tcpdump – CLI Packet Capture

What is tcpdump?

Definition: tcpdump is a powerful command-line packet analyzer for Unix/Linux systems. It allows network administrators and security professionals to capture and inspect network traffic for real-time troubleshooting and deep protocol analysis.

Purpose & Role in Network Analysis

  • Diagnose connectivity issues
  • Identify abnormal or malicious activity
  • Verify network configurations and protocol operations
  • Analyze protocol behavior and performance

Basic tcpdump Usage

Syntax: tcpdump [options] [filter_expression]
Capture on an interface:
sudo tcpdump -i eth0
Tip: Use sudo for root privileges, which are usually required.

Filtering Captures (Focus Traffic)

Purpose            Command Example
By host            sudo tcpdump host 192.168.1.5
By port            sudo tcpdump port 80
By protocol        sudo tcpdump icmp
Combined filter    sudo tcpdump tcp and port 22 and host 10.0.0.5

Capture File Management

  • Write to file (PCAP format): sudo tcpdump -i eth0 -w capture.pcap (view later in Wireshark)
  • Read from file: tcpdump -r capture.pcap

Output & Display Options

Option            Description
-v, -vv, -vvv     Increase output verbosity (more protocol details)
-X                Print packets in hex + ASCII for deep inspection
-c [num]          Capture [num] packets, then stop (e.g., -c 50)
timeout           Not a tcpdump option: the coreutils timeout command ends the capture after a time limit (e.g., timeout 60s tcpdump -i eth0)

Common Protocols & Ports

Protocol/Port     tcpdump Filter Example
TCP               tcpdump tcp
UDP               tcpdump udp
ICMP              tcpdump icmp
ARP               tcpdump arp
DNS (port 53)     tcpdump port 53

Integrating with Other Tools

  • Open .pcap files in Wireshark for graphical analysis
  • Filter output with grep: sudo tcpdump -l -i eth0 | grep "192.168.1.5" (-l makes tcpdump line-buffer its output, so grep sees each line as soon as it is printed instead of after the buffer fills)
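Piping into grep only picks out lines; the next step is usually to summarize who is talking to whom. The POSIX shell functions below are an added example (not from the original page or from the tcpdump project) that read the text produced by tcpdump -nn and count, per source address, total packets and SYN-only segments (Flags [S]) together with the number of distinct destination ports those SYNs hit, which is a cheap way to spot a host probing many ports. The sample lines are constructed, the interface and addresses are placeholders, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: summarize `tcpdump -nn` text output per source IP.
# Assumes IPv4 lines ("IP" in field 2); IPv6 lines ("IP6") are ignored.

# Constructed sample of `sudo tcpdump -nn -i eth0` output (not a real capture).
SAMPLE_LINES='12:00:01.000001 IP 192.168.1.100.51234 > 10.0.0.5.22: Flags [S], seq 100, win 64240, length 0
12:00:01.000002 IP 10.0.0.5.22 > 192.168.1.100.51234: Flags [S.], seq 200, ack 101, win 65160, length 0
12:00:01.000003 IP 192.168.1.100.51234 > 10.0.0.5.22: Flags [.], ack 1, win 502, length 0
12:00:02.000001 IP 192.168.1.100.53422 > 192.168.1.1.53: 12345+ A? example.com. (29)
12:00:02.000002 IP 192.168.1.1.53 > 192.168.1.100.53422: 12345 1/0/0 A 203.0.113.10 (45)
12:00:03.000001 IP 192.168.1.100 > 10.1.1.1: ICMP echo request, id 1, seq 1, length 64
12:00:04.000001 IP 192.168.1.77.40001 > 10.0.0.5.21: Flags [S], seq 1, win 1024, length 0
12:00:04.000002 IP 192.168.1.77.40002 > 10.0.0.5.23: Flags [S], seq 1, win 1024, length 0
12:00:04.000003 IP 192.168.1.77.40003 > 10.0.0.5.25: Flags [S], seq 1, win 1024, length 0
12:00:04.000004 IP 192.168.1.77.40004 > 10.0.0.5.80: Flags [S], seq 1, win 1024, length 0'

# Read tcpdump -nn text on stdin; print one line per source IP:
#   <ip> packets=<n> syn=<n> syn_dst_ports=<n>
summarize_sources() {
  awk '
    $2 == "IP" {
      src = $3; dst = $5; sub(/:$/, "", dst)
      # With -nn, TCP/UDP endpoints print as A.B.C.D.PORT (5 dot-separated
      # parts); ICMP prints the bare address (4 parts), so only strip a 5th part.
      n = split(src, s, "."); if (n == 5) src = s[1] "." s[2] "." s[3] "." s[4]
      m = split(dst, d, "."); dport = (m == 5) ? d[5] : ""
      pkts[src]++
      # "Flags [S]," is a SYN without ACK: a new connection attempt by src.
      if ($6 == "Flags" && $7 == "[S],") {
        syn[src]++
        if (dport != "") seen[src, dport] = 1
      }
    }
    END {
      for (ip in pkts) {
        ports = 0
        for (k in seen) { split(k, kk, SUBSEP); if (kk[1] == ip) ports++ }
        printf "%s packets=%d syn=%d syn_dst_ports=%d\n", ip, pkts[ip], syn[ip] + 0, ports
      }
    }' | sort
}

# Print sources whose SYNs reached more than $1 distinct destination ports (default 3).
flag_syn_scanners() {
  threshold="${1:-3}"
  summarize_sources | awk -v t="$threshold" '
    { split($4, kv, "="); if (kv[2] + 0 > t) print $1 }'
}

# Usage on the constructed sample; on a live sensor replace the printf with
#   sudo tcpdump -l -nn -i eth0 | summarize_sources
printf '%s\n' "$SAMPLE_LINES" | summarize_sources
printf '%s\n' "$SAMPLE_LINES" | flag_syn_scanners 3
```

The threshold is deliberately low for the ten-line sample; on a real segment pick it from a baseline of normal traffic, and read a saved file the same way with tcpdump -nn -r capture.pcap | summarize_sources.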

Security & Permissions

  • Root privileges required for most interfaces
  • Only capture on networks where you are authorized!
  • Data may include sensitive information—respect privacy and legal regulations

Advanced Filtering Expressions

Combine boolean operators (and, or, not):

sudo tcpdump 'src net 192.168.1.0/24 and not dst port 22'
Tip: Use single quotes for complex filters on the CLI.

Best Practices

  • Use filters to minimize capture size and system impact
  • Document each capture’s purpose, time, and filter
  • For long captures, use file rotation (-C for size, -G for time)
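The best practices above (filter, document, rotate) come together in a long-running capture. The POSIX shell function below is an added example, not the page's or the tcpdump project's own code: it validates its inputs, refuses a -G rotation name without strftime(3) specifiers (without them tcpdump overwrites the same file at every rotation), and assembles a command line that turns name resolution off (-nn), drops root after the interface is opened (-Z), rotates by time (-G) and caps the number of files kept (-W) so a forgotten capture cannot fill the disk. The interface, output directory, filter, rotation values and the unprivileged user name nobody are assumptions to adjust for your host.

```shell
#!/bin/sh
# Added example: build (and optionally run) a rotating tcpdump capture.
# Assumed inputs: interface, writable output directory, BPF filter passed as ONE
# argument, and an unprivileged user "nobody" for -Z. Not tcpdump's own code.

# A -w name used with -G must contain strftime(3) specifiers (e.g. %Y%m%d-%H%M%S);
# without them every rotation overwrites the previous file.
check_rotation_name() {
  case "$1" in
    *%*) return 0 ;;
    *)   echo "rotation file name '$1' has no strftime specifier" >&2; return 1 ;;
  esac
}

# rotating_capture IFACE OUTDIR 'FILTER' [SECONDS_PER_FILE] [MAX_FILES]
# With DRY_RUN=1 the assembled command is printed one argument per line
# (useful for documenting the capture); otherwise it is run under sudo.
rotating_capture() {
  iface="$1"; outdir="$2"; filter="$3"
  rotate_secs="${4:-3600}"; max_files="${5:-24}"
  [ -n "$iface" ] || { echo "interface required (see: tcpdump -D)" >&2; return 1; }
  [ -d "$outdir" ] || { echo "$outdir is not a directory" >&2; return 1; }
  name="$outdir/cap-%Y%m%d-%H%M%S.pcap"
  check_rotation_name "$name" || return 1
  # -nn : no DNS or port-name lookups (no resolver traffic from the sensor)
  # -s 0: full packets (default on current tcpdump, stated explicitly)
  # -Z  : drop root privileges to "nobody" once the interface is open
  # -G/-W: new file every rotate_secs seconds, stop after max_files files
  set -- tcpdump -i "$iface" -nn -s 0 -Z nobody \
         -G "$rotate_secs" -W "$max_files" -w "$name" "$filter"
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "$@"
    return 0
  fi
  sudo "$@"
}

# Usage (dry run; set DRY_RUN=0 or unset it to actually capture):
DRY_RUN=1 rotating_capture eth0 . 'port 53 and not host 10.1.1.1' 600 6
```

Because the filter is quoted as a single argument, a compound expression with and/or/not reaches tcpdump intact; the dry-run output is also a ready-made record of the exact command, time window and filter for the capture log the best practices call for.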

Example Scenarios

  1. Verify HTTP Traffic: sudo tcpdump -i eth0 port 80
  2. Capture all ICMP (for ping troubleshooting): sudo tcpdump -i eth0 icmp
  3. Write to file, analyze later:
    • sudo tcpdump -i eth0 -w web_traffic.pcap
    • Later: tcpdump -r web_traffic.pcap

Hands-On tcpdump Practice Tasks

Task                                                Example Command                                                   Goal
Capture all traffic on interface eth0 for 30 s      sudo timeout 30s tcpdump -i eth0                                  Observe live packet flow
Filter by source IP address                         sudo tcpdump -i eth0 src host 192.168.1.100                       See only traffic from one host
Capture only HTTP (port 80) traffic                 sudo tcpdump -i eth0 port 80                                      Inspect web packets
Save 100 packets to a file & read it later          sudo tcpdump -i eth0 -c 100 -w sample.pcap; tcpdump -r sample.pcap   Work with .pcap files
View packet contents in hex and ASCII               sudo tcpdump -X -i eth0                                           Protocol headers and data
Monitor DNS requests and responses                  sudo tcpdump -i eth0 port 53                                      Watch DNS troubleshooting
Advanced: ICMP except a host                        sudo tcpdump 'icmp and not host 10.1.1.1'                         Exclude noisy/irrelevant hosts

tcpdump “Gotchas” for Exam and Real Networks

  • If you see “permission denied,” use sudo
  • Find your interface: tcpdump -D
  • Always filter where possible to avoid overload
  • Add -X for payload details; use -vvv for more protocol info
  • For long sessions, rotate files (-C for size in millions of bytes, -G for seconds; with -G, put strftime specifiers such as %Y%m%d-%H%M%S in the -w file name so each rotation gets a new file)
  • Never capture traffic without proper authorization

Summary Table: tcpdump Command Options

Option           Function                                                         Example
-i               Select interface                                                 -i eth0
-w               Write to .pcap file                                              -w capture.pcap
-r               Read from file                                                   -r capture.pcap
-c               Packet count limit                                               -c 50
-X               Show packet data (hex+ASCII)                                     -X
-v, -vv, -vvv    Increase verbosity                                               -vvv
timeout          Set time limit (coreutils command, not a tcpdump option)         timeout 60s tcpdump ...
-C, -G           File rotation (-C size in millions of bytes, -G seconds)          -C 10 -G 60

Exam Tips & Key Points

  • Know basic syntax, filters, file operations, and permissions
  • Always explain legal/ethical aspects in answers
  • Mention Wireshark for advanced/graphical analysis
  • Be ready to describe troubleshooting scenarios

tcpdump – CLI Packet Capture Quiz

1. What is tcpdump primarily used for?

Correct answer is C. tcpdump is a command-line tool used to capture and analyze network traffic.

2. Which command captures packets on the eth0 interface?

Correct answer is A. The -i option specifies the interface, with sudo often needed for permissions.

3. How do you capture only HTTP traffic (port 80) using tcpdump?

Correct answer is D. Filtering by port 80 captures HTTP traffic; sudo is used for permissions.

4. Which option writes captured packets to a file for later analysis?

Correct answer is B. The -w option saves the capture to a file in PCAP format.

5. How do you read packets from a previously saved capture file?

Correct answer is C. The -r option reads packets from a saved capture file.

6. Which tcpdump flag increases verbosity and shows packet contents in hex and ASCII?

Correct answer is D. The -X option prints packet contents in hex and ASCII.

7. How can you limit tcpdump to capture only 50 packets?

Correct answer is A. The -c option limits capture to 50 packets.

8. Which filter captures all ICMP packets except those involving host 10.1.1.1?

Correct answer is B. This filter captures ICMP except involving the specified host.

9. What is required to run tcpdump on most systems?

Correct answer is C. Root or admin privileges are usually required to capture packets.

10. Which of the following is a best practice when using tcpdump?

Correct answer is D. Filtering captures reduces resource use and protects privacy and legality.
