Tcpdump Command in Linux


tcpdump is a command-line utility that you can use to capture and inspect network traffic going to and from your system. It is the most commonly used tool among network administrators for troubleshooting network issues and security testing.

Despite its name, with tcpdump, you can also capture non-TCP traffic such as UDP, ARP, or ICMP. The captured packets can be written to a file or standard output. One of the most powerful features of the tcpdump command is its ability to use filters and capture only the data you wish to analyze.

In this article, we cover the basics of how to use the tcpdump command in Linux.

Use tcpdump when you need a quick view of what is actually happening on the wire, for example to confirm traffic reaches a host, to troubleshoot a port, or to capture packets for later analysis.

Installing tcpdump

tcpdump is installed by default on most Linux distributions and macOS. To check if the tcpdump command is available on your system, type:

Terminal
tcpdump --version

The output should look something like this:

output
tcpdump version 4.99.5
libpcap version 1.10.5 (with TPACKET_V3)
OpenSSL 3.5.3 16 Sep 2025
64-bit build, 64-bit time_t

If tcpdump is not present on your system, the command above prints “tcpdump: command not found”. You can easily install tcpdump using the package manager of your distro.

Installing tcpdump on Ubuntu and Debian

Terminal
sudo apt update && sudo apt install tcpdump

Installing tcpdump on Fedora, RHEL, and Derivatives

Terminal
sudo dnf install tcpdump

Installing tcpdump on Arch Linux

Terminal
sudo pacman -S tcpdump

Capturing Packets with tcpdump

The general syntax for the tcpdump command is as follows:

txt
tcpdump [options] [expression]

  • The command options allow you to control the behavior of the command.
  • The filter expression defines which packets are captured.

Only root or a user with sudo privileges can run tcpdump. If you try to run the command as an unprivileged user, you will get an error saying: “You don’t have permission to capture on that device”.

The simplest use case is to invoke tcpdump without any options and filters:

Terminal
sudo tcpdump
output
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
15:47:24.248737 IP linuxize-host.ssh > desktop-machine.39196: Flags [P.], seq 201747193:201747301, ack 1226568763, win 402, options [nop,nop,TS val 1051794587 ecr 2679218230], length 108
15:47:24.248785 IP linuxize-host.ssh > desktop-machine.39196: Flags [P.], seq 108:144, ack 1, win 402, options [nop,nop,TS val 1051794587 ecr 2679218230], length 36
15:47:24.248828 IP linuxize-host.ssh > desktop-machine.39196: Flags [P.], seq 144:252, ack 1, win 402, options [nop,nop,TS val 1051794587 ecr 2679218230], length 108

... Long output suppressed

23116 packets captured
23300 packets received by filter
184 packets dropped by kernel

tcpdump continues to capture packets and write to the standard output until it receives an interrupt signal. Use the Ctrl+C key combination to send an interrupt signal and stop the command.

For more verbose output, pass the -v option, or -vv for even more verbose output:

Terminal
sudo tcpdump -vv

You can specify the number of packets to be captured using the -c option. For example, to capture only ten packets, you would type:

Terminal
sudo tcpdump -c 10

After capturing the packets, tcpdump stops.

Tip
Start small with a specific interface and -c to avoid flooding your terminal.

When no interface is specified, tcpdump uses the first interface it finds and dumps all packets going through that interface.

Use the -D option to print a list of all available network interfaces that tcpdump can collect packets from:

Terminal
sudo tcpdump -D

For each interface, the command prints the interface name, a short description, and an associated index (number):

output
1.ens3 [Up, Running]
2.any (Pseudo-device that captures on all interfaces) [Up, Running]
3.lo [Up, Running, Loopback]

The output above shows that ens3 is the first interface found by tcpdump and used when no interface is provided to the command. The second interface any is a special device that allows you to capture all active interfaces.

To specify the interface on which you want to capture traffic, invoke the command with the -i option followed by the interface name or the associated index. For example, to capture all packets from all interfaces, you would specify the any interface:

Terminal
sudo tcpdump -i any

The any interface is available on Linux. On macOS, you need to pick a specific interface.

By default, tcpdump performs reverse DNS resolution on IP addresses and translates port numbers into names. Use the -n option to disable the translation:

Terminal
sudo tcpdump -n

Skipping the DNS lookup avoids generating DNS traffic and makes the output more readable. It is recommended to use this option whenever you invoke tcpdump. Use -nn to also skip port name lookup.

For example, -n shows IP addresses instead of hostnames but still prints service names like ssh or http for ports; with -nn the raw port numbers are printed as well.

Instead of displaying the output on the screen, you can redirect it to a file using the redirection operators > and >>:

Terminal
sudo tcpdump -n -i any > file.out

You can also watch the data while saving to a file using the tee command:

Terminal
sudo tcpdump -n -l | tee file.out

The -l option in the command above tells tcpdump to make the output line buffered. Without it, output sent to a pipe is block buffered, so lines appear on the screen only once the buffer fills rather than as each packet is captured.

Here are some common options you can combine:

  • -i - Select interface.
  • -n / -nn - Disable DNS and service name resolution.
  • -c - Stop after a specific number of packets.
  • -v / -vv - Increase verbosity.
  • -s 0 - Capture full packets (no snap length limit).
  • -w / -r - Write to or read from a capture file.

Understanding the tcpdump Output

tcpdump outputs information for each captured packet on a new line. Each line includes a timestamp and information about that packet, depending on the protocol.

The typical format of a TCP protocol line is as follows:

txt
[Timestamp] [Protocol] [Src IP].[Src Port] > [Dst IP].[Dst Port]: [Flags], [Seq], [Ack], [Win Size], [Options], [Data Length]

Let’s go field by field and explain the following line:

output
15:47:24.248737 IP 192.168.1.185.22 > 192.168.1.150.37445: Flags [P.], seq 201747193:201747301, ack 1226568763, win 402, options [nop,nop,TS val 1051794587 ecr 2679218230], length 108

  • 15:47:24.248737 - The timestamp of the captured packet, in local time, in the format hours:minutes:seconds.frac (time since midnight, where frac is the fraction of a second).

  • IP - The packet protocol. In this case, IP means the Internet protocol version 4 (IPv4).

  • 192.168.1.185.22 - The source IP address and port, separated by a dot (.).

  • 192.168.1.150.37445 - The destination IP address and port, separated by a dot (.).

  • Flags [P.] - TCP Flags field. In this example, [P.] means Push Acknowledgment packet, which is used to acknowledge the previous packet and send data. Other typical flag field values are as follows:

    • [.] - ACK (Acknowledgment)
    • [S] - SYN (Start Connection)
    • [P] - PSH (Push Data)
    • [F] - FIN (Finish Connection)
    • [R] - RST (Reset Connection)
    • [S.] - SYN-ACK (SYN-ACK packet)

  • seq 201747193:201747301 - The sequence number is shown in first:last notation and tells you which bytes of the data stream this packet carries. Except for the first packet of a connection, where the numbers are absolute, subsequent packets show relative byte positions. In this example, 201747193:201747301 means that the packet contains bytes 201747193 to 201747301 of the data stream. Use the -S option to print absolute sequence numbers.

  • ack 1226568763 - The acknowledgment number is the sequence number of the next byte expected by the other end of this connection.

  • win 402 - The window size is the number of bytes available in the receiving buffer.

  • options [nop,nop,TS val 1051794587 ecr 2679218230] - TCP options. nop, or “no operation”, is padding used to make the TCP header a multiple of 4 bytes. TS val is a TCP timestamp, and ecr stands for an echo reply. Visit the IANA documentation for more information about TCP options.

  • length 108 - The length of the payload data, in bytes.
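The field-by-field breakdown above can also be applied mechanically. The following Python parser is an added example, not code from the article or from the tcpdump project: it matches tcpdump's default (non -v) TCP line format, pulls out the fields just described whether hosts and ports are printed as numbers or names, expands the flag letters, and checks that the byte range in seq first:last agrees with length. The function names and the SAMPLE text are this example's own; the first two packet lines in SAMPLE are copied from the article's output and the SYN line is constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# One TCP line of tcpdump's default text output. Hosts may be IPs or names and
# ports numbers or service names (depending on -n / -nn); seq, ack, win and
# options are optional because not every segment carries them (e.g. a bare SYN).
TCP_LINE = re.compile(
    r"""
    ^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+
    (?P<proto>IP6?)\s+
    (?P<src>\S+)\.(?P<sport>[\w-]+)\s+>\s+
    (?P<dst>\S+)\.(?P<dport>[\w-]+):\s+
    Flags\s+\[(?P<flags>[^\]]*)\]
    (?:,\s+seq\s+(?P<seq>\d+(?::\d+)?))?
    (?:,\s+ack\s+(?P<ack>\d+))?
    (?:,\s+win\s+(?P<win>\d+))?
    (?:,\s+urg\s+(?P<urg>\d+))?
    (?:,\s+options\s+\[(?P<opts>[^\]]*)\])?
    ,\s+length\s+(?P<length>\d+)\s*$
    """,
    re.VERBOSE,
)

# Meaning of the single-character flags tcpdump prints inside [...].
FLAG_NAMES = {"S": "SYN", "F": "FIN", "P": "PSH", "R": "RST", ".": "ACK",
              "U": "URG", "E": "ECE", "W": "CWR"}


@dataclass
class TcpRecord:
    timestamp: str
    src: str
    sport: str
    dst: str
    dport: str
    flags: list
    seq_first: Optional[int]
    seq_last: Optional[int]
    ack: Optional[int]
    win: Optional[int]
    options: Optional[str]
    length: int


def decode_flags(field: str) -> list:
    """Expand a flags field such as 'P.' or 'S.' into TCP flag names."""
    if field == "none":          # tcpdump prints [none] when no flag is set
        return []
    return [FLAG_NAMES.get(ch, ch) for ch in field]


def parse_tcp_line(line: str) -> Optional[TcpRecord]:
    """Parse one TCP line; return None for banner, summary or non-TCP lines."""
    m = TCP_LINE.match(line.strip())
    if not m:
        return None
    seq_first = seq_last = None
    if m.group("seq"):
        parts = m.group("seq").split(":")
        seq_first, seq_last = int(parts[0]), int(parts[-1])  # bare 'seq N' -> first == last
    return TcpRecord(
        timestamp=m.group("ts"), src=m.group("src"), sport=m.group("sport"),
        dst=m.group("dst"), dport=m.group("dport"), flags=decode_flags(m.group("flags")),
        seq_first=seq_first, seq_last=seq_last,
        ack=int(m.group("ack")) if m.group("ack") else None,
        win=int(m.group("win")) if m.group("win") else None,
        options=m.group("opts"), length=int(m.group("length")),
    )


def parse_capture(text: str) -> list:
    """Parse every TCP line of a tcpdump text dump, skipping everything else."""
    return [rec for rec in map(parse_tcp_line, text.splitlines()) if rec]


def seq_span(rec: TcpRecord) -> Optional[int]:
    """Bytes covered by seq first:last; for a data segment this equals 'length'."""
    return None if rec.seq_first is None else rec.seq_last - rec.seq_first


def bytes_by_flow(records: list) -> dict:
    """Sum payload bytes per (src, sport, dst, dport) direction of a connection."""
    totals = {}
    for rec in records:
        key = (rec.src, rec.sport, rec.dst, rec.dport)
        totals[key] = totals.get(key, 0) + rec.length
    return totals


# Constructed sample: lines 3 and 4 are copied from the article's output above,
# the SYN line is made up for this example.
SAMPLE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
15:47:24.248737 IP 192.168.1.185.22 > 192.168.1.150.37445: Flags [P.], seq 201747193:201747301, ack 1226568763, win 402, options [nop,nop,TS val 1051794587 ecr 2679218230], length 108
15:47:24.248785 IP linuxize-host.ssh > desktop-machine.39196: Flags [P.], seq 108:144, ack 1, win 402, options [nop,nop,TS val 1051794587 ecr 2679218230], length 36
15:47:30.000000 IP 192.168.1.150.40000 > 192.168.1.185.22: Flags [S], seq 3405691582, win 64240, options [mss 1460,sackOK,TS val 1 ecr 0,nop,wscale 7], length 0
"""

if __name__ == "__main__":
    for rec in parse_capture(SAMPLE):
        print(rec.timestamp, rec.src, rec.sport, "->", rec.dst, rec.dport,
              "+".join(rec.flags), "seq span", seq_span(rec), "length", rec.length)
```

The regular expression covers only the default one-line TCP format shown in this article; -v and -vv add fields (TTL, id, checksum and others) that it does not parse, and the line format is not guaranteed to be stable between tcpdump versions. For anything beyond a quick check, save the packets with -w and work from the binary capture instead.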

tcpdump Filters

When tcpdump is invoked with no filters, it captures all traffic and produces a huge amount of output that makes it very difficult to find and analyze the packets of interest.

Filters are one of the most powerful features of the tcpdump command. They allow you to capture only those packets matching the expression. For example, when troubleshooting issues related to a web server, you can use filters to obtain only the HTTP traffic.

tcpdump uses the Berkeley Packet Filter (BPF) syntax to filter the captured packets using various matching parameters such as protocols, source and destination IP addresses and ports, etc.

In this article, we will look at some of the most common filters. For a list of all available filters, check the pcap-filter manpage.

Filtering by Protocol

To restrict the capture to a particular protocol, specify the protocol as a filter. For example, to capture only the UDP traffic, you would run:

Terminal
sudo tcpdump -n udp

Another way to define the protocol is to use the proto qualifier, followed by the protocol number. The following command filters the protocol number 17 and produces the same result as the one above:

Terminal
sudo tcpdump -n proto 17

For more information about the numbers, check the IP protocol numbers list.

Filtering by Host

To capture only packets related to a specific host, use the host qualifier:

Terminal
sudo tcpdump -n host 192.168.1.185

The host can be either an IP address or a name.

You can also filter the output to a given IP range using the net qualifier. For example, to dump only packets related to 10.10.0.0/16, you would use:

Terminal
sudo tcpdump -n net 10.10

Filtering by Port

To limit the capture to packets from or to a specific port, use the port qualifier. The following command captures packets related to the SSH service (port 22):

Terminal
sudo tcpdump -n port 22

To check whether a service is receiving HTTPS traffic:

Terminal
sudo tcpdump -n port 443

The portrange qualifier allows you to capture traffic in a range of ports:

Terminal
sudo tcpdump -n portrange 110-150

Filtering by Source and Destination

You can also filter packets based on the source or destination port or host using the src, dst, src and dst, and src or dst qualifiers.

The following command captures packets from a host with IP 192.168.1.185:

Terminal
sudo tcpdump -n src host 192.168.1.185

To find the traffic coming from any source to port 80, you would use:

Terminal
sudo tcpdump -n dst port 80

Complex Filters

Filters can be combined using the and (&&), or (||), and not (!) operators.

For example, to capture all HTTP traffic coming from the source IP address 192.168.1.185, you would use this command:

Terminal
sudo tcpdump -n src 192.168.1.185 and tcp port 80

You can also use parentheses to group and create more complex filters:

Terminal
sudo tcpdump -n 'host 192.168.1.185 and (tcp port 80 or tcp port 443)'

To avoid parsing errors when using special characters, enclose the filters inside single quotes.

Here is another example command to capture all traffic except SSH from a source IP address 192.168.1.185:

Terminal
sudo tcpdump -n src 192.168.1.185 and not dst port 22

Packet Inspection

By default, tcpdump captures only the packet headers. However, sometimes you may need to inspect the content of the packets.

tcpdump allows you to print the content of the packets in ASCII and HEX.

If you need full payloads, add -s 0 to avoid truncation.

The -A option tells tcpdump to print each packet in ASCII and -x in HEX:

Terminal
sudo tcpdump -n -A

To show the packet’s contents in both HEX and ASCII use the -X option:

Terminal
sudo tcpdump -n -X

Reading and Writing Captures to a File

Another useful feature of tcpdump is to write the packets to a file. This is handy when you are capturing a large number of packets or capturing packets for later analysis.

To start writing to a file, use the -w option followed by the output capture file:

Terminal
sudo tcpdump -n -w data.pcap

This command saves the capture to a file named data.pcap. You can name the file as you want, but it is a common convention to use the .pcap extension (packet capture).

When the -w option is used, the output is not displayed on the screen. tcpdump writes raw packets and creates a binary file that cannot be read with a regular text editor.

To inspect the contents of the file, invoke tcpdump with the -r option:

Terminal
sudo tcpdump -r data.pcap

If you want to run tcpdump in the background, add the ampersand symbol (&) at the end of the command.

The capture file can also be inspected with other packet analyzer tools such as Wireshark.

When capturing packets over a long period of time, you can enable file rotation. tcpdump allows you to create new files and rotate the dump file on a specified time interval or fixed size. The following command creates up to ten 200MB files, named file.pcap0, file.pcap1, and so on, before overwriting older files.

Terminal
sudo tcpdump -n -W 10 -C 200 -w /tmp/file.pcap

Once ten files are generated, the older files are overwritten.
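The file that -w produces, and that -r and Wireshark read back, is the classic pcap format: a 24-byte global header (magic number, version, snapshot length and link type, which tcpdump's banner reports as EN10MB for Ethernet) followed by one 16-byte record header plus the saved bytes for each packet. The following Python writer and reader is an added example, not code from the article or from the tcpdump project; it reproduces that layout on constructed Ethernet frames so you can see why the file is binary, how the snapshot length from -s shows up as incl_len being smaller than orig_len, and how a file cut short mid-record is detected. All function names, the constructed frames and the timestamps are this example's own assumptions.

```python
import struct

PCAP_MAGIC_USEC = 0xA1B2C3D4   # classic pcap, microsecond timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D   # pcap variant with nanosecond timestamps
LINKTYPE_ETHERNET = 1          # reported by tcpdump as link-type EN10MB
DEFAULT_SNAPLEN = 262144       # "capture size 262144 bytes" in tcpdump's banner

GLOBAL_HDR = "IHHiIII"   # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = "IIII"      # ts_sec, ts_frac, incl_len, orig_len


def build_pcap(packets, snaplen=DEFAULT_SNAPLEN, linktype=LINKTYPE_ETHERNET):
    """Serialize (ts_sec, ts_usec, frame_bytes) tuples into a pcap byte string.

    As with tcpdump -w combined with -s <snaplen>, frames longer than snaplen
    are stored cut short: incl_len is the saved size, orig_len the wire size.
    """
    out = bytearray(struct.pack("<" + GLOBAL_HDR, PCAP_MAGIC_USEC, 2, 4, 0, 0,
                                snaplen, linktype))
    for ts_sec, ts_usec, frame in packets:
        saved = frame[:snaplen]
        out += struct.pack("<" + RECORD_HDR, ts_sec, ts_usec, len(saved), len(frame))
        out += saved
    return bytes(out)


def parse_pcap(data):
    """Parse a pcap byte string into (header dict, list of record dicts).

    Raises ValueError on an unknown magic number or on a file that ends in the
    middle of a record, the condition tcpdump -r reports as a truncated dump.
    """
    if len(data) < 24:
        raise ValueError("file shorter than the 24-byte pcap global header")
    # The magic number gives both the byte order and the timestamp resolution.
    for endian in ("<", ">"):
        magic = struct.unpack(endian + "I", data[:4])[0]
        if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            break
    else:
        raise ValueError("not a pcap file: bad magic %r" % data[:4])
    frac_divisor = 1_000_000 if magic == PCAP_MAGIC_USEC else 1_000_000_000
    _, major, minor, _, _, snaplen, linktype = struct.unpack(endian + GLOBAL_HDR, data[:24])
    header = {"version": (major, minor), "snaplen": snaplen, "linktype": linktype,
              "byte_order": "little" if endian == "<" else "big"}
    records, offset = [], 24
    while offset < len(data):
        if offset + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % offset)
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(
            endian + RECORD_HDR, data[offset:offset + 16])
        offset += 16
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError("corrupt record at offset %d" % offset)
        if offset + incl_len > len(data):
            raise ValueError("truncated packet data at offset %d" % offset)
        records.append({
            "timestamp": ts_sec + ts_frac / frac_divisor,
            "incl_len": incl_len, "orig_len": orig_len,
            "truncated": incl_len < orig_len,   # the loss that -s 0 prevents
            "data": data[offset:offset + incl_len],
        })
        offset += incl_len
    return header, records


# Constructed frames: a minimum-size 60-byte Ethernet frame and a full-size
# 1514-byte one, each starting with a 14-byte Ethernet header (IPv4 ethertype).
ETH_HDR = bytes.fromhex("ffffffffffff" "020000000001" "0800")
SMALL_FRAME = ETH_HDR + bytes(60 - len(ETH_HDR))
LARGE_FRAME = ETH_HDR + bytes(range(256)) * 5 + bytes(1514 - len(ETH_HDR) - 1280)
SAMPLE_PACKETS = [(1700000000, 248737, SMALL_FRAME), (1700000000, 248785, LARGE_FRAME)]


def truncated_count(snaplen):
    """How many of the sample frames end up cut short at a given snapshot length."""
    _, records = parse_pcap(build_pcap(SAMPLE_PACKETS, snaplen=snaplen))
    return sum(r["truncated"] for r in records)


if __name__ == "__main__":
    header, records = parse_pcap(build_pcap(SAMPLE_PACKETS, snaplen=96))
    print(header)
    for r in records:
        print("%.6f saved %d of %d bytes%s" % (r["timestamp"], r["incl_len"],
              r["orig_len"], " (truncated)" if r["truncated"] else ""))
```

With a snapshot length of 96 the large frame is saved with only its first 96 bytes while orig_len still records 1514, which is exactly the situation the -s 0 advice in the packet inspection section avoids. Newer tcpdump and Wireshark versions can also write the pcapng format, which this reader does not handle.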

Tip

If you want to stop a capture after a fixed amount of time, use timeout early in your tests:

Terminal
sudo timeout 60 tcpdump -n -i any

If you want to start tcpdump at a specific time, you can use a cron job. tcpdump does not have an option to exit after a given time, but you can use the timeout command to stop it. For example, to exit after 5 minutes, you would use:

Terminal
sudo timeout 300 tcpdump -n -w data.pcap

Conclusion

tcpdump is the go-to tool for a quick look at what is actually happening on the wire. Start with -n and a specific interface to avoid DNS noise, add a filter expression to narrow the capture, and use -w to save packets for deeper analysis in Wireshark. For the full filter syntax, see the pcap-filter manpage.

About the authors

Dejan Panovski

Dejan Panovski is the founder of Linuxize, an RHCSA-certified Linux system administrator and DevOps engineer based in Skopje, Macedonia. Author of 800+ Linux tutorials with 20+ years of experience turning complex Linux tasks into clear, reliable guides.