10 Useful tcpdump command examples

Updated: Feb 15

In this tutorial, we will learn 10 useful Linux tcpdump command examples and tcpdump command options to analyze the traffic flow on a Linux machine.


Capture traffic on specific interface ( -i)

-i any means all the interfaces.

$  tcpdump -i ens160 
$  tcpdump -i any

Capture ip host-specific packets ( host filter/ip filter )

$  tcpdump -i ens160 -c 5  host 140.240.61.21

Capture packets on a specific port ( port)

$  tcpdump -i any port 8000


Write packets to a file ( -w )

$  tcpdump -c 5 -w network_file_linux.pcap -i any

Capture packets from a specific protocol 

$  tcpdump -i ens160 -c 5 -nn tcp

Filter tcpdump packets from specific source & dest host

$  tcpdump src 100.10.8.121
$  tcpdump dst 14.211.62.121

Rotate tcpdump packets 

$ tcpdump -i ens160 -w /tmp/network-%H-%M.pcap -W 48 -G 300 -C 100

-C file_size (M) -G rotate_seconds -W filecount 

tcpdump -G 100 -W 3 -w network-%H-%M.pcap port 19096
  1 root  wheel   384881 Feb 13 17:09 network-17-08.pcap
  1 root  wheel  2096619 Feb 13 17:11 network-17-09.pcap
  1 root  wheel   320744 Feb 13 17:13 network-17-11.pcap


Capture Multiple hosts with tcpdump

$ tcpdump src 192.168.0.10 or src 192.168.0.10

Filter Multiple ports with tcpdump

$ tcpdump -i eth0 port 22 or port 9402

Filter Multiple interfaces

$ tcpdump -i any
$ tcpdump -i eth0 arp or icmp and host 192.168.0.10

Tcpdump command options summary

Tcpdump provides several options that enhance or modify its output. The following are the commonly used options for tcpdump command.

  • -i <interface>: Listen on the specified interface.

  • -n: Don’t resolve hostnames. You can use -nn to don’t resolve hostnames or port names.

  • -t: Print human-readable timestamp on each dump line, -tttt: Give maximally human-readable timestamp output.

  • -X: Show the packet’s contents in both hex and ascii.

  • -v, -vv, -vvv: Increase the amount of packet information you get back.

  • -c N: Only get N number of packets and then stop.

  • -s: Define the snaplength (size) of the capture in bytes. Use -s0 to get everything, unless you are intentionally capturing less.

  • -S: Print absolute sequence numbers.

  • -q: Show less protocol information.

  • -w <file name>: Write the raw packets to file rather

  • -C file_size(M)

  • -G rotate_seconds

Related Post:

Learn tcpdump Quick Guide

20 Advanced Tcpdump Examples On Linux

Linux Tcpdump: Filter ipv6 ntp ping packets


376 views

Join our mail group. Get a free Linux account on Cloud.

Never miss a post!

Want a free Linux account?  This account can be used to login to our cloud server and practice Linux commands.

 
kamateravps.gif
topbackgroud.png

✔ Linux Commands   ✔ Linux Skills    ✔ LinuxPerformance   ✔ Linux Interview

Some articles are from the public internet. If you find your article misused or undesired here and you don't want us to display it, please let us know and we'll remove it immediately.