10 Linux tcpdump examples

Ever felt like your computer is a black box, constantly sending and receiving data without you having a clue what’s going on? You send an email, visit a website, or stream a video, and poof – magic happens.

But what if I told you there’s a way to pull back the curtain and see the actual digital conversations happening?

Enter tcpdump.

It’s a legendary command-line tool for Linux (and other Unix-like systems) that lets you peek into the network traffic flowing through your computer.

While it sounds techy, using tcpdump effectively is a skill anyone can learn.

Let’s dive in and light up your network insights!


Getting Started: The Absolute Basics (and Why Filters Are Key)

Before we jump into the examples, remember this: tcpdump without filters is like trying to find a specific person in a massive, screaming crowd. It’s overwhelming!

Our examples will primarily focus on using those crucial filters to make sense of the noise.

You’ll often need sudo before tcpdump commands because capturing network traffic requires special permissions.

Here are 10 practical tcpdump examples to get you started:



Example 1: See Everything Happening (The Firehose Approach)

This is your starting point, though rarely your destination. It shows you all the traffic tcpdump can see on your default network interface.

sudo tcpdump

What you’ll see: A continuous stream of packets, showing source, destination, protocol, and basic information. It’s a lot, right? This quickly shows you why we need filters!


Example 2: Watch a Specific Network Interface

Your computer might have several ways to connect to the internet (Wi-Fi, Ethernet). You might only want to watch traffic on a particular one. Use the -i flag.

First, find your interfaces using ip a or ifconfig. Common ones are eth0 (Ethernet) or wlan0 (Wi-Fi).

sudo tcpdump -i eth0

Why it’s useful: This helps you focus. If your Wi-Fi is connected to one network and Ethernet to another, you can choose which one to monitor.


Example 3: Filter Traffic for a Specific Host

This is perhaps the most common and useful filter. You want to see all traffic involving a particular IP address or hostname.

Let’s monitor traffic for Google’s public DNS server, 8.8.8.8:

sudo tcpdump host 8.8.8.8

What you’ll see: Every packet where 8.8.8.8 is either the source or the destination. Suddenly, things are much clearer!


Example 4: Only Show Traffic to a Destination Host

Sometimes you only care about packets going to a specific server, not those coming back. The dst keyword helps you narrow that down.

sudo tcpdump dst host 192.168.1.1

Why it’s useful: Great for seeing what your machine is sending to your router (often 192.168.1.1 or 192.168.0.1) without seeing all the router’s responses. Similarly, src host would show traffic originating from a specific host.


Example 5: Watch Traffic on a Specific Port

Applications use “ports” to communicate. Port 80 is for HTTP (web browsing), port 443 for HTTPS (secure web browsing), and port 22 for SSH (secure remote login).

Let’s monitor all standard web traffic (HTTP):

sudo tcpdump port 80

What you’ll see: All packets going to or coming from port 80. This is fantastic for debugging web servers or seeing unencrypted web requests.


Example 6: Combine Filters with ‘and’ for Precision

This is where tcpdump gets really powerful. You can combine multiple conditions using and, or, and not. Let’s monitor all secure web traffic (HTTPS) to example.com.

sudo tcpdump dst host example.com and port 443

Why it’s useful: You’re now seeing a very specific conversation. Only packets going to example.com and using port 443 will be displayed.


Example 7: Filter by Protocol (TCP, UDP, ICMP)

Different types of network communication use different “languages” or protocols. TCP is for reliable connections, UDP for faster, less reliable ones (like streaming), and ICMP for network diagnostic messages (like ping).

Let’s see all ping requests and responses (ICMP traffic):

sudo tcpdump icmp

What you’ll see: Any ping commands or other network error messages. Perfect for troubleshooting basic connectivity!


Example 8: Don’t Resolve Hostnames or Port Names (-n flag)

By default, tcpdump tries to convert IP addresses to human-readable hostnames (like google.com instead of 172.217.160.142) and port numbers to service names (like http instead of 80). This can slow things down and sometimes obscure the raw data.

The -n flag tells it not to do this.

sudo tcpdump -n host 8.8.8.8

Why it’s useful: For faster output, and when you specifically need to see the raw IP addresses and port numbers. This is also great for scripting.
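As an added example (not part of the original post), the following Python mirrors the host, dst host, src host, port, protocol and and/not filters from Examples 3 to 8 over constructed lines in the format that tcpdump -n prints, so you can check exactly which packets each filter keeps and why host matches both directions while dst host matches only one. The sample lines, addresses and ports are made up; the protocol guess from the summary text is a heuristic of this script, not tcpdump's own logic.

```python
import re

# Constructed sample of what "tcpdump -n" prints (not a real capture): a DNS lookup,
# two TCP connection attempts (ports 80 and 443) and a ping to the router.
SAMPLE_OUTPUT = """\
12:00:01.000001 IP 192.168.1.10.51234 > 8.8.8.8.53: 1234+ A? example.com. (29)
12:00:01.020001 IP 8.8.8.8.53 > 192.168.1.10.51234: 1234 1/0/0 A 93.184.216.34 (45)
12:00:01.050001 IP 192.168.1.10.40000 > 93.184.216.34.80: Flags [S], seq 1, win 64240, length 0
12:00:01.070001 IP 93.184.216.34.80 > 192.168.1.10.40000: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:02.000001 IP 192.168.1.10.40001 > 93.184.216.34.443: Flags [S], seq 3, win 64240, length 0
12:00:03.000001 IP 192.168.1.10 > 192.168.1.1: ICMP echo request, id 1, seq 1, length 64
12:00:03.010001 IP 192.168.1.1 > 192.168.1.10: ICMP echo reply, id 1, seq 1, length 64
"""

LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) IP ([\d.]+) > ([\d.]+): (.*)$")

def parse_endpoint(text):
    """'1.2.3.4.80' -> ('1.2.3.4', 80); a bare address (as in ICMP lines) has no port."""
    parts = text.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return text, None

def parse_line(line):
    """One summary line -> dict, or None if it is not an IPv4 packet line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src_ep, dst_ep, rest = m.groups()
    src, sport = parse_endpoint(src_ep)
    dst, dport = parse_endpoint(dst_ep)
    # Protocol guessed from the summary text (a heuristic, not how tcpdump decides).
    kind = "icmp" if rest.startswith("ICMP") else "tcp" if "Flags [" in rest else "udp"
    return {"ts": ts, "src": src, "sport": sport, "dst": dst, "dport": dport, "proto": kind}

# Predicates mirroring tcpdump's filter primitives: host matches either end,
# dst host / src host one end, port either end; and_ / not_ combine them.
def host(ip):     return lambda p: ip in (p["src"], p["dst"])
def dst_host(ip): return lambda p: p["dst"] == ip
def src_host(ip): return lambda p: p["src"] == ip
def port(n):      return lambda p: n in (p["sport"], p["dport"])
def proto(name):  return lambda p: p["proto"] == name
def and_(*fs):    return lambda p: all(f(p) for f in fs)
def not_(f):      return lambda p: not f(p)

def apply_filter(output, predicate):
    """Return the parsed packets in tcpdump text output that match the predicate."""
    packets = (parse_line(line) for line in output.splitlines())
    return [p for p in packets if p is not None and predicate(p)]
```

For instance, `apply_filter(SAMPLE_OUTPUT, host("8.8.8.8"))` keeps both DNS packets, while `dst_host("8.8.8.8")` keeps only the query, and `and_(dst_host("93.184.216.34"), port(443))` keeps the single HTTPS SYN, just like the combined filter in Example 6.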


Example 9: Save Captured Traffic to a File

Sometimes you want to capture traffic for later analysis, perhaps in a more advanced tool like Wireshark. The -w flag lets you write the raw packet data to a file.

sudo tcpdump -w my_capture.pcap host google.com and port 80

What happens: This command will run in the background, capturing traffic matching the filter, and saving it to my_capture.pcap. Press Ctrl+C to stop the capture.

To view the file later:

tcpdump -r my_capture.pcap

Why it’s useful: Essential for long-term debugging, sharing network issues with others, or using graphical tools for deep dives.


Example 10: Show Packet Contents in Hex and ASCII (-X flag)

For the truly curious, you might want to see the actual data inside the packets. The -X flag displays the packet’s payload in both hexadecimal and ASCII formats.

sudo tcpdump -X port 80

What you’ll see: After the usual packet summary, you’ll see lines of hex and ASCII data. Be warned: for encrypted traffic (like HTTPS on port 443), this data will be unreadable gibberish – that’s the encryption doing its job!


Your Network, Now Less Mysterious

There you have it! These 10 examples are your stepping stones into the world of network analysis with tcpdump. From simply seeing all traffic to pinpointing specific conversations, you now have the tools to understand what your computer is really doing.

Don’t be afraid to experiment! Try combining different filters, watch traffic to your favorite social media site, or see what happens when you load a streaming video. The more you play with tcpdump, the more intuitive it becomes.


David Cao

David is a Cloud & DevOps Enthusiast. He has years of experience as a Linux engineer and has worked at AMD and EMC. He likes Linux, Python, bash, and more. He is a technical blogger and a Software Engineer. He enjoys sharing his learning and contributing to open source.
