Linux

tcpdump — Network Packet Analysis for Sysadmins

Wed, June 11, 2025 - 3 min read

tcpdump prints packet headers and payloads matching an expression. It works at the raw socket level and sees everything that crosses the network interface.

Basics

tcpdump -i eth0

Capture on interface eth0. Without -i, tcpdump picks the first available interface.

Don’t resolve names

tcpdump -nn

The -n flag skips DNS lookups for IPs, and a second n skips port-to-service resolution. Always use -nn — it’s faster and produces cleaner output.

Save to file

tcpdump -w capture.pcap
tcpdump -r capture.pcap

Write raw packets to a file with -w, read them back with -r. PCAP files can be opened in Wireshark for deeper analysis.

Limit packet count

tcpdump -c 100

Exit after capturing 100 packets. Essential when troubleshooting — you rarely need millions of packets.

BPF Filter Expressions

tcpdump uses Berkeley Packet Filter (BPF) syntax — powerful, compact, and essential to master.

By host

# Traffic to or from a specific host
tcpdump host 10.0.0.5
 
# Traffic from a source
tcpdump src 10.0.0.5
 
# Traffic to a destination
tcpdump dst 10.0.0.5

By port

tcpdump port 80
tcpdump portrange 8000-9000
tcpdump src port 443

By protocol

tcpdump icmp
tcpdump arp
tcpdump tcp
tcpdump udp
tcpdump ip
tcpdump ip6

Combining filters

# TCP on port 443 that is not from 10.0.0.1
tcpdump tcp port 443 and not host 10.0.0.1
 
# DNS queries only
tcpdump port 53 and udp
 
# SSH traffic or HTTP traffic
tcpdump port 22 or port 80

Useful Flags

-A — See payload in ASCII

tcpdump -A port 80

Prints each packet’s payload as ASCII. Useful for inspecting HTTP request bodies or response content.

-X — Hex + ASCII

tcpdump -X port 443

Shows packets in both hex and ASCII. Essential for analyzing binary protocols.

tcpdump -e

Shows MAC addresses. Useful when diagnosing ARP issues or switch-level problems.

-v, -vv, -vvv — Verbosity

tcpdump -vv port 53

Each additional v adds more detail: TTL, IP options, TCP options, checksums.

-s — Snapshot length

tcpdump -s 0

-s 0 captures the entire packet. Default is 262144 bytes. For performance, limit with -s 1500 (MTU-sized) so that only the first 1500 bytes of each packet are copied and the rest of any large payload is truncated.

Real-World Scenarios

Scenario 1: Is DNS working?

tcpdump -nn -c 10 port 53

Trigger a DNS lookup and watch the query and response. If you see queries but no responses, DNS is blocked. If you see “NXDOMAIN”, the record doesn’t exist.

Scenario 2: Slow HTTP responses

tcpdump -nn -i any tcp port 80

Watch the TCP handshake. A delayed SYN-ACK suggests the server is overloaded or the network path has issues. Use -w and analyze timing in Wireshark.

Scenario 3: Is the server actually sending data?

A client reports “no response” from the server. Capture server-side:

tcpdump -nn -i eth0 -c 100 -w /tmp/server.pcap tcp port 8080

If you see the server sending SYN-ACK and data, the problem is the network path or the client. If the server never sees the SYN, the traffic isn’t reaching it.

Scenario 4: Find the culprit IP during an attack

tcpdump -nn -c 10000 -w /tmp/dump.pcap

Then analyze:

tcpdump -r /tmp/dump.pcap -nn | awk '{print $3}' | cut -d. -f1-4 | sort | uniq -c | sort -rn | head -10

This shows the top source IPs by packet count.
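The pipeline above assumes IPv4: for IPv6 sources, cut -d. -f1-4 leaves the port attached, so one address is counted once per port. The following shell function does the same aggregation but handles both address families and port-less (ICMP) lines; it is an added example, not code from the original post, and it assumes the default single-line output of tcpdump -nn (no -e, -v or -X). The sample lines are constructed, not a real capture.

```shell
#!/bin/sh
# Added example, not from the original post: count packets per source address in
# tcpdump text output, like the Scenario 4 pipeline, but handling IPv6 sources and
# port-less lines (ICMP) correctly instead of relying on "cut -d. -f1-4".
# Assumes "tcpdump -nn" default single-line output, i.e. no -e, -v or -X.

# Constructed sample of "tcpdump -nn -r dump.pcap" output; not a real capture.
SAMPLE_LINES='13:45:12.123456 IP 10.0.0.1.54322 > 10.0.0.2.80: Flags [S], seq 12345, win 65535
13:45:12.123500 IP 10.0.0.1.54323 > 10.0.0.2.80: Flags [S], seq 12346, win 65535
13:45:12.123600 IP 198.51.100.7.40000 > 10.0.0.2.80: Flags [S], seq 1, win 1024
13:45:12.123700 IP6 2001:db8::1.40001 > 2001:db8::2.80: Flags [S], seq 2, win 1024
13:45:12.123800 IP 10.0.0.1.54324 > 10.0.0.2.80: Flags [S], seq 12347, win 65535
13:45:12.123900 IP 10.0.0.9 > 10.0.0.2: ICMP echo request, id 1, seq 1, length 64
13:45:12.124000 ARP, Request who-has 10.0.0.2 tell 10.0.0.9, length 28'

# top_sources [N]: read tcpdump text output on stdin and print "count address"
# for the N most frequent source addresses (default 10), most frequent first.
# Only IP and IP6 lines are counted; ARP and other link-layer lines are skipped.
top_sources() {
    n="${1:-10}"
    awk '$2 == "IP" || $2 == "IP6" {
        a = $3
        if (a ~ /:/) {
            # IPv6: tcpdump appends ".port" for TCP/UDP, nothing for ICMP6
            sub(/\.[0-9]+$/, "", a)
        } else if (gsub(/\./, ".", a) == 4) {
            # IPv4: four dots means addr.port, three dots means no port
            sub(/\.[0-9]+$/, "", a)
        }
        print a
    }' | sort | uniq -c | sort -rn | head -n "$n" | awk '{ print $1, $2 }'
}

# top_talker: the single most frequent source address on stdin.
top_talker() {
    top_sources 1 | awk '{ print $2 }'
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_LINES" | top_sources 10
```

On a real capture, replace the sample with `tcpdump -nn -r /tmp/dump.pcap | top_sources 10`.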

Reading tcpdump Output

13:45:12.123456 IP 10.0.0.1.54322 > 10.0.0.2.80: Flags [S], seq 12345, win 65535
  • Timestamp: 13:45:12.123456
  • Protocol: IP
  • Source: 10.0.0.1 port 54322
  • Direction: > (from source to destination)
  • Dest: 10.0.0.2 port 80
  • TCP Flags: [S] (SYN)

Common TCP flags:

  • [S] — SYN (connection start)
  • [.] — ACK (acknowledgment)
  • [P] — PUSH (data being sent)
  • [F] — FIN (connection close)
  • [R] — RST (connection reset — usually indicates an error)

Performance in Production

On high-throughput interfaces, tcpdump itself can drop packets:

tcpdump -nn -i eth0 -c 100000 2>&1 | grep dropped

If you see packet drops, use a larger buffer:

tcpdump -B 4096 -nn -i eth0

Or capture only what you need with precise BPF filters. Never run tcpdump -i any on a 10Gbps interface without a filter — you will drop most packets and potentially saturate CPU.