live system. tcpdump -Dlists all available capture interfaces by name and index — handy before picking one with-i.- Use single quotes around filter expressions with multiple words (
'port 80','tcp and host 10.0.0.5') so the shell doesn't split them into separate arguments.
Best practices
- Always scope captures with a filter expression in production — capturing "everything" on a busy interface is noisy, resource-intensive, and can expose sensitive payloads unnecessarily.
- Cap capture size with
-c <count>or a snaplen/duration limit to avoid filling disk, especially when writing to a file with-w. - Treat captured traffic as sensitive data — pcap files can contain credentials or personal data in plaintext protocols, so store and share them carefully.
- Prefer capturing to a file (
-w) and analyzing offline with Wireshark for anything beyond a quick live check; it's easier to filter, follow streams, and search after the fact.
Try it yourself
A simulated shell with a sample home directory — experiment freely, nothing leaves your browser. Type help to list supported commands.
Real-world use cases
- Diagnosing why a service can't reach a downstream dependency by capturing traffic on the relevant port and confirming whether SYN packets are even leaving the box.
- Verifying that an application is actually using TLS as expected by capturing on port 443 and confirming a TLS handshake rather than plaintext traffic.
- Capturing a reproducible pcap of a bug (e.g. malformed DNS responses) to hand to another engineer or attach to a bug report for deeper analysis in Wireshark.
Common interview questions
- Why does tcpdump require root privileges? Capturing raw packets from a network
interface requires the
CAP_NET_RAWcapability, since it exposes traffic not addressed to the calling process — the kernel restricts this to privileged users. - How would you capture only HTTPS traffic to a specific server?
sudo tcpdump -i eth0 'tcp and port 443 and host <ip>'filters to just that host's TLS traffic. - How do you save a capture for offline analysis in Wireshark?
sudo tcpdump -i eth0 -w capture.pcapwrites raw packets to a pcap file that Wireshark (ortcpdump -r) can read later.
Frequently Asked Questions
Why does tcpdump require sudo?
Capturing raw packets off a network interface needs elevated privileges (CAP_NET_RAW), since it lets you see traffic not addressed to your own process. Run it as sudo tcpdump ...
How do I filter for a specific port, like HTTP traffic?
Use a filter expression: sudo tcpdump -i eth0 port 80 captures traffic on TCP or UDP port 80. Add tcp or udp to be specific, e.g. tcp port 443 for HTTPS.
How do I save a capture to analyze later in Wireshark?
Use -w to write raw packets to a pcap file: sudo tcpdump -i eth0 -w capture.pcap. Open that file in Wireshark, or replay it with tcpdump -r capture.pcap.
How do I capture traffic to/from a specific host?
Use the host filter: sudo tcpdump -i eth0 host 10.0.0.5 captures all traffic where that IP is either the source or destination.
Cheat sheet
Download a quick-reference cheat sheet for tcpdump.