Tcpdump is a robust, open-source network packet analyzer that operates directly from the command line interface.
It’s designed to intercept and display TCP/IP and other packets being transmitted or received over a network attached to the computer on which it is running.
Installing Tcpdump
Tcpdump is often pre-installed on many Linux distributions. If not, installation is straightforward:
sudo apt-get update # For Debian/Ubuntu-based systems
sudo apt-get install tcpdump # For Debian/Ubuntu-based systems
sudo yum install tcpdump # For CentOS/RHEL-based systems
sudo dnf install tcpdump # For modern Fedora/RHEL-based systems
sudo pacman -S tcpdump # For Arch Linux-based systems
Note: Capturing live traffic requires root privileges (sudo), or a tcpdump binary granted the CAP_NET_RAW and CAP_NET_ADMIN capabilities, because tcpdump opens a raw socket on the interface. Reading an existing capture file with -r needs no special privileges.
Basic Command Structure
The general syntax for tcpdump is:
tcpdump [options] [filter_expression]
[options]: These modify how tcpdump behaves (e.g., which interface to listen on, how many packets to capture).
[filter_expression]: These tell tcpdump what traffic to capture (e.g., only traffic to a specific port, from a specific host). Without a filter, tcpdump will attempt to capture all traffic on the selected interface.
Writing Captured Packets to a File: The -w Option
The core of this article lies in the -w option, which instructs tcpdump to write the raw packet data to a specified file.
sudo tcpdump -i eth0 -w network_traffic.pcap
-i eth0: Specifies the network interface to listen on. Replace eth0 with the actual interface name on your system (e.g., enp0s3, wlan0, lo). You can list interface names with ip a or ifconfig, or with tcpdump -D, which shows only the interfaces tcpdump can capture on.
-w network_traffic.pcap: Tells tcpdump to write all captured packets to a file named network_traffic.pcap in the current directory. The .pcap extension is a standard convention for packet capture files.
This command will continuously capture all packets on the eth0 interface and save them. To stop the capture, simply press Ctrl+C. Remember that the file holds every captured byte, including any cleartext credentials, cookies or session tokens that crossed the wire, so restrict its permissions and delete it once the analysis is done.
Example: Capturing HTTP traffic to a file
sudo tcpdump -i eth0 'port 80 or port 443' -w web_traffic.pcap
This captures traffic destined for or originating from standard HTTP (port 80) and HTTPS (port 443) services. For port 443 the payload is TLS-encrypted, so the capture shows handshakes, certificate exchanges and connection metadata rather than page contents.
Filtering Traffic: Precision Capture
Capturing all traffic can quickly generate very large files and make analysis cumbersome. Tcpdump’s powerful filtering capabilities allow you to focus on exactly what you need. Filters are specified using Berkeley Packet Filter (BPF) syntax.
Common Filter Primitives:
- host <IP_ADDRESS>: Captures traffic to or from a specific IP address.
  sudo tcpdump -i eth0 host 192.168.1.100 -w host_traffic.pcap
- src host <IP_ADDRESS>: Captures traffic from a specific IP address.
- dst host <IP_ADDRESS>: Captures traffic to a specific IP address.
- port <PORT_NUMBER>: Captures traffic to or from a specific port.
  sudo tcpdump -i eth0 port 22 -w ssh_traffic.pcap
- src port <PORT_NUMBER>: Captures traffic from a specific source port.
- dst port <PORT_NUMBER>: Captures traffic to a specific destination port.
- net <NETWORK/CIDR>: Captures traffic to or from a specific network range.
  sudo tcpdump -i eth0 net 192.168.1.0/24 -w local_net.pcap
- tcp, udp, icmp: Captures traffic of a specific protocol. The protocol name is used on its own as the primitive (the proto keyword is a qualifier, as in ip proto 1, rather than a primitive by itself).
  sudo tcpdump -i eth0 icmp -w ping_traffic.pcap
Combining Filters (Logical Operators):
- and (or &&): Both conditions must be true.
  sudo tcpdump -i eth0 'host 192.168.1.100 and port 22' -w specific_ssh.pcap
- or (or ||): At least one condition must be true.
  sudo tcpdump -i eth0 'port 80 or port 443' -w web_traffic.pcap
- not (or !): Negates a condition.
  sudo tcpdump -i eth0 'not host 192.168.1.1' -w no_router.pcap
  (Excludes traffic to/from 192.168.1.1, typically your router)
Important: When using logical operators or complex filters, enclose the entire filter expression in single quotes. Otherwise the shell interprets && and || as command separators, ! as history expansion, and parentheses as subshells, and tcpdump never sees the filter you meant.
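To make the semantics of these primitives concrete, here is an added example (not part of the original article) that re-implements them in pure Python and applies them to Ethernet/IPv4 frames constructed inline, so it runs offline with no capture privileges. The frame builder, the parser, the helper names (host, port, net, and_, or_, not_, apply_filter) and the sample addresses are this example's own; checksums are left at zero because nothing here validates them. It shows, for instance, that port 22 matches both directions of a connection, that not host excludes traffic to and from the address, and that a frame truncated before its transport header cannot match a port filter.

```python
# Added example (not part of the original article): a pure-Python
# re-implementation of the tcpdump filter primitives and operators,
# applied to Ethernet/IPv4 frames constructed inline so it runs offline.
# Builder, parser and sample addresses are this example's own.
import ipaddress
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_NUM = {"icmp": 1, "tcp": 6, "udp": 17}


def build_frame(src_ip, dst_ip, proto, sport=0, dport=0):
    """Ethernet + IPv4 header + a minimal TCP, UDP or ICMP header (checksums zero)."""
    if proto == "tcp":    # 20-byte header, data offset 5, SYN flag set
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    elif proto == "udp":  # 8-byte header, length 8
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    else:                 # ICMP echo request, id 1, seq 1
        l4 = struct.pack("!BBHHH", 8, 0, 0, 1, 1)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64,
                     PROTO_NUM[proto], 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
           + struct.pack("!H", ETHERTYPE_IPV4))
    return eth + ip + l4


def parse_frame(frame):
    """Decode just the fields the primitives need; None if the frame is not IPv4."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    pkt = {"proto": frame[23],
           "src": socket.inet_ntoa(frame[26:30]),
           "dst": socket.inet_ntoa(frame[30:34]),
           "sport": None, "dport": None}
    l4 = 14 + ihl
    # Ports exist only for TCP/UDP, and only if the capture kept enough bytes
    if pkt["proto"] in (6, 17) and len(frame) >= l4 + 4:
        pkt["sport"], pkt["dport"] = struct.unpack_from("!HH", frame, l4)
    return pkt


# --- primitives: each returns a predicate over a parsed packet ---
def host(ip):      return lambda p: ip in (p["src"], p["dst"])
def src_host(ip):  return lambda p: p["src"] == ip
def dst_host(ip):  return lambda p: p["dst"] == ip
def port(n):       return lambda p: n in (p["sport"], p["dport"])
def src_port(n):   return lambda p: p["sport"] == n
def dst_port(n):   return lambda p: p["dport"] == n
def proto(name):   return lambda p: p["proto"] == PROTO_NUM[name]
def net(cidr):
    network = ipaddress.ip_network(cidr, strict=False)
    return lambda p: any(ipaddress.ip_address(a) in network for a in (p["src"], p["dst"]))


# --- logical operators ---
def and_(*preds): return lambda p: all(f(p) for f in preds)
def or_(*preds):  return lambda p: any(f(p) for f in preds)
def not_(pred):   return lambda p: not pred(p)


def apply_filter(frames, pred):
    """Indexes of the frames matching pred; non-IPv4 frames never match."""
    matches = []
    for i, frame in enumerate(frames):
        p = parse_frame(frame)
        if p is not None and pred(p):
            matches.append(i)
    return matches


# Constructed sample traffic (documentation addresses, not a real capture)
SAMPLE = [
    build_frame("192.168.1.100", "10.0.0.5", "tcp", 51000, 22),     # 0: SSH to a server
    build_frame("10.0.0.5", "192.168.1.100", "tcp", 22, 51000),     # 1: SSH reply
    build_frame("192.168.1.7", "203.0.113.10", "tcp", 40001, 443),  # 2: HTTPS
    build_frame("192.168.1.7", "192.168.1.1", "icmp"),              # 3: ping to router
    build_frame("192.168.1.1", "198.51.100.53", "udp", 5353, 53),   # 4: DNS from router
]

if __name__ == "__main__":
    print("host 192.168.1.100 and port 22 ->",
          apply_filter(SAMPLE, and_(host("192.168.1.100"), port(22))))
    print("port 80 or port 443            ->", apply_filter(SAMPLE, or_(port(80), port(443))))
    print("not host 192.168.1.1           ->", apply_filter(SAMPLE, not_(host("192.168.1.1"))))
```

The predicates compose exactly like the quoted tcpdump expressions: and_(host("192.168.1.100"), port(22)) is 'host 192.168.1.100 and port 22'. Real BPF is compiled to a small bytecode program and evaluated in the kernel before the packet is copied to user space, which is why a tight filter also keeps capture overhead and file size down.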
Reading and Analyzing Captured Data
Once you have a .pcap file, you can read its contents using tcpdump itself or more advanced tools.
Reading with Tcpdump
To display the contents of a pcap file using tcpdump, use the -r option:
tcpdump -r network_traffic.pcap
This will display the captured packets in a human-readable format, similar to a live capture. You can combine -r with other options for more refined viewing:
tcpdump -r network_traffic.pcap -n # Don't resolve hostnames (use -nn to keep port numbers numeric too)
tcpdump -r network_traffic.pcap 'host 192.168.1.5' # Apply a filter when reading
Analyzing with Wireshark
For comprehensive graphical analysis, Wireshark is the industry standard. It can open any .pcap file generated by tcpdump, offering features such as:
- Intuitive GUI: Easy navigation, filtering, and packet dissection.
- Deep Protocol Inspection: Decodes hundreds of protocols, showing header and payload details.
- Statistical Analysis: Provides graphs and summaries of network activity.
- Follow TCP Stream: Reconstructs full conversations for application-level understanding.
If you don’t have Wireshark, install it:
sudo apt-get install wireshark # Debian/Ubuntu
sudo yum install wireshark # CentOS/RHEL
Then, simply open your .pcap file:
wireshark network_traffic.pcap
Or use the graphical interface to navigate and open the file.
Advanced Usage & Practical Considerations
Limiting Packet Capture: The -c Option
To prevent endlessly growing files during live captures, you can limit the number of packets captured:
sudo tcpdump -i eth0 -c 1000 -w limited_capture.pcap
This command will stop after capturing 1000 packets.
Verbose Output: -v, -vv, -vvv
These options increase the verbosity of the output when displaying packets (either live or from a file), providing more header details such as TTL, IP ID, total length and checksum status.
sudo tcpdump -i eth0 -v
sudo tcpdump -i eth0 -vv
sudo tcpdump -i eth0 -vvv
Readable Timestamps: -tttt
By default, timestamps can be in a less human-friendly format. The -tttt option provides highly readable timestamps:
sudo tcpdump -i eth0 -tttt -c 5
Output example: 2023-10-27 10:30:45.123456 IP ...
Packet Slicing: The -s Option
By default, modern tcpdump (4.0 and later) captures the entire packet, up to 262144 bytes; older releases defaulted to only 68 or 96 bytes, which is why many older guides pass -s 0. If you’re only interested in headers, or don’t want to write sensitive payload data to disk, limit the snapshot length:
sudo tcpdump -i eth0 -s 128 -w headers_only.pcap
This keeps only the first 128 bytes of each packet, which covers the Ethernet, IPv4/IPv6 and TCP/UDP headers (including typical TCP options) but cuts off most of the payload. A value of 0 selects the default, full snapshot length. Truncated packets are still recorded together with their original length, so tools reading the file can tell that they were cut.
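The following is an added example, not code from the original article: a minimal writer and reader for the classic libpcap file format that tcpdump -w produces. It ties together three things from this page: what a snapshot length (-s) does on disk (each record stores both the captured and the original length), how reading a file the way -r does should validate the header and record lengths before trusting them, and how the raw per-record timestamps become the date-and-time form printed by -tttt. The function names, the 0xA1B2C3D4/0xA1B23C4D magic handling and the sample records are this example's own; the packet bytes are filler, only the container format is real.

```python
# Added example (not part of the original article): a minimal writer and
# reader for the classic libpcap format written by `tcpdump -w`. Packet
# bytes are constructed filler; only the container format is real.
import struct
import time

PCAP_MAGIC_USEC = 0xA1B2C3D4   # classic pcap, microsecond timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D   # same layout, nanosecond timestamps
LINKTYPE_ETHERNET = 1          # what tcpdump writes for an Ethernet interface
GLOBAL_HDR = "IHHiIII"         # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = "IIII"            # ts_sec, ts_frac, incl_len, orig_len


def write_pcap(packets, snaplen=262144, endian="<", nanos=False):
    """Serialise (ts_sec, ts_frac, frame_bytes) triples like `tcpdump -w -s snaplen`.
    A record keeps at most snaplen bytes but still stores the original length."""
    magic = PCAP_MAGIC_NSEC if nanos else PCAP_MAGIC_USEC
    out = bytearray(struct.pack(endian + GLOBAL_HDR, magic, 2, 4, 0, 0,
                                snaplen, LINKTYPE_ETHERNET))
    for sec, frac, frame in packets:
        captured = frame[:snaplen]            # this slicing is what -s does
        out += struct.pack(endian + RECORD_HDR, sec, frac, len(captured), len(frame))
        out += captured
    return bytes(out)


def read_pcap(blob):
    """Parse a pcap blob into (header, records), rejecting inconsistent
    lengths instead of slicing past the end of the data."""
    if len(blob) < 24:
        raise ValueError("too short to be a pcap file")
    for endian in ("<", ">"):                 # the magic tells us the byte order
        magic = struct.unpack_from(endian + "I", blob, 0)[0]
        if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            break
    else:
        raise ValueError("not a pcap file (unknown magic)")
    _, vmaj, vmin, _tz, _sig, snaplen, linktype = struct.unpack_from(endian + GLOBAL_HDR, blob, 0)
    header = {"version": (vmaj, vmin), "snaplen": snaplen, "linktype": linktype,
              "ts_unit": "ns" if magic == PCAP_MAGIC_NSEC else "us"}
    records, off = [], 24
    while off + 16 <= len(blob):
        sec, frac, incl, orig = struct.unpack_from(endian + RECORD_HDR, blob, off)
        off += 16
        # A record can never hold more than the file's snaplen or more than the
        # original packet; a damaged or hostile file claiming otherwise is rejected.
        if incl > snaplen or incl > orig or off + incl > len(blob):
            raise ValueError(f"corrupt record header at offset {off - 16}")
        records.append({"ts": (sec, frac), "data": blob[off:off + incl],
                        "orig_len": orig, "truncated": incl < orig})
        off += incl
    if off != len(blob):
        raise ValueError("trailing bytes after the last record")
    return header, records


def format_ts(ts, unit):
    """Render a record timestamp like `tcpdump -tttt` (UTC here; tcpdump uses local time)."""
    sec, frac = ts
    width = 9 if unit == "ns" else 6
    return time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(sec)) + f".{frac:0{width}d}"


if __name__ == "__main__":
    sample = [(1698402645, 123456, b"\xaa" * 1500),   # a full-size Ethernet frame
              (1698402645, 200000, b"\xbb" * 60)]     # a small one
    blob = write_pcap(sample, snaplen=128)            # as with: tcpdump -s 128 -w ...
    header, records = read_pcap(blob)
    for rec in records:
        print(format_ts(rec["ts"], header["ts_unit"]), len(rec["data"]), "of",
              rec["orig_len"], "bytes", "(truncated)" if rec["truncated"] else "")
```

Running it shows the 1500-byte frame stored as 128 bytes with orig_len 1500, which is exactly how Wireshark knows to flag a packet as cut short by the snapshot length. The length checks in read_pcap are the part worth copying into any tool of your own: capture files from untrusted hosts are attacker-controlled input, and pcap parsers have a long history of memory-safety bugs from trusting incl_len.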
Don’t Resolve Hostnames/Ports: -n and -nn
For faster capture and to avoid DNS lookups, use these options:
-n: Don’t convert host addresses to names.
-nn: Don’t convert host addresses or port numbers to names.
sudo tcpdump -i eth0 -nn -w fast_capture.pcap