Skip to Content

Exploring Tcpdump Filters with Examples

Tcpdump with no filters will produce so much output that it will prove very difficult to find traffic of interest. There are numerous filtering expressions available that limit the traffic displayed or captured.

  • Host filters
  • Network filters
  • Port filters
  • Protocol filters
  • Negating a filter match
  • Combining filters


Tcpdump provides several options that enhance or modify its output. The following are the commonly used options for tcpdump command.

Option Description
-i Listen on the specified interface.
-n Don’t resolve hostnames. You can use -nn to don’t resolve hostnames or port names.
-t Print human-readable timestamp on each dump line, -tttt: Give maximally human-readable timestamp output.
-X Show the packet’s contents in both hex and ascii.
-v, -vv, -vvv enables verbose logging/details (which among other things will give us a running total on how many packets are captured
-c N Only get N number of packets and then stop.
-s Define the snaplength (size) of the capture in bytes. Use -s0 to get everything, unless you are intentionally capturing less.
-S Print absolute sequence numbers.
-q Show less protocol information.
-w Write the raw packets to file
-C file_size(M) tells tcpdump to store up to x MB of packet data per file.
-G rotate_seconds Create a new file every time the specified number of seconds has elapsed.

Host filters

To filter for a specific host, append host and the IP address to the tcpdump command. To filter for host use the following command:

# tcpdump -ni igb1 host

That will capture all traffic to and from that host. To only capture traffic being initiated by that host, use the src directive:

# tcpdump -ni igb1 src host

Similarly, filtering for traffic destined to that IP address is possible by specifying dst:

# tcpdump -ni igb1 dst host

Network filters

Network filters narrow the capture to a specific subnet using the net expression. Following net, specify a dotted quad (, dotted triple ( 192.168.1), dotted pair (192.168) or simply a number ( 192).

A dotted quad is equivalent to specifying host, a dotted triple uses a subnet mask of, a dotted pair uses, and a number alone uses

The following command displays traffic to or from any host with a 192.168.1.x IP address:

# tcpdump -ni igb1 net 192.168.1

The next command will capture traffic to or from any host with a 10.x.x.x IP address:

# tcpdump -ni igb1 net 10

Those examples will capture all traffic to or from the specified network. The src or dst keywords may be used the same as with host filters to capture only traffic initiated by or destined to the specified network:

# tcpdump -ni igb1 src net 10

A CIDR mask can also be passed as an argument to net:

# tcpdump -ni igb1 src net


Port filters

Narrowing down by host or network frequently isn’t adequate to eliminate unnecessary traffic from a capture. Or the source or destination of traffic may not be significant, and all traffic of a certain type should be captured. In other cases, filtering out all traffic of a specific type can reduce noise.

To filter on TCP and UDP ports, use the port directive. This captures both TCP and UDP traffic using the specified port either as a source or destination port. It can be combined with tcp or udp to specify the protocol, and src or dst to specify a source or destination port.

Capture all HTTP traffic
# tcpdump -ni igb1 tcp port 80

Capture all DNS traffic (usually UDP, but some queries use TCP):
# tcpdump -ni igb1 port 53

Protocol filters

Specific protocols can be filtered using the proto directive or by using the protocol name directly.

The following capture will show all ICMP traffic on the igb1 interface:

# tcpdump -ni igb1 icmp

Negating a filter match

In addition to matching specific parameters, a filter match can be negated by specifying not in front of the filter expression. When troubleshooting something other than icmp, exclude it as follows:

# tcpdump -ni igb1 not icmp

Combining filters

Any of the aforementioned filters can be combined using and or or. The following sections provide some examples.

Display all HTTP traffic to and from a host and Display all HTTP traffic to or from

# tcpdump -ni igb1 host and tcp port 80

Display all HTTP traffic to and from multiple hosts and Display all HTTP traffic from either or

# tcpdump -ni igb1 host or host and tcp port 80

Filter expression usage

Filter expressions must come after every command-line flag used. Adding any flags after a filter expression will result in a syntax error.

  • Incorrect ordering
  • # tcpdump -ni igb1 -T carp carp -c 2
  • tcpdump: syntax error
  • Correct ordering
  • # tcