>_cmd.script

tcpdump

Capture and display network packets on an interface

Networking

By CMD Script Team · 4 min read · Last updated

SYNTAX
tcpdump [OPTIONS] [EXPRESSION]

Options

Command options and flags
FlagDescription
-iCapture on a specific interface, e.g. -i eth0, or -i any for all interfaces
-wWrite raw captured packets to a pcap file instead of printing them
-rRead and display packets from a previously saved pcap file
-nDon't resolve hostnames or ports to names; show raw IPs and port numbers
-cCapture only a fixed number of packets, then stop, e.g. -c 100
-XShow packet contents in both hex and ASCII
-vIncrease verbosity of the printed packet info (repeatable: -v, -vv, -vvv)
-APrint each packet's payload in ASCII, useful for readable protocols like HTTP

Distribution compatibility

  • Ubuntu
  • Debian
  • Fedora
  • Arch
  • macOS

What it does

tcpdump captures packets flowing through a network interface and prints a summary line per packet (or the full contents, with the right flags), based on the libpcap library. It lets you filter traffic by host, port, protocol, or arbitrary BPF (Berkeley Packet Filter) expressions, making it the standard command-line tool for diagnosing connectivity issues, inspecting what a service is actually sending on the wire, and capturing traffic to analyze later in Wireshark.

Beginner examples

  • sudo tcpdump -i eth0 — capture and print all traffic on eth0
  • sudo tcpdump -i any — capture across all interfaces at once
  • sudo tcpdump -i eth0 -c 20 — capture just 20 packets, then stop
  • sudo tcpdump -i eth0 -n — skip DNS/hostname resolution for faster, rawer output
sudo tcpdump -i eth0 -c 20 -n

Advanced examples

  • Filter to a specific port: sudo tcpdump -i eth0 port 80
  • Filter to a specific host's traffic in either direction: sudo tcpdump -i eth0 host 10.0.0.5
  • Combine expressions with and/or: sudo tcpdump -i eth0 'tcp and port 443 and host 10.0.0.5'
  • Save a capture for later, deeper analysis in Wireshark: sudo tcpdump -i eth0 -w capture.pcap
  • Inspect payload contents for a plaintext protocol like HTTP: sudo tcpdump -i eth0 -A port 80
sudo tcpdump -i eth0 'tcp and port 443 and host 10.0.0.5' -w https_capture.pcap

Common mistakes

  • Forgetting sudo, which either fails outright or silently captures nothing depending on the system's permission model.
  • Leaving tcpdump running unbounded on a busy interface and filling up disk with a huge -w capture file — always pair long captures with -c or a snaplen/rotation strategy.
  • Not filtering at all and getting flooded with irrelevant traffic (ARP, broadcast noise, unrelated connections) when you only care about one host or port.
  • Assuming -i eth0 always exists — interface names vary (ens33, enp0s3, wlan0); use tcpdump -D or ip link to list available interfaces first.

Tips

  • Use -n (or -nn to also skip port-name resolution) when you want fast output and raw IPs/ports rather than reverse-DNS lookups slowing down the capture.
  • Combine -w (save) with -r (read) as a two-step workflow: capture on the server quickly, then analyze the pcap file later without holding up the live system.
  • tcpdump -D lists all available capture interfaces by name and index — handy before picking one with -i.
  • Use single quotes around filter expressions with multiple words ('port 80', 'tcp and host 10.0.0.5') so the shell doesn't split them into separate arguments.

Best practices

  • Always scope captures with a filter expression in production — capturing "everything" on a busy interface is noisy, resource-intensive, and can expose sensitive payloads unnecessarily.
  • Cap capture size with -c <count> or a snaplen/duration limit to avoid filling disk, especially when writing to a file with -w.
  • Treat captured traffic as sensitive data — pcap files can contain credentials or personal data in plaintext protocols, so store and share them carefully.
  • Prefer capturing to a file (-w) and analyzing offline with Wireshark for anything beyond a quick live check; it's easier to filter, follow streams, and search after the fact.

Try it yourself

A simulated shell with a sample home directory — experiment freely, nothing leaves your browser. Type help to list supported commands.

Real-world use cases

  • Diagnosing why a service can't reach a downstream dependency by capturing traffic on the relevant port and confirming whether SYN packets are even leaving the box.
  • Verifying that an application is actually using TLS as expected by capturing on port 443 and confirming a TLS handshake rather than plaintext traffic.
  • Capturing a reproducible pcap of a bug (e.g. malformed DNS responses) to hand to another engineer or attach to a bug report for deeper analysis in Wireshark.

Common interview questions

  • Why does tcpdump require root privileges? Capturing raw packets from a network interface requires the CAP_NET_RAW capability, since it exposes traffic not addressed to the calling process — the kernel restricts this to privileged users.
  • How would you capture only HTTPS traffic to a specific server? sudo tcpdump -i eth0 'tcp and port 443 and host <ip>' filters to just that host's TLS traffic.
  • How do you save a capture for offline analysis in Wireshark? sudo tcpdump -i eth0 -w capture.pcap writes raw packets to a pcap file that Wireshark (or tcpdump -r) can read later.

Frequently Asked Questions

Why does tcpdump require sudo?

Capturing raw packets off a network interface needs elevated privileges (CAP_NET_RAW), since it lets you see traffic not addressed to your own process. Run it as sudo tcpdump ...

How do I filter for a specific port, like HTTP traffic?

Use a filter expression: sudo tcpdump -i eth0 port 80 captures traffic on TCP or UDP port 80. Add tcp or udp to be specific, e.g. tcp port 443 for HTTPS.

How do I save a capture to analyze later in Wireshark?

Use -w to write raw packets to a pcap file: sudo tcpdump -i eth0 -w capture.pcap. Open that file in Wireshark, or replay it with tcpdump -r capture.pcap.

How do I capture traffic to/from a specific host?

Use the host filter: sudo tcpdump -i eth0 host 10.0.0.5 captures all traffic where that IP is either the source or destination.

Cheat sheet

Download a quick-reference cheat sheet for tcpdump.