Tcpdump Command in Linux
11 min read
tcpdump is a command-line utility that you can use to capture and inspect network traffic going to and from your system. It is the most commonly used tool among network administrators for troubleshooting network issues and security testing.
Despite its name, with
tcpdump, you can also capture non-TCP traffic such as UDP, ARP, or ICMP. The captured packets can be written to a file or standard output. One of the most powerful features of the
tcpdump command is its ability to use filters and capture only the data you wish to analyze.
In this article, we will cover the basics of how to use the
tcpdump command in Linux.
tcpdump is installed by default on most Linux distributions and macOS. To check if the
tcpdump command is available on your system type:
The output should look something like this:
tcpdump version 4.9.2 libpcap version 1.8.1 OpenSSL 1.1.1b 26 Feb 2019
tcpdump is not present on your system, the command above will print “tcpdump: command not found”. You can easily install
tcpdump using the package manager of your distro.
tcpdump on Ubuntu and Debian
sudo apt update && sudo apt install tcpdump
tcpdump on CentOS and Fedora
sudo yum install tcpdump
tcpdump on Arch Linux
sudo pacman -S tcpdump
Capturing Packets with
The general syntax for the
tcpdump command is as follows:
tcpdump [options] [expression]
- The command
optionsallow you to control the behavior of the command.
- The filter
expressiondefines which packets will be captured.
Only root or user with
privileges can run
tcpdump. If you try to run the command as an unprivileged user, you’ll get an error saying: “You don’t have permission to capture on that device”.
The most simple use case is to invoke
tcpdump without any options and filters:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes 15:47:24.248737 IP linuxize-host.ssh > desktop-machine.39196: Flags [P.], seq 201747193:201747301, ack 1226568763, win 402, options [nop,nop,TS val 1051794587 ecr 2679218230], length 108 15:47:24.248785 IP linuxize-host.ssh > desktop-machine.39196: Flags [P.], seq 108:144, ack 1, win 402, options [nop,nop,TS val 1051794587 ecr 2679218230], length 36 15:47:24.248828 IP linuxize-host.ssh > desktop-machine.39196: Flags [P.], seq 144:252, ack 1, win 402, options [nop,nop,TS val 1051794587 ecr 2679218230], length 108 ... Long output suppressed 23116 packets captured 23300 packets received by filter 184 packets dropped by kernel
tcpdump will continue to capture packets and write to the standard output until it receives an interrupt signal. Use the
Ctrl+C key combination to send an interrupt signal and stop the command.
For more verbose output, pass the
-v option, or
-vv for even more verbose output:
sudo tcpdump -vv
You can specify the number of packets to be captured using the
-c option. For example, to capture only ten packets, you would type:
sudo tcpdump -c 10
After capturing the packets,
tcpdump will stop.
When no interface is specified,
tcpdump uses the first interface it finds and dumps all packets going through that interface.
-D option to print a list of all available network interfaces that tcpdump can collect packets from:
sudo tcpdump -D
For each interface, the command prints the interface name, a short description, and an associated index (number):
1.ens3 [Up, Running] 2.any (Pseudo-device that captures on all interfaces) [Up, Running] 3.lo [Up, Running, Loopback]
The output above shows that
ens3 is the first interface found by
tcpdump and used when no interface is provided to the command. The second interface
any is a special device that allows you to capture all active interfaces.
To specify the interface on which you want to capture traffic, invoke the command with the
-i option followed by the interface name or the associated index. For example, to capture all packets from all interfaces, you would specify the
sudo tcpdump -i any
tcpdump performs reverse DNS resolution on IP addresses and translates port numbers into names. Use the
-n option to disable the translation:
sudo tcpdump -n
Skipping the DNS lookup avoids generating DNS traffic and makes the output more readable. It is recommended to use this option whenever you invoke
Instead of displaying the output on the screen, you can redirect it to a file using the redirection operators
sudo tcpdump -n -i any > file.out
You can also watch the data while saving to a file using the
sudo tcpdump -n -l | tee file.out
-l option in the command above tells
tcpdump to make the output line buffered. When this option is not used, the output will not be written on the screen when a new line is generated.
tcpdump outputs information for each captured packet on a new line. Each line includes a timestamp and information about that packet, depending on the protocol.
The typical format of a TCP protocol line is as follows:
[Timestamp] [Protocol] [Src IP].[Src Port] > [Dst IP].[Dst Port]: [Flags], [Seq], [Ack], [Win Size], [Options], [Data Length]
Let’s go field by field and explain the following line:
15:47:24.248737 IP 192.168.1.185.22 > 192.168.1.150.37445: Flags [P.], seq 201747193:201747301, ack 1226568763, win 402, options [nop,nop,TS val 1051794587 ecr 2679218230], length 108
15:47:24.248737- The timestamp of the captured packet is in local time and uses the following format:
fracis fractions of a second since midnight.
IP- The packet protocol. In this case, IP means the Internet protocol version 4 (IPv4).
