You’ve dipped your toes into tcpdump, maybe caught a few web packets or seen your router chatting away.
That’s a great start! But what if you need to go deeper? What if you’re chasing a phantom network issue, analyzing application behavior, or just really curious about the intricate dance of data?
tcpdump is an incredibly powerful tool, and its filtering capabilities are truly a superpower for anyone working with networks.
It allows you to isolate traffic with surgical precision, turning a chaotic stream of data into a crystal-clear conversation.
In this guide, we’re going beyond the fundamentals. We’ll explore 20 advanced tcpdump examples that will transform you from a network observer to a network detective.
We’ll cover everything from precise time-based captures to intricate TCP flag analysis, and even how to handle multiple interfaces and protocols.
Let’s gear up and unlock the full potential of tcpdump!
Table of Contents
A Quick Recap & Why You Need These Advanced Skills
Just a reminder: tcpdump captures network packets. These packets are like tiny digital envelopes, each containing pieces of information about where they came from, where they’re going, and what they’re carrying. Understanding how to filter these envelopes is crucial.
The data tcpdump captures can be displayed directly on your screen, but it’s often more useful to save it to a file with a .pcap extension. These “pcap” files are universally readable by tools like Wireshark, which gives you a beautiful graphical interface for deep-dive analysis.
Alright, let’s supercharge your tcpdump game!
See also: Mastering the Linux Command Line — Your Complete Free Training Guide
The 20 Advanced tcpdump Examples You Need to Know
We’ll start with general powerful options, then dive into specific filtering techniques.
1. Capturing on All Interfaces (The Broad View)
Sometimes you don’t know which network connection is carrying the traffic you need. The any interface special keyword captures from all active interfaces.
sudo tcpdump -i any
Why it’s useful: A lifesaver when you’re unsure where the traffic is flowing, or if you’re monitoring a multi-homed server.
2. Capturing Traffic for Multiple Protocols (Broadening Your Scope)
Need to monitor two different types of service traffic at once? You can chain protocols with or.
Let’s look for both SSH (port 22) and DHCP (often used for IP address assignment) traffic.
sudo tcpdump -i eth0 'ssh or dhcp'
Why it’s useful: Quickly see if a client is trying to get an IP address or trying to connect via SSH. The single quotes are important for grouping the or condition.
3. Capturing Only UDP Traffic (Focusing on Unreliable Streams)
UDP is a “connectionless” protocol often used for speed, like DNS queries, streaming video, or gaming.
sudo tcpdump -i eth0 udp
Why it’s useful: If you’re debugging DNS issues or real-time application problems, isolating UDP traffic is key.
4. Capturing Traffic on Multiple Ports (Monitoring Related Services)
Similar to protocols, you might want to watch traffic on several specific ports that relate to a single application or set of services.
Let’s watch both SSH (port 22) and DNS (port 53) traffic.
sudo tcpdump -i eth0 'port 22 or port 53'
Why it’s useful: Essential for monitoring application stacks that use several different ports for communication.
5. Capturing Traffic from Multiple Hosts (Tracking Multiple Sources)
If you’re monitoring a cluster of servers or specific client machines, you can watch traffic originating from any of them.
sudo tcpdump -i eth0 'src host 192.168.0.10 or src host 192.168.0.20'
Why it’s useful: Great for checking traffic from specific clients or servers involved in a particular transaction.
6. Capturing Traffic within a Port Range (Catching a Group of Services)
Sometimes applications use a range of ports, or you want to see all traffic within a certain, common range (like ephemeral ports).
sudo tcpdump portrange 21-23
Why it’s useful: This would capture FTP control (21), SSH (22), and Telnet (23) traffic. Handy if you know the general area of ports an application is using.
7. Capturing Traffic Based on Packet Size (Filtering for Anomalies)
Packet size can sometimes indicate specific types of traffic or even issues. You can filter for packets less than, greater than, or equal to a certain size.
- Packets smaller than 32 bytes:
sudo tcpdump less 32 - Packets larger than 64 bytes:
sudo tcpdump greater 64 - Packets less than or equal to 128 bytes:
sudo tcpdump <= 128
Why it’s useful: Tiny packets might indicate something like keep-alives or certain control messages. Very large packets might be data transfers or something unusual.
8. Capturing Traffic from a Source IP to a Specific Destination Port
This is a very common scenario: you know a specific machine is sending data, and you want to see if it’s hitting a particular service port on a destination.
sudo tcpdump -i eth0 'src host 10.5.2.3 and dst port 3389'
Why it’s useful: Perfect for troubleshooting remote desktop (RDP uses port 3389) or database connections. You can confirm if the source is attempting to connect to the correct service.
9. Capturing Traffic from a Host Not on a Specific Port (Excluding Noise)
Sometimes you want to see all traffic from a host except for a very noisy service, like SSH or a continuous ping.
sudo tcpdump -i eth0 -vv 'src host mars and not dst port 22'
Why it’s useful: This command captures all traffic from a host named mars but specifically excludes any outgoing SSH connections (port 22). The -vv flag adds extra verbosity, giving you more detail about each packet.
Mastering TCP Flags: Understanding Connection States
TCP (Transmission Control Protocol) is what makes internet connections reliable. It uses special “flags” in the packet header to manage connections – setting them up, tearing them down, and acknowledging data. Analyzing these flags is crucial for diagnosing connection issues.
The TCP flags are located at a specific byte offset in the TCP header. We can use tcp[13] to refer to this byte for filtering. Let’s look at how to isolate individual flags.
10. Isolate TCP RST Flags (Connection Reset)
A RST (Reset) flag usually means a connection was abruptly terminated.
sudo tcpdump 'tcp[13] & 4!=0'
# Or using the more readable shorthand:
sudo tcpdump 'tcp[tcpflags] == tcp-rst'
Why it’s useful: Frequent RST packets can indicate a server refusing connections, a firewall blocking traffic, or an application crashing.
11. Isolate TCP SYN Flags (Connection Initiation)
The SYN (Synchronize) flag is the first step in establishing a TCP connection (the “handshake”).
sudo tcpdump 'tcp[13] & 2!=0'
# Or:
sudo tcpdump 'tcp[tcpflags] == tcp-syn'
Why it’s useful: If you’re not seeing SYN packets, your client isn’t even trying to initiate a connection. If you see many SYNs but no SYN-ACKs (next example), the server isn’t responding.
12. Isolate Packets with Both SYN and ACK Flags Set (Connection Acknowledgment)
The SYN-ACK flag is the server’s response to a SYN, indicating it received the connection request and is ready to proceed.
sudo tcpdump 'tcp[13]=18'
# This combines SYN (2) and ACK (16)
Why it’s useful: This is the crucial second step of the TCP handshake. If you see SYNs but no SYN-ACKs, the server might be down, or a firewall is blocking its response.
13. Isolate TCP URG Flags (Urgent Data)
The URG (Urgent) flag indicates that certain data within the packet is urgent and should be processed immediately. It’s less commonly used in modern applications.
sudo tcpdump 'tcp[13] & 32!=0'
# Or:
sudo tcpdump 'tcp[tcpflags] == tcp-urg'
Why it’s useful: While rare, if you see URG flags, it might point to a specific, perhaps legacy, application behavior.
14. Isolate TCP ACK Flags (Data Acknowledgment)
The ACK (Acknowledge) flag confirms that data has been received. It’s a fundamental part of TCP’s reliability.
sudo tcpdump 'tcp[13] & 16!=0'
# Or:
sudo tcpdump 'tcp[tcpflags] == tcp-ack'
Why it’s useful: ACKs are everywhere! Filtering for them alone can be noisy, but combined with other filters, they confirm successful data transfer.
15. Isolate TCP PSH Flags (Push Data Immediately)
The PSH (Push) flag tells the receiving application to “push” the buffered data up to the application immediately, without waiting for the buffer to fill.
sudo tcpdump 'tcp[13] & 8!=0'
# Or:
sudo tcpdump 'tcp[tcpflags] == tcp-push'
Why it’s useful: Often seen when an application has finished sending a chunk of data (like a web page) and wants the client to process it right away.
16. Isolate TCP FIN Flags (Graceful Connection Termination)
The FIN (Finish) flag is used to gracefully close a TCP connection.
sudo tcpdump 'tcp[13] & 1!=0'
# Or:
sudo tcpdump 'tcp[tcpflags] == tcp-fin'
Why it’s useful: If connections are dropping without FIN flags, it might indicate an abnormal termination, like a crash or a network interruption.
Advanced Time-Based Captures (Managing Your Data)
For long-running captures, you don’t want a single, massive file. tcpdump allows you to rotate capture files based on time or size.
17. Rotate Dump Files by Time Interval
Use -G {seconds} to rotate the capture file every x seconds. This creates multiple .pcap files, usually with a timestamp in their name.
sudo tcpdump -G 15 -W 1 -w /var/log/tcpdump/myfile -i eth0 'port 8080'
Explanation:
G 15: Rotate the file every 15 seconds.W 1: Keep only 1 file at a time (it will overwrite the oldest). If you set this higher, likeW 5, it would keep 5 files before overwriting.w /var/log/tcpdump/myfile: Base name for the output files.tcpdumpwill append timestamps.i eth0 'port 8080': Our usual filters for interface and port.
Why it’s useful: Prevents single huge files, making analysis more manageable. Great for monitoring long-term application behavior.
18. Capture for a Fixed Duration (with timeout)
Sometimes you only need to capture for a specific total time. You can combine tcpdump with the timeout command.
timeout 5400 sudo tcpdump -i eth0 'port 8080' -w /var/log/tcpdump/myfile.pcap
Explanation:
timeout 5400: Thetcpdumpcommand will automatically terminate after 5400 seconds (90 minutes).- The rest is a standard
tcpdumpcommand, saving to a single file.
Why it’s useful: Set and forget! Ideal for capturing a specific event window or for automated diagnostics.
Peeking Inside: Deep Packet Inspection (Careful, It’s Complex!)
These filters are for examining the actual bytes within a packet, which requires knowledge of protocol structures.
19. Filtering Based on Byte Values (The Deep Dive)
The syntax proto[x:y] lets you examine y bytes starting at offset x within a specific protocol header.
proto[x:y] = z: Exact match of the bytes.proto[x:y] & z = 0: Matches if no bits inproto[x:y]are set when compared with maskz.proto[x:y] & z != 0: Matches if any bits inproto[x:y]are set when compared with maskz.proto[x:y] & z = z: Matches if all bits inproto[x:y]are set when compared with maskz.
Example: Check the IP header’s “Time-to-Live” (TTL) field. TTL is at offset 8 in the IP header.
sudo tcpdump 'ip[8] = 64'
Why it’s useful: This is for advanced troubleshooting, security analysis, or custom protocol debugging where you need to inspect non-standard header fields or specific data patterns within the packet payload.
Wrapping Up: Your Network, Your Control
Congratulations! You’ve just equipped yourself with 20 advanced tcpdump examples, covering a wide range of scenarios from simple host and port filtering to complex TCP flag analysis and time-based captures.
tcpdump is an indispensable tool in any Linux user’s arsenal. While it can seem daunting at first, breaking it down into these examples makes it approachable and incredibly powerful. Remember to practice, combine filters, and always be curious about what your network is doing.
Related Post:
