tcpdump
Capture and analyze network packets from the command line with tcpdump to debug connections, inspect protocols, and diagnose traffic issues on Linux.
- tcpdump
- What tcpdump Does and When to Use It
- How to Install tcpdump
- Core Concepts of tcpdump
- tcpdump Capture Filters (BPF Syntax)
- tcpdump Output Format
- tcpdump Packet Capture Files (pcap)
- Common Tasks with tcpdump
- How to Capture All Traffic on an Interface with tcpdump
- How to Filter Traffic by Host and Port with tcpdump
- How to Save a Packet Capture to a File with tcpdump
- How to Display Packet Contents with tcpdump
- How to Capture Traffic Without Resolving Hostnames
- tcpdump Troubleshooting
- Related Tools and Guides
tcpdump
tcpdump is a command-line packet analyzer that captures network traffic on a specified interface and displays or saves packet data for protocol analysis and connection debugging on Linux, macOS, and other Unix-like systems.
What tcpdump Does and When to Use It
tcpdump intercepts packets on a network interface and prints a summary of each packet's protocol, source, destination, ports, flags, and payload size. System administrators use tcpdump to verify that traffic reaches a server, inspect DNS queries, confirm TLS handshakes, debug application-layer issues, and capture evidence for security incident analysis.
tcpdump operates at the packet level using the libpcap library. It runs directly on the server being diagnosed, which makes it indispensable when GUI-based tools like Wireshark cannot be installed. tcpdump can save captures to `.pcap` files for later analysis in Wireshark.

tcpdump is not a protocol decoder for complex application-layer protocols. For deep inspection of HTTP/2, gRPC, or database wire protocols, export a pcap file and open it in Wireshark. For real-time traffic monitoring with statistics, consider `iftop` or `nload`. For official documentation, see `man tcpdump` or tcpdump.org.
How to Install tcpdump
=== "Ubuntu / Debian"

    ```bash
    sudo apt install tcpdump
    ```

=== "RHEL / CentOS / Fedora"

    ```bash
    sudo dnf install tcpdump
    ```

tcpdump requires root privileges (or the `CAP_NET_RAW` capability) to capture packets.
Core Concepts of tcpdump
tcpdump Capture Filters (BPF Syntax)
tcpdump uses Berkeley Packet Filter (BPF) syntax to select which packets to capture. Filters reduce noise by matching specific hosts, ports, or protocols before packets reach the display engine. Common filters: `host 203.0.113.1`, `port 443`, `tcp`, `udp`, `src 10.0.0.1`, `dst port 80`. Filters combine with `and`, `or`, and `not`.
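To make the filter semantics concrete, here is an added example (not code from this page or from the tcpdump project) that evaluates the subset of BPF syntax listed above over a few constructed packet records. Real tcpdump hands the expression to libpcap, which compiles it into a BPF program that runs in the kernel; this Python evaluator only reproduces the matching rules: `host` and `port` match either direction unless qualified with `src` or `dst`, `src 10.0.0.1` is shorthand for `src host 10.0.0.1`, a protocol keyword such as `udp` qualifies the term that follows it (so `udp port 53` means `udp and port 53`), and `not` binds tighter than `and`, which binds tighter than `or`. The packet records, addresses and field names are constructed for this illustration.

```python
"""Evaluate the subset of BPF filter syntax listed above over constructed packet
records: host/port (optionally qualified by src/dst), tcp/udp, and/or/not and
parentheses. Added illustration; real tcpdump compiles filters with libpcap."""

# Constructed packet records, not captured traffic. The fields are the ones
# the page's filters refer to: protocol, addresses and ports.
PACKETS = [
    {"proto": "tcp", "src": "10.0.0.5", "sport": 51234, "dst": "203.0.113.1", "dport": 443},
    {"proto": "tcp", "src": "203.0.113.1", "sport": 443, "dst": "10.0.0.5", "dport": 51234},
    {"proto": "udp", "src": "10.0.0.5", "sport": 40001, "dst": "10.0.0.53", "dport": 53},
    {"proto": "tcp", "src": "10.0.0.1", "sport": 33000, "dst": "203.0.113.1", "dport": 80},
]

# Which record fields a host/port term inspects for each direction qualifier;
# no qualifier means "either direction", as in tcpdump.
HOST_FIELDS = {"src": ("src",), "dst": ("dst",), None: ("src", "dst")}
PORT_FIELDS = {"src": ("sport",), "dst": ("dport",), None: ("sport", "dport")}


def _parse(tokens):
    """Recursive-descent parser; precedence is not > and > or."""
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of expression")
        pos += 1
        return tokens[pos - 1]

    def parse_or():
        left = parse_and()
        while peek() == "or":
            take()
            left = (lambda a, b: lambda p: a(p) or b(p))(left, parse_and())
        return left

    def parse_and():
        left = parse_not()
        while peek() == "and":
            take()
            left = (lambda a, b: lambda p: a(p) and b(p))(left, parse_not())
        return left

    def parse_not():
        if peek() == "not":
            take()
            inner = parse_not()
            return lambda p: not inner(p)
        return parse_primary()

    def parse_primary():
        tok = take()
        if tok == "(":
            inner = parse_or()
            if take() != ")":
                raise ValueError("missing ')'")
            return inner
        if tok in ("tcp", "udp"):
            proto = lambda p, name=tok: p["proto"] == name
            # "udp port 53" reads as "udp and port 53": the protocol keyword
            # qualifies the term that follows it.
            if peek() in ("src", "dst", "port"):
                term = parse_primary()
                return lambda p, a=proto, b=term: a(p) and b(p)
            return proto
        direction = None
        if tok in ("src", "dst"):
            direction, tok = tok, take()
            if tok not in ("host", "port"):
                tok, value = "host", tok   # "src 10.0.0.1" == "src host 10.0.0.1"
            else:
                value = take()
        elif tok in ("host", "port"):
            value = take()
        else:
            raise ValueError(f"unexpected token {tok!r}")
        if tok == "host":
            return lambda p, f=HOST_FIELDS[direction], v=value: any(p[k] == v for k in f)
        return lambda p, f=PORT_FIELDS[direction], v=int(value): any(p[k] == v for k in f)

    result = parse_or()
    if pos != len(tokens):
        raise ValueError(f"trailing tokens: {tokens[pos:]}")
    return result


def compile_filter(expression):
    """Turn a BPF-style expression into a predicate over packet records."""
    tokens = expression.replace("(", " ( ").replace(")", " ) ").split()
    return _parse(tokens)


def matching(expression, packets=PACKETS):
    """Indices of the packets the filter selects, in capture order."""
    pred = compile_filter(expression)
    return [i for i, p in enumerate(packets) if pred(p)]


if __name__ == "__main__":
    for expr in ("host 203.0.113.1 and port 443", "udp port 53", "src 10.0.0.1",
                 "dst port 80", "not tcp", "udp or (tcp and dst port 80)"):
        print(f"{expr:32} -> packets {matching(expr)}")
```

Running it prints which sample packets each filter selects. Note that an unqualified `port 443` also matches replies coming from port 443, which is why `host 203.0.113.1 and port 443` selects both directions of the HTTPS flow; use `dst port` when only one direction is wanted. In real tcpdump the compiled filter runs before packets are copied to user space, so a tight filter also lowers the load the capture puts on a busy server.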
tcpdump Output Format
Each line of tcpdump output shows a timestamp, source address and port, destination address and port, protocol flags, sequence numbers, and payload length. TCP flags are displayed as single characters: `S` (SYN), `S.` (SYN-ACK), `.` (ACK), `F` (FIN), `R` (RST), `P` (PUSH).
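As an added example (not code from this page or from the tcpdump project), the following Python parses lines in the summary format described above and uses the flag characters to classify each TCP flow as established, reset, half-open or mid-stream. The sample lines are constructed in the format tcpdump prints with `-nn` (numeric addresses and ports, so the last dotted component of each endpoint is the port); the record field names are assumptions made for this illustration.

```python
"""Parse tcpdump's one-line TCP summaries and classify each flow from the flag
characters seen. Added illustration; the sample lines are constructed in
tcpdump's -nn output format, not captured traffic."""
import re
from collections import defaultdict

# Constructed sample output: one completed HTTPS handshake with data, one
# connection attempt answered by RST, and one SYN that was never answered.
SAMPLE_OUTPUT = """\
12:00:01.000123 IP 10.0.0.5.51234 > 203.0.113.1.443: Flags [S], seq 1000, win 64240, length 0
12:00:01.000456 IP 203.0.113.1.443 > 10.0.0.5.51234: Flags [S.], seq 5000, ack 1001, win 65535, length 0
12:00:01.000789 IP 10.0.0.5.51234 > 203.0.113.1.443: Flags [.], ack 5001, win 502, length 0
12:00:01.001000 IP 10.0.0.5.51234 > 203.0.113.1.443: Flags [P.], seq 1001:1518, ack 5001, win 502, length 517
12:00:02.000000 IP 10.0.0.9.40000 > 203.0.113.1.22: Flags [S], seq 77, win 64240, length 0
12:00:02.000100 IP 203.0.113.1.22 > 10.0.0.9.40000: Flags [R.], seq 0, ack 78, win 0, length 0
12:00:03.000000 IP 10.0.0.9.40001 > 203.0.113.1.8080: Flags [S], seq 88, win 64240, length 0
"""

# timestamp, "IP", src.port > dst.port:, Flags [..], ..., length N
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\].*?length (?P<length>\d+)$"
)


def parse_line(line):
    """Return the fields of one TCP summary line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None   # DNS, ICMP, ARP and other summaries use different layouts
    rec = m.groupdict()
    for key in ("sport", "dport", "length"):
        rec[key] = int(rec[key])
    return rec


def flow_key(rec):
    """Order the two endpoints so both directions of a flow share one key."""
    a = (rec["src"], rec["sport"])
    b = (rec["dst"], rec["dport"])
    return (a, b) if a <= b else (b, a)


def handshake_states(text):
    """Classify each flow from the set of flag strings seen on it."""
    seen = defaultdict(set)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            seen[flow_key(rec)].add(rec["flags"])
    states = {}
    for key, flags in seen.items():
        if "S." in flags and "." in flags:
            states[key] = "established"      # SYN-ACK answered by a bare ACK
        elif any(f.startswith("R") for f in flags):
            states[key] = "reset"            # the peer refused or tore it down
        elif "S" in flags:
            states[key] = "syn-unanswered"   # half-open: SYN with no reply seen
        else:
            states[key] = "mid-stream"       # capture began after the handshake
    return states


if __name__ == "__main__":
    for (a, b), state in handshake_states(SAMPLE_OUTPUT).items():
        print(f"{a[0]}:{a[1]} <-> {b[0]}:{b[1]}: {state}")
```

Fed the text of `tcpdump -nn -r capture.pcap`, this answers the question the page raises about verifying that traffic reaches a server: a flow left in `syn-unanswered` had its SYN seen on this interface but never received a SYN-ACK, while a `reset` flow was actively refused. Lines in other formats, such as DNS summaries, are skipped rather than mis-parsed, and a flow whose handshake happened before the capture started is reported as `mid-stream` instead of being mistaken for a failure.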
tcpdump Packet Capture Files (pcap)
tcpdump saves raw packet data to pcap files with the `-w` flag. These files can be read back with `tcpdump -r` or opened in Wireshark for graphical analysis. Limiting capture size with `-c` (packet count) or `-G` (time rotation) prevents disk space exhaustion.
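The pcap layout is simple enough to show end to end. This added example (not code from this page or from the tcpdump project) writes a file with the structure `tcpdump -w` produces, a 24-byte global header followed by a 16-byte record header plus the stored bytes for each packet, then reads it back, detecting byte order from the magic number and honouring the snaplen truncation that `-s` applies. The two Ethernet frames, their timestamps and the temporary file path are constructed for the illustration.

```python
"""Write a pcap file with the layout tcpdump -w produces and read it back:
a 24-byte global header, then per packet a 16-byte record header followed by
the stored bytes. Added illustration; the frames below are constructed."""
import os
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4   # writer's native byte order, microsecond timestamps
LINKTYPE_ETHERNET = 1     # DLT_EN10MB: each record starts with an Ethernet header


def write_pcap(path, packets, snaplen=65535):
    """packets: iterable of (seconds, microseconds, frame bytes)."""
    with open(path, "wb") as f:
        # Global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype.
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
        for sec, usec, frame in packets:
            stored = frame[:snaplen]  # snaplen (-s) truncates what is stored...
            # Record header: ts_sec, ts_usec, incl_len (stored), orig_len (on the wire).
            f.write(struct.pack("<IIII", sec, usec, len(stored), len(frame)))
            f.write(stored)           # ...but orig_len still records the wire length


def read_pcap(path):
    """Return (linktype, [(sec, usec, orig_len, stored_bytes), ...])."""
    with open(path, "rb") as f:
        raw = f.read()
    if len(raw) < 24:
        raise ValueError("file shorter than a pcap global header")
    # The magic number reveals the byte order the writer used.
    magic = struct.unpack("<I", raw[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a pcap file (bad magic)")
    linktype = struct.unpack(endian + "IHHiIII", raw[:24])[6]
    records, offset = [], 24
    while offset < len(raw):
        if offset + 16 > len(raw):
            raise ValueError("truncated record header")
        sec, usec, incl_len, orig_len = struct.unpack(endian + "IIII", raw[offset:offset + 16])
        offset += 16
        if offset + incl_len > len(raw):
            raise ValueError("truncated record")  # what a capture killed mid-write looks like
        records.append((sec, usec, orig_len, raw[offset:offset + incl_len]))
        offset += incl_len
    return linktype, records


def demo(snaplen=65535):
    """Round-trip two constructed frames through a temporary file."""
    # Constructed: 14-byte Ethernet header (dst MAC, src MAC, EtherType IPv4) plus filler.
    frame_a = bytes.fromhex("00112233445566778899aabb0800") + b"A" * 50   # 64 bytes
    frame_b = bytes.fromhex("66778899aabb0011223344550800") + b"B" * 100  # 114 bytes
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "capture.pcap")
    try:
        write_pcap(path, [(1700000000, 123, frame_a), (1700000001, 456, frame_b)], snaplen)
        return read_pcap(path)
    finally:
        if os.path.exists(path):
            os.remove(path)
        os.rmdir(tmpdir)


if __name__ == "__main__":
    linktype, records = demo(snaplen=40)
    print("linktype", linktype)
    for sec, usec, orig_len, stored in records:
        print(f"{sec}.{usec:06d} stored {len(stored)} of {orig_len} bytes")
```

A file written this way is what `tcpdump -r` and Wireshark expect, which is why a capture taken on a server with no GUI can be analysed elsewhere. `read_pcap` rejects a record whose stored length runs past the end of the file, which is exactly what a capture process killed mid-write leaves behind; everything before that record is still usable. On the rotation point above, `-G` starts a new file every N seconds (named by the strftime pattern given to `-w`), and adding `-W` caps how many rotated files are written.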
Common Tasks with tcpdump
How to Capture All Traffic on an Interface with tcpdump
tcpdump starts capturing on a specified interface. Use `-i` to select the interface:

```bash
sudo tcpdump -i eth0
```

List available interfaces:

```bash
sudo tcpdump -D
```

How to Filter Traffic by Host and Port with tcpdump
tcpdump captures only packets matching the BPF filter expression. Capture HTTPS traffic to a specific host:

```bash
sudo tcpdump -i eth0 host 203.0.113.1 and port 443
```

Capture DNS queries (UDP port 53):

```bash
sudo tcpdump -i eth0 udp port 53
```

How to Save a Packet Capture to a File with tcpdump
tcpdump writes raw packets to a pcap file for later analysis:

```bash
sudo tcpdump -i eth0 -w /tmp/capture.pcap -c 1000
```

The `-c 1000` flag stops after capturing 1,000 packets.

Read a saved capture:

```bash
tcpdump -r /tmp/capture.pcap
```

How to Display Packet Contents with tcpdump
tcpdump shows packet payloads in hex and ASCII with the `-X` flag. Use `-A` for ASCII-only output (useful for inspecting HTTP traffic):

```bash
sudo tcpdump -i eth0 -A port 80
```

How to Capture Traffic Without Resolving Hostnames
tcpdump performs reverse DNS lookups on every IP by default, which slows output. Disable lookups with `-n` (no hostname resolution) and `-nn` (no hostname and no port name resolution):

```bash
sudo tcpdump -nn -i eth0
```

tcpdump Troubleshooting
| Error / Symptom | Cause | Fix |
|---|---|---|
| `tcpdump: permission denied` | tcpdump requires root or the `CAP_NET_RAW` capability | → Full article |
| `tcpdump: No suitable device found` | No network interface is available or tcpdump cannot access it | → Full article |
| Output is too fast to read | High traffic volume without filters | → Full article |
| Capture file grows too large | No packet count or time limit set | → Full article |
Related Tools and Guides
ping tests basic ICMP connectivity between hosts. tcpdump captures the actual packets for deeper analysis. See the ping article.
traceroute maps the network path between hosts. tcpdump verifies that packets arrive at each hop. See the Traceroute article.
dig queries DNS records. tcpdump captures the raw DNS query and response packets on the wire. See the dig article.