192.168.1.185.22- The source IP address and port, separated by a dot (
192.168.1.150.37445- The destination IP address and port, separated by a dot (
Flags [P.]- TCP Flags field. In this example,
[P.]means Push Acknowledgment packet, which is used to acknowledge the previous packet and send data. Other typical flag field values are as follows:
- [.] - ACK (Acknowledgment)
- [S] - SYN (Start Connection)
- [P] - PSH (Push Data)
- [F] - FIN (Finish Connection)
- [R] - RST (Reset Connection)
- [S.] - SYN-ACK (SynAcK Packet)
seq 201747193:201747301- The sequence number is in the
first:lastnotation. It shows the number of data contained in the packet. Except for the first packet in the data stream where these numbers are absolute, all subsequent packets use as relative byte positions. In this example, the number is
201747193:201747301, meaning that this packet contains bytes 201747193 to 201747301 of the data stream. Use the
-Soption to print absolute sequence numbers.
ack 1226568763The acknowledgment number is the sequence number of the next data expected by the other end of this connection.
win 402- The window number is the number of available bytes in the receiving buffer.
options [nop,nop,TS val 1051794587 ecr 2679218230]- TCP options.
nop, or “no operation” is padding used to make the TCP header multiple of 4 bytes.
TS valis a TCP timestamp, and
ecrstands for an echo reply. Visit the IANA documentation for more information about TCP options.
length 108- The length of payload data
tcpdump is invoked with no filters, it captures all traffic and produces a huge amount of output that makes it very difficult to find and analyze the packets of interest.
Filters are one of the most powerful features of the
tcpdump command. They since they allow you to capture only those packets matching the expression. For example, when troubleshooting issues related to a webserver, you can use filters to obtain only the HTTP traffic.
tcpdump uses the Berkeley Packet Filter (BPF)
syntax to filter the captured packets using various machining parameters such as protocols, source and destination IP addresses and ports, etc.
In this article, we’ll take a look at some of the most common filters. For a list of all available filters, check the pcap-filter manpage.
Filtering by Protocol
To restrict the capture to a particular protocol, specify the protocol as a filter. For example, to capture only the UDP traffic, you would run:
sudo tcpdump -n udp
Another way to define the protocol is to use the
proto qualifier, followed by the protocol number. The following command will filter the protocol number 17 and produce the same result as the one above:
sudo tcpdump -n proto 17
For more information about the numbers, check the IP protocol numbers list.
Filtering by Host
To capture only packets related to a specific host, use the
sudo tcpdump -n host 192.168.1.185
The host can be either an IP address or a name.
You can also filter the output to a given IP range using the
net qualifier. For example, to dump only packets related to
10.10.0.0/16 you would use:
sudo tcpdump -n net 10.10
Filtering by Port
To limit capture only to packets from or to a specific port, use the
port qualifier. The command below captures packets related to the SSH (port 22) service by using this command:
sudo tcpdump -n port 23
portrange qualifier allows you to capture traffic in a range of ports:
sudo tcpdump -n portrange 110-150
Filtering by Source and Destination
You can also filter packets based on the source or destination port or host using the are
src and dst, and
src or dst qualifiers.
The following command captures coming packets from a host with IP 192.168.1.185:
sudo tcpdump -n src host 192.168.1.185
To find the traffic coming from any source to port 80, you would use:
sudo tcpdump -n dst port 80
Filters can be combined using the
For example, to capture all HTTP traffic coming from a source IP address 192.168.1.185 you would use this command:
sudo tcpdump -n src 192.168.1.185 and tcp port 80
You can also use parentheses to group and create more complex filters:
sudo tcpdump -n 'host 192.168.1.185 and (tcp port 80 or tcp port 443)'
To avoid parsing errors when using special characters, enclose the filters inside single quotes.
Here is another example command to capture all traffic except SSH from a source IP address 192.168.1.185:
sudo tcpdump -n src 192.168.1.185 and not dst port 22
tcpdump, captures only the packet headers. However, sometimes you may need to inspect the content of the packets.
tcpdump allows you to print the content of the packets in ASCII and HEX.
-A option tells
tcpdump to print each packet in ASCII and
-x in HEX:
sudo tcpdump -n -A
To show the packet’s contents in both HEX and ASCII use the
sudo tcpdump -n -X
Reading and Writing Captures to a File
Another useful feature of
tcpdump is to write the packets to a file. This is handy when you are capturing a large number of packets or capturing packets for later analysis.
To start writing to a file, use the
-w option followed by the output capture file:
sudo tcpdump -n -w data.pcap
This command above will save the capture to a file named
data.pcap. You can name the file as you want, but it is a common convention to use the
.pcap extension (packet capture).
-w option is used, the output is not displayed on the screen.
tcpdump writes raw packets and creates a binary file that cannot be read with a regular text editor.
To inspect the contents of the file, invoke
tcpdump with the
sudo tcpdump -r data.pcap
If you want to run
tcpdump in the background
, add the ampersand symbol (
&) at the end of the command.
The capture file can also be inspected with other packet analyzer tools such as Wireshark.
When capturing packets over a long period of time, you can enable file rotation.
tcpdump allows you to create new files and rotate the dump file on a specified time interval or fixed size. The following command will create up to ten 200MB files, named
file.pcap1, and so on: before overwriting older files.
sudo tcpdump -n -W 10 -C 200 -w /tmp/file.pcap
Once ten files are generated, the older files will be overwritten.
Please note that you should only run
tcpdump only during troubleshooting issues.
If you want to start
tcpdump at a specific time, you can use a cronjob
tcpdump doesn’t have an option to exit after a given time. You can use the
command to stop
tcpdump after some time. For example, to exit after 5 minutes, you would use:
sudo timeout 300 tcpdump -n -w data.pcap
tcpdump is a command-line tool for analyzing and troubleshooting network related issues.
This article introduced you to the basics of
tcpdump usage and syntax. For more in-depth documentation, visit the tcpdump
If you have any questions or feedback, feel free to leave a comment.