The tcpdump command can be used to capture network traffic on a Linux system. It’s a versatile command line utility that network administrators often rely on for troubleshooting.
What you’ll come to find is that the amount of networking traffic captured on an interface can be easily overwhelming. tcmpdump makes our job a little easier by allowing us to isolate only the traffic we’re interested in. Of course, in order to do this, you need to be familiar with the various flags and settings that go along with the command.
In this guide, you’ll see how to use tcpdump through examples and explanations. Follow along on your own system if you want to learn to capture network traffic and master the tcpdump command.
In this tutorial you will learn:
- How to install tcpdump on major Linux distros
- tcpdump command examples
- How to filter tcpdump traffic by port, protocol, source, and destination
- How to write tcpdump captures to file
- How to interpret tcpdump command output
| Category | Requirements, Conventions or Software Version Used |
|---|---|
| System | Any Linux distro |
| Software | tcpdump |
| Other | Privileged access to your Linux system as root or via the sudo command. |
| Conventions |
# – requires given linux commands to be executed with root privileges either directly as a root user or by use of sudo command$ – requires given linux commands to be executed as a regular non-privileged user |
Install tcpdump on major Linux distros
There’s a good chance that your Linux distro already has tcpdump installed by default, especially if you’re running a distro geared towards servers. Just in case it’s not already installed, you can use the appropriate command below to install it through your system’s package manager.
To install tcpdump on Ubuntu, Debian, and Linux Mint:
$ sudo apt install tcpdump
To install tcpdump on CentOS, Fedora, AlmaLinux, and Red Hat:
$ sudo dnf install tcpdump
To install tcpdump on Arch Linux and Manjaro:
$ sudo pacman -S tcpdump
tcpdump command examples
All of your
tcpdump commands must be executed with the root user account or with sudo. The utility requires administrator privileges in order to run.The most simple form of the command is to use the utility with no extra options, like this:
# tcpdump
If you don’t specify which network interface you’d like to capture traffic from, like in the above command, then tcpdump will choose an interface for you.
It will continue “dumping” the captured traffic to your terminal until you interrupt the command. The easiest way to do this is with Ctrl + c.
If you have more than one network interface, then it’ll be best to specify which interface you’re trying to capture traffic on, since tcpdump may not choose the one you want by default. Use the -D option to print a list of network interfaces that tcpdump can use.
# tcpdump -D 1.enp0s3 [Up, Running] 2.lo [Up, Running, Loopback] 3.any (Pseudo-device that captures on all interfaces) [Up, Running] 4.bluetooth-monitor (Bluetooth Linux Monitor) [none] 5.nflog (Linux netfilter log (NFLOG) interface) [none] 6.nfqueue (Linux netfilter queue (NFQUEUE) interface) [none]
We have a few different interfaces that we can use. Alternatively, we have the any option available that will let us capture traffic on all network interfaces simultaneously. If we want to capture network traffic on the enp0s3 interface, we would use the following command syntax.
# tcpdump -i enp0s3
You can use the -v option to increase the verbosity of the output, or -vv and -vvv to increase it even further.
# tcpdump -i enp0s3 -vv
If you don’t want tcpdump to endlessly output data to your terminal, you can use the -c option to specify how many packets you’d like the utility to capture. tcpdump will quit executing the command after the threshold has been reached, rather than waiting for you to interrupt. The following command will allow us to capture only the first 15 packets.
# tcpdump -c 15
If you don’t want tcpdump to perform DNS resolution on the network addresses in the output, you can use the -n option in your command. This will display all network addresses as IP addresses, rather than resolving them to domain names.
# tcpdump -n
If you would rather save the network traffic output to file, instead of having it listed on your screen, you can always redirect the tcpdump output with the usual > and >> operators.
# tcpdump > traffic.txt
Another option is to write the network capture to file. These files usually have the .pcap file extension, and can’t be read by an ordinary text editor.
# tcpdump -n -w traffic.pcap
To open the file for later analysis, use the -r option and the name of your file.
# tcpdump -r traffic.pcap
Interpret tcpdump command output
Each packet that tcpdump captures is written as an individual line. One of those lines will look something like this:
14:21:46.134249 IP 10.0.2.15.54000 > 104.16.168.35.443: Flags [.], ack 2915, win 63000, length 0
Here’s how to interpret that line of data:
14:21:46.134249– Timestamp of when the packet was captured.IP 10.0.2.15.54000– IP and port number of the source host.104.16.168.35.443– IP and port number of the destination host.Flags [.]– TCP flags (SYN, ACK, PSH, etc).[.]means ACK.ack 2915– The acknowledgment number.win 63000– The window number (bytes in receiving buffer).length 0– The length of the payload data.
Filter tcpdump traffic
One of the best features of tcpdump is that we can filter out exactly the traffic we want to see. Without filtering out traffic by adapter (as seen above), port number, and packet protocol, the amount of captured traffic can quickly become overwhelming and nearly impossible to sift through.
Despite the name tcpdump, we can use the tool to filter out all kinds of traffic, not just TCP. For example, use the following syntax to filter out traffic that uses UDP.
# tcpdump -n udp
Or the following example that filters out ICMP:
# tcpdump -n icmp
You can also use the corresponding protocol number to filter out a specific protocol. For example, ICMP is protocol number 1, so the following syntax will do the same as the previous example.
# tcpdump -n proto 1
To see a full list of networking protocols and their corresponding numbers, check out the list of IP protocol numbers on Wikipedia.
To filter traffic with a specific destination or source IP address, we can use the host qualifer with the -n option. For example, to filter traffic related to the host at IP address 10.10.150.20:
# tcpdump -n host 10.10.150.20
Alternatively, use the net qualifer if you want to filter out traffic to or from an entire network. For example, the following command will filter traffic related to the 192.168.1.0/24 network.
# tcpdump -n net 192.168.1
Use the port and portrange qualifiers to filter out packets related to a specific port or port range, respectively. For example, the following command will filter our traffic related to port 80 (HTTP).
# tcpdump -n port 80
Or, to filter traffic from ports 20-30, the following command would be used.
# tcpdump -n portrange 20-30
Add the dst, src, src and dst, and src or dst qualifiers if you want to filter based on the source and/or destination address or port of the packets. For example, the following command will filter out packets that have a source IP address of 10.10.150.20.
# tcpdump -n src host 10.10.150.20
Or in this example, we filter out packets that are destined for the SSH port (port 22).
# tcpdump -n dst port 22
Combining filters
We can combine these various filters covered above by using the and (&&), or (||), and not (!) operators in our tcpdump command.
For example, the following command will capture traffic that’s destined for 10.10.150.20 on port 80 (HTTP).
# tcpdump -n dst host 10.10.150.20 and tcp port 80
Or create even more granular filters by further combining rules inside parentheses. For example, this command will do the same as the previous, but also capture port 443 (HTTPS).
# tcpdump -n 'dst host 10.10.150.20 and (tcp port 80 or tcp port 443)'
Closing Thoughts
In this guide, we saw how to use the tcpdump command line utility to capture network traffic on a Linux system. As we’ve seen in this tutorial, the command can get rather complex and accept very granular input, which allows us to filter out the exact traffic we want to see.
