
How to use Linux tcpdump Command with examples

tcpdump is a command-line utility that you can use to capture and inspect network traffic going to and from your system. It is the most commonly used tool among network administrators for troubleshooting network issues and security testing.
In this tutorial, we are going to discuss the uses of the tcpdump command along with some examples.

1. Linux tcpdump command

The general syntax for the tcpdump command is as follows:

# tcpdump [options] [expression]
  • The command options allow you to control the behavior of the command.
  • The filter expression defines which packets will be captured.

Only root or a user with sudo privileges can run tcpdump. If you try to run the command as an unprivileged user, you’ll get an error saying: “You don’t have permission to capture on that device”.
The simplest use case is to invoke tcpdump without any options or filters:

$ sudo tcpdump

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlo1, link-type EN10MB (Ethernet), capture size 262144 bytes
18:12:28.017142 IP 104.26.1.240.https > gandalf.50474: Flags [.], ack 2158647258, win 338, length 0
18:12:28.017557 IP 104.26.1.240.https > gandalf.50474: Flags [.], ack 171, win 341, length 0
18:12:28.020517 IP6 Gandalf.41918 > fe80::1.domain: 27556+ PTR? 10.1.168.192.in-addr.arpa. (43)
18:12:28.021557 IP6 fe80::1.domain > Gandalf.41918: 27556* 1/0/0 PTR gandalf. (64)
18:12:28.022342 IP6 Gandalf.46113 > fe80::1.domain: 55809+ PTR? 240.1.26.104.in-addr.arpa. (43)
..........
19 packets captured
25 packets received by filter
6 packets dropped by kernel

tcpdump will continue to capture packets and write them to standard output until it receives an interrupt signal. Press Ctrl+C to send the interrupt signal and stop the command.

2. Display all the available Interfaces for tcpdump

Use the -D option to list all the interfaces available to tcpdump:

~$ sudo tcpdump -D

1.wlo1 [Up, Running]
2.any (Pseudo-device that captures on all interfaces) [Up, Running]
3.lo [Up, Running, Loopback]
4.enp0s25 [Up]
5.bluetooth0 (Bluetooth adapter number 0)
6.nflog (Linux netfilter log (NFLOG) interface)
7.nfqueue (Linux netfilter queue (NFQUEUE) interface)
8.usbmon1 (USB bus number 1)
9.usbmon2 (USB bus number 2)
10.usbmon3 (USB bus number 3)
11.usbmon4 (USB bus number 4)

3. Capturing a specific number of packets from a specific interface

Let’s assume we want to capture 10 packets from a specific interface such as wlo1. This is easily done with the options -c {number} -i {interface-name}.

Example:

$ sudo tcpdump -c 10 -i wlo1

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlo1, link-type EN10MB (Ethernet), capture size 262144 bytes
18:28:12.518591 IP Gandalf.59169 > mil04s23-in-f99.1e100.net.443: UDP, length 23
18:28:12.521199 IP Gandalf.40782 > dns.google.domain: 24067+ [1au] PTR? 99.23.217.172.in-addr.arpa. (55)
18:28:12.556462 IP dns.google.domain > Gandalf.40782: 24067 3/0/1 PTR mil04s23-in-f99.1e100.net., PTR mil04s23-in-f3.1e100.net., PTR fra16s45-in-f3.1e100.net. (152)
18:28:12.558229 IP Gandalf.60399 > dns.google.domain: 4084+ [1au] PTR? 10.1.168.192.in-addr.arpa. (54)
18:28:12.578570 IP mil04s23-in-f99.1e100.net.443 > Gandalf.59169: UDP, length 20
18:28:12.593243 IP dns.google.domain > Gandalf.60399: 4084 NXDomain 0/0/1 (54)
18:28:12.593699 IP Gandalf.60399 > dns.google.domain: 4084+ PTR? 10.1.168.192.in-addr.arpa. (43)
18:28:14.619139 IP server.lintut.com.https > Gandalf.39580: Flags [P.], seq 3297272538:3297272591, ack 4055648785, win 18307, options [nop,nop,TS val 1505125008 ecr 2322342088], length 53
18:28:14.619210 IP Gandalf.39580 > server.lintut.com.https: Flags [.], ack 53, win 501, options [nop,nop,TS val 2322357086 ecr 1505125008], length 0
18:28:14.619752 IP server.lintut.com.https > Gandalf.39580: Flags [P.], seq 53:84, ack 1, win 18307, options [nop,nop,TS val 1505125008 ecr 2322342088], length 31
10 packets captured
15 packets received by filter
1 packet dropped by kernel

4. Capturing packets with human readable timestamp

By default, tcpdump prints only the time of day for each packet. To associate a full human-readable date and time with each captured packet, use the -tttt option; an example is shown below:

$ sudo tcpdump -c 5 -tttt -i wlo1

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlo1, link-type EN10MB (Ethernet), capture size 262144 bytes
2020-04-21 18:35:53.536113 IP Gandalf.60112 > 104.26.2.165.https: Flags [.], ack 3442747550, win 8782, length 0
2020-04-21 18:35:53.537677 IP Gandalf.54140 > dns.google.domain: 31998+ [1au] PTR? 165.2.26.104.in-addr.arpa. (54)
2020-04-21 18:35:53.567977 IP 104.26.2.165.https > Gandalf.60112: Flags [.], ack 1, win 781, length 0
2020-04-21 18:35:53.572871 IP dns.google.domain > Gandalf.54140: 31998 NXDomain 0/1/1 (116)
2020-04-21 18:35:53.573197 IP Gandalf.54140 > dns.google.domain: 31998+ PTR? 165.2.26.104.in-addr.arpa. (43)
5 packets captured
10 packets received by filter
3 packets dropped by kernel

5. Capture and Save Packets in a File

As mentioned, tcpdump can capture packets and save them to a file in pcap format. To do this, run the command with the -w option:

~$ sudo tcpdump -c 5 -w savefile.pcap -i wlo1

tcpdump: listening on wlo1, link-type EN10MB (Ethernet), capture size 262144 bytes
5 packets captured
11 packets received by filter
0 packets dropped by kernel

6. Read Captured Packets File

To read and analyze the captured packets in savefile.pcap, run the command with the -r option, as shown below.

$ sudo tcpdump -r savefile.pcap 

reading from file savefile.pcap, link-type EN10MB (Ethernet)
18:40:03.392150 IP Gandalf.51158 > wo-in-f188.1e100.net.5228: Flags [.], ack 514169839, win 501, options [nop,nop,TS val 2456926781 ecr 3689984141], length 0
18:40:03.435815 IP wo-in-f188.1e100.net.5228 > Gandalf.51158: Flags [.], ack 1, win 259, options [nop,nop,TS val 3690029198 ecr 2456154548], length 0
18:40:07.488144 IP Gandalf.43728 > 151.101.129.69.https: Flags [.], ack 3630085366, win 1682, options [nop,nop,TS val 2623843655 ecr 2648832855], length 0
18:40:07.523272 IP 151.101.129.69.https > Gandalf.43728: Flags [.], ack 1, win 76, options [nop,nop,TS val 2648844119 ecr 2623434983], length 0
18:40:10.973568 IP server.lintut.com.https > Gandalf.39684: Flags [P.], seq 3942809522:3942809575, ack 2167039310, win 32038, options [nop,nop,TS val 1505841374 ecr 2323058431], length 53

7. Capture IP address Packets

Using the -n option, tcpdump shows the captured packets on the specified interface with numeric IP addresses instead of resolved hostnames; an example is shown below:

$ sudo tcpdump -n -i wlo1

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlo1, link-type EN10MB (Ethernet), capture size 262144 bytes
18:48:25.152151 IP 192.168.1.10.51902 > 69.173.144.136.443: Flags [.], ack 4106790352, win 62861, length 0
18:48:25.152224 IP 192.168.1.10.45636 > 185.64.189.115.443: Flags [.], ack 2485021485, win 501, options [nop,nop,TS val 988090981 ecr 2240155498], length 0
18:48:25.152241 IP 192.168.1.10.45626 > 185.64.189.115.443: Flags [.], ack 2526994591, win 501, options [nop,nop,TS val 988090981 ecr 319604631], length 0
18:48:25.186651 IP 69.173.144.136.443 > 192.168.1.10.51902: Flags [.], ack 1, win 14160, length 0
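Once a capture has been saved (section 5) and read back with -r (section 6), the one-line-per-packet text is easy to summarise. The following shell script is an added example, not part of the original article: it turns output in the format shown above (with -n so addresses stay numeric) into per-flow and per-source packet counts. The function names and the sample lines are this example's own; it assumes POSIX sh, awk and sort.

```shell
#!/bin/sh
# Added example, not from the original article: summarise the text that
# `tcpdump -n -r savefile.pcap` prints into per-flow and per-source counts.
# Function and variable names are this example's own; assumes POSIX sh, awk, sort.

# Constructed sample in the page's output format (a -r banner, IPv4 lines,
# one ARP line and the closing summary); real input is just `tcpdump -n -r FILE`.
SAMPLE='reading from file savefile.pcap, link-type EN10MB (Ethernet)
18:48:25.152151 IP 192.168.1.10.51902 > 69.173.144.136.443: Flags [.], ack 1, win 62861, length 0
18:48:25.152224 IP 192.168.1.10.45636 > 185.64.189.115.443: Flags [.], ack 1, win 501, length 0
18:48:25.186651 IP 69.173.144.136.443 > 192.168.1.10.51902: Flags [.], ack 1, win 14160, length 0
18:48:25.190002 IP 192.168.1.10.51902 > 69.173.144.136.443: Flags [P.], seq 1:54, ack 1, length 53
19:31:18.194276 ARP, Request who-has 192.168.1.3 tell 192.168.1.1, length 28
5 packets captured'

# ip_lines: keep only IP/IP6 packet lines and print "src dst" (ports kept),
# coping with both the default timestamp (IP in field 2) and -tttt (field 3).
ip_lines() {
    awk '{
        p = 0
        for (i = 2; i <= 3; i++) if ($i == "IP" || $i == "IP6") p = i
        if (!p) next                        # ARP, banner and summary lines
        dst = $(p + 3); sub(/:$/, "", dst)  # drop the trailing colon
        print $(p + 1), dst
    }'
}

# flow_counts: "count src.port > dst.port", busiest flow first.
flow_counts() {
    ip_lines | awk '{ n[$1 " > " $2]++ } END { for (k in n) print n[k], k }' | sort -rn
}

# top_talkers: packets sent per source host, with the port suffix removed.
top_talkers() {
    ip_lines | awk '{ h = $1; sub(/\.[^.]*$/, "", h); n[h]++ }
                    END { for (k in n) print n[k], k }' | sort -rn
}

printf '%s\n' "$SAMPLE" | flow_counts
printf '%s\n' "$SAMPLE" | top_talkers
```

In practice replace the sample with `tcpdump -n -r savefile.pcap | flow_counts`; a source host that dominates the list is the first place to look when a capture was taken to investigate unexpected traffic.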

8. Capture IP address Packets

Using the -n option together with a packet count, tcpdump shows the captured packets on the specified interface with numeric addresses instead of resolved hostnames:

$ sudo tcpdump -c 5 -n -i wlo1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlo1, link-type EN10MB (Ethernet), capture size 262144 bytes
19:31:18.194276 ARP, Request who-has 192.168.1.3 tell 192.168.1.1, length 28
19:31:19.218649 ARP, Request who-has 192.168.1.3 tell 192.168.1.1, length 28
19:31:20.140771 ARP, Request who-has 192.168.1.3 tell 192.168.1.1, length 28
19:31:20.649378 ARP, Request who-has 192.168.1.10 tell 192.168.1.1, length 28
19:31:20.649441 ARP, Reply 192.168.1.10 is-at c8:f7:33:e8:d5:f5, length 28
5 packets captured
5 packets received by filter
0 packets dropped by kernel

9. Capture only TCP Packets

In tcpdump we can capture only TCP packets by adding the tcp filter expression:

$ sudo tcpdump -c 5 -i wlo1 tcp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlo1, link-type EN10MB (Ethernet), capture size 262144 bytes
19:36:31.598281 IP Gandalf.59672 > sof02s32-in-f3.1e100.net.https: Flags [.], ack 2996264393, win 501, options [nop,nop,TS val 3690329646 ecr 144296723], length 0
19:36:31.657047 IP sof02s32-in-f3.1e100.net.https > Gandalf.59672: Flags [.], ack 1, win 244, options [nop,nop,TS val 144342319 ecr 3690284027], length 0
19:36:33.706281 IP server.lintut.com.https > Gandalf.39840: Flags [P.], seq 1669107981:1669108034, ack 2733452869, win 17434, options [nop,nop,TS val 1509224111 ecr 2324219355], length 53
19:36:33.706323 IP Gandalf.39840 > server.lintut.com.https: Flags [.], ack 53, win 501, options [nop,nop,TS val 2324235327 ecr 1509224111], length 0
19:36:33.706544 IP Gandalf.39840 > server.lintut.com.https: Flags [F.], seq 1, ack 53, win 501, options [nop,nop,TS val 2324235327 ecr 1509224111], length 0
5 packets captured
9 packets received by filter
0 packets dropped by kernel

10. Display Captured Packets in HEX and ASCII

The following command with the -XX option prints the contents of each packet, including its link-level header, in HEX and ASCII.

$ sudo tcpdump -c 5 -XX -i wlo1

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlo1, link-type EN10MB (Ethernet), capture size 262144 bytes
19:39:31.822263 IP Gandalf.59672 > sof02s32-in-f3.1e100.net.https: Flags [.], ack 2996264393, win 501, options [nop,nop,TS val 3690509870 ecr 144477420], length 0
	0x0000:  34da b782 fb30 c8f7 33e8 d5f5 0800 4500  4....0..3.....E.
	0x0010:  0034 aff7 4000 4006 72bd c0a8 010a acd9  .4..@.@.r.......
	0x0020:  a983 e918 01bb 2f2a 53c0 b297 5dc9 8010  ....../*S...]...
	0x0030:  01f5 b6e9 0000 0101 080a dbf8 b62e 089c  ................
	0x0040:  8cec                                     ..
19:39:31.824953 IP Gandalf.59676 > dns.google.domain: 9140+ [1au] PTR? 10.1.168.192.in-addr.arpa. (54)
	0x0000:  34da b782 fb30 c8f7 33e8 d5f5 0800 4500  4....0..3.....E.
	0x0010:  0052 086f 4000 4011 606a c0a8 010a 0808  .R.o@.@.`j......
	0x0020:  0808 e91c 0035 003e a1c3 23b4 0100 0001  .....5.>..#.....
	0x0030:  0000 0000 0001 0231 3001 3103 3136 3803  .......10.1.168.
	0x0040:  3139 3207 696e 2d61 6464 7204 6172 7061  192.in-addr.arpa
	0x0050:  0000 0c00 0100 0029 0200 0000 0000 0000  .......)........
19:39:31.860103 IP dns.google.domain > Gandalf.59676: 9140 NXDomain 0/0/1 (54)
	0x0000:  c8f7 33e8 d5f5 34da b782 fb30 0800 4500  ..3...4....0..E.
	0x0010:  0052 5c3e 0000 7811 149b 0808 0808 c0a8  .R\>..x.........
	0x0020:  010a 0035 e91c 003e 2140 23b4 8183 0001  ...5...>!@#.....
	0x0030:  0000 0000 0001 0231 3001 3103 3136 3803  .......10.1.168.
	0x0040:  3139 3207 696e 2d61 6464 7204 6172 7061  192.in-addr.arpa
	0x0050:  0000 0c00 0100 0029 0200 0000 0000 0000  .......)........
19:39:31.860445 IP Gandalf.59676 > dns.google.domain: 9140+ PTR? 10.1.168.192.in-addr.arpa. (43)
	0x0000:  34da b782 fb30 c8f7 33e8 d5f5 0800 4500  4....0..3.....E.
	0x0010:  0047 0876 4000 4011 606e c0a8 010a 0808  .G.v@.@.`n......
	0x0020:  0808 e91c 0035 0033 a403 23b4 0100 0001  .....5.3..#.....
	0x0030:  0000 0000 0000 0231 3001 3103 3136 3803  .......10.1.168.
	0x0040:  3139 3207 696e 2d61 6464 7204 6172 7061  192.in-addr.arpa
	0x0050:  0000 0c00 01                             .....
19:39:31.880152 IP sof02s32-in-f3.1e100.net.https > Gandalf.59672: Flags [.], ack 1, win 244, options [nop,nop,TS val 144522476 ecr 3690284027], length 0
	0x0000:  c8f7 33e8 d5f5 34da b782 fb30 0800 4500  ..3...4....0..E.
	0x0010:  0034 ff88 0000 7906 2a2c acd9 a983 c0a8  .4....y.*,......
	0x0020:  010a 01bb e918 b297 5dc9 2f2a 53c1 8010  ........]./*S...
	0x0030:  00f4 7a1f 0000 0101 080a 089d 3cec dbf5  ..z.........<...
	0x0040:  43fb                                     C.

11. Print Captured Packets in ASCII

The tcpdump command below with the -A option prints the contents of each packet in ASCII, a character-encoding scheme. This is useful for readable text protocols; encrypted traffic such as the HTTPS payloads in the output below appears as unreadable characters.

$ sudo tcpdump -c 5 -A -i wlo1

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlo1, link-type EN10MB (Ethernet), capture size 262144 bytes
19:41:54.700841 IP Gandalf.39854 > server.lintut.com.https: Flags [P.], seq 3247526468:3247526567, ack 2989138109, win 501, options [nop,nop,TS val 2324556321 ecr 1509530849], length 99
E...[.@.@..M...
.a./......RD.*.......X.....
...!Y.......^..........Jj."...Z%v...Q._@.>......wq,'X.g..}..R....k..b..M...L.G.(".5.....d8....qB....U.9..FR
19:41:54.701020 IP Gandalf.39854 > server.lintut.com.https: Flags [.], seq 99:1539, ack 1, win 501, options [nop,nop,TS val 2324556322 ecr 1509530849], length 1440
E...[.@.@......

12. Capture Packet from Specific Port

Using tcpdump we can capture packets on a specific port (e.g. 22) of a specific interface such as wlo1:

$ tcpdump -i {interface-name} port {Port_Number}

13. Capture Packets from source IP

Using the src keyword followed by an IP address, tcpdump captures only the packets from that specific source IP:

$ tcpdump -n -i {interface-name} src {ip-address}

14. Capture Packets from destination IP

To capture packets sent to a specific destination IP, use the following syntax:

$ tcpdump -n -i {interface-name} dst {IP-address}
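The options and filters above combine naturally into one capture. The following shell script is an added example, not part of the original article: it builds the src/dst/port filter of sections 12 to 14, saves the capture with the -c, -i and -w options of sections 3 and 5, and then checks the "dropped by kernel" counter that closes every tcpdump run, because dropped packets mean the saved file is not a complete record. Function and variable names are this example's own; it assumes POSIX sh, awk and a tcpdump that prints its packet summary on stderr.

```shell
# Added example, not from the original article: combine the -c/-i/-w options
# of sections 3 and 5 with the src/dst/port filters of sections 12-14, then
# check the "dropped by kernel" counter that closes every tcpdump run, since
# dropped packets mean the saved file is not a complete record. Names are this
# example's own; it assumes POSIX sh, awk and tcpdump's summary on stderr.

# build_filter SRC DST PORT: print a BPF expression joining the non-empty
# arguments with "and", e.g. "src 192.168.1.10 and port 22".
build_filter() {
    bpf=""
    for clause in "${1:+src $1}" "${2:+dst $2}" "${3:+port $3}"; do
        [ -n "$clause" ] || continue
        bpf="${bpf:+$bpf and }$clause"
    done
    printf '%s\n' "$bpf"
}

# kernel_drops SUMMARY: print the "dropped by kernel" count, 0 if absent.
kernel_drops() {
    printf '%s\n' "$1" | awk '/dropped by kernel/ { n = $1 } END { print n + 0 }'
}

# capture_complete SUMMARY: succeed only when the kernel dropped nothing.
capture_complete() { [ "$(kernel_drops "$1")" -eq 0 ]; }

# run_capture IFACE OUTFILE COUNT [SRC] [DST] [PORT]: save COUNT matching
# packets to OUTFILE (-n avoids reverse-DNS lookups, which would themselves
# add traffic to the capture) and fail if any packet was dropped.
run_capture() {
    bpf=$(build_filter "$4" "$5" "$6")
    # tcpdump prints the counts on stderr; $bpf is unquoted on purpose so
    # each filter token becomes its own argument, as on the command lines above.
    summary=$(sudo tcpdump -n -c "$3" -i "$1" -w "$2" $bpf 2>&1 >/dev/null)
    printf '%s\n' "$summary"
    if capture_complete "$summary"; then
        echo "capture complete: $2"
    else
        echo "WARNING: $(kernel_drops "$summary") packets dropped by kernel, $2 is incomplete" >&2
        return 1
    fi
}

# Constructed summary in the format shown in section 1, for an offline check.
SAMPLE_SUMMARY='19 packets captured
25 packets received by filter
6 packets dropped by kernel'

# Usage: sh capture.sh wlo1 savefile.pcap 10 "" "" 22 (tcpdump runs only with args)
if [ "$#" -ge 3 ]; then run_capture "$@"; fi
```

When the warning fires, repeat the capture with a tighter filter or with -w (no live decoding) so the kernel buffer is drained faster.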

This article may help you to explore the tcpdump command in depth and to capture and analyze packets in the future. There are a number of options available; use them as your requirements dictate. Please share if you find this article useful through our comment box.
