tcpdump Command

Advanced Networking man(1)

Capture and analyze network traffic

Updated: Mar 15, 2026
SYNTAX
tcpdump [OPTION]... [EXPRESSION]

What Does tcpdump Do?

tcpdump captures and displays network packets in real time. It is the most widely used command-line packet analyzer, essential for network troubleshooting, protocol analysis, and security monitoring.

tcpdump captures raw packets from network interfaces and can filter by protocol, port, host, and many other criteria. Captures can be saved to .pcap files for later analysis with Wireshark.

tcpdump requires root privileges (or the CAP_NET_RAW capability) to open a network interface for raw packet capture; by default it also puts the interface into promiscuous mode so that it sees frames not addressed to the host. It is one of the most powerful network debugging tools available.

Options & Flags

Option   Description                                   Example
-i       Capture on a specific interface               sudo tcpdump -i eth0
-n       Do not resolve hostnames                      sudo tcpdump -n
-c       Capture N packets, then stop                  sudo tcpdump -c 100
-w       Write packets to a pcap file                  sudo tcpdump -w capture.pcap
-r       Read packets from a pcap file                 tcpdump -r capture.pcap
-A       Print packet contents as ASCII                sudo tcpdump -A port 80
port     Filter by port (filter expression, not flag)  sudo tcpdump port 443
host     Filter by host (filter expression, not flag)  sudo tcpdump host 10.0.0.1

Practical Examples

#1 Capture HTTP traffic

Captures 50 packets on port 80 without DNS resolution. Options go before the filter expression; putting -c after "port 80" only works where getopt reorders arguments.
$ sudo tcpdump -n -c 50 port 80

#2 Capture from specific host

Shows all traffic to/from a specific IP.
$ sudo tcpdump -n host 192.168.1.100

#3 Save to file

Captures 1000 packets and saves for analysis in Wireshark.
$ sudo tcpdump -w /tmp/capture.pcap -c 1000

#4 DNS queries

Captures DNS query and response packets.
$ sudo tcpdump -n port 53

#5 HTTP content

Shows HTTP request methods and hosts in ASCII.
$ sudo tcpdump -A -n port 80 | grep -i "GET\|POST\|Host"

#6 Choose the interface

Captures PostgreSQL traffic on all interfaces (-i any); use -i eth0 or another interface name to restrict the capture to one.
$ sudo tcpdump -i any -n port 5432

Tips & Best Practices

Capture and analyze later: sudo tcpdump -w file.pcap captures packets. Open file.pcap in Wireshark for detailed graphical analysis.
Can capture sensitive data: tcpdump can capture passwords, tokens, and other sensitive data in unencrypted traffic. Handle captures securely.
BPF filter syntax: Combine filters: tcpdump 'host 10.0.0.1 and port 443'. Use and, or, not for complex expressions.
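A small Python model of what examples #3 and #5 and the tips above describe, added here as an illustration (it is not part of this page or of tcpdump itself): it writes a constructed capture in the classic pcap layout that -w produces, reads it back the way -r does, applies the BPF "port N" rule (source or destination port), and pulls out the cleartext GET/POST/Host lines that -A exposes, which is exactly why saved captures need careful handling. Addresses, ports, payloads and timestamps are constructed sample values; checksums are left zero.

```python
import struct
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len
ip4 = lambda dotted: bytes(map(int, dotted.split(".")))

def tcp_packet(src_ip, dst_ip, sport, dport, payload):
    """Minimal Ethernet/IPv4/TCP frame; checksums are left zero, which is enough for parsing."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0, ip4(src_ip), ip4(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload  # zeroed MACs, EtherType 0x0800 (IPv4)

def write_pcap(frames):
    """Serialize frames in the classic pcap layout that `tcpdump -w` produces (linktype 1 = Ethernet)."""
    recs = [REC_HDR.pack(1_700_000_000 + i, 0, len(f), len(f)) + f for i, f in enumerate(frames)]
    return GLOBAL_HDR.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(recs)

def read_pcap(data):
    """Yield one dict per IPv4/TCP record: a bare-bones `tcpdump -r`."""
    magic, *_, linktype = GLOBAL_HDR.unpack_from(data, 0)
    if magic != 0xA1B2C3D4 or linktype != 1: raise ValueError("expected native-order pcap, Ethernet frames")
    off = GLOBAL_HDR.size
    while off + REC_HDR.size <= len(data):
        _, _, incl_len, _ = REC_HDR.unpack_from(data, off)
        frame = data[off + REC_HDR.size:off + REC_HDR.size + incl_len]
        off += REC_HDR.size + incl_len
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:  # skip anything that is not IPv4/TCP
            continue
        tcp_off, ip_total = 14 + (frame[14] & 0x0F) * 4, struct.unpack_from("!H", frame, 16)[0]
        sport, dport = struct.unpack_from("!HH", frame, tcp_off)
        payload = frame[tcp_off + (frame[tcp_off + 12] >> 4) * 4:14 + ip_total]  # ip_total drops padding
        yield {"src": ".".join(map(str, frame[26:30])), "sport": sport, "payload": payload,
               "dst": ".".join(map(str, frame[30:34])), "dport": dport}

def matching_port(records, port):
    return [r for r in records if port in (r["sport"], r["dport"])]  # BPF `port N`: src OR dst

def http_lines(pcap):
    """Roughly what `tcpdump -A port 80` piped through grep for GET/POST/Host surfaces from a capture."""
    out = []
    for r in matching_port(read_pcap(pcap), 80):
        for line in r["payload"].decode("ascii", "replace").splitlines():
            if line.split(" ")[0] in ("GET", "POST") or line.startswith("Host:"):
                out.append(f"{r['src']}.{r['sport']} > {r['dst']}.{r['dport']}: {line}")
    return out

# Constructed sample capture (not real traffic): an HTTP request/response pair plus one port-53 packet.
SAMPLE_PCAP = write_pcap([
    tcp_packet("192.168.1.100", "10.0.0.1", 51000, 80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    tcp_packet("10.0.0.1", "192.168.1.100", 80, 51000, b"HTTP/1.1 200 OK\r\n\r\n"),
    tcp_packet("192.168.1.100", "10.0.0.1", 51001, 53, b"\x00\x1c")])
```

Writing SAMPLE_PCAP to a file gives something `tcpdump -r` and Wireshark will open, so the same script doubles as a way to build test inputs for filter expressions without touching live traffic.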

Frequently Asked Questions

How do I capture network traffic?
sudo tcpdump -i any -n -c 100 captures 100 packets on all interfaces. Add port or host filters.
How do I save a capture for Wireshark?
sudo tcpdump -w capture.pcap. Open the .pcap file in Wireshark for graphical analysis.
How do I filter by port?
sudo tcpdump port 80 captures only port 80 traffic. Combine: sudo tcpdump 'port 80 or port 443'.
