TCPDump

tcpdump is a command-line packet analyzer for capturing and inspecting live network traffic. Essential for network troubleshooting and security work.

Source

• A tcpdump Tutorial with Examples — Daniel Miessler (150+ examples)
• tcpdump tutorial (blog)

Basic syntax

tcpdump [options] [expression]

• options — interface, verbosity, output format, write to file
• expression — filter by host, port, protocol, flags, etc.

Common captures

# List interfaces
tcpdump -D

# All traffic on an interface
tcpdump -i eth0

# Host filter
tcpdump host 192.168.1.100

# Port filter
tcpdump port 80

# Combine filters
tcpdump host 192.168.1.100 and port 80
tcpdump src host 192.168.1.100 and \( port 80 or port 443 \)

# Protocol only
tcpdump tcp
tcpdump udp

Useful options

Flag	Purpose
-i eth0	Select interface (any for all)
-n / -nn	No DNS / no port-name resolution
-c 100	Stop after N packets
-v / -vv / -vvv	More verbose output
-s 0	Full packet snap length
-w file.pcap	Write capture to file
-r file.pcap	Read capture from file
-X / -XX	Hex (+ ASCII) dump; -XX includes Ethernet header
-tttt	Human-readable timestamps

TCP flag filters

# SYN packets
tcpdump 'tcp[13] & 2 != 0'

# SYN or ACK
tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-ack) != 0'

Everyday combo

tcpdump -i eth0 -nnvvS -c 50 'tcp port 443'

Press Ctrl+C to stop a live capture.

Related

• Networking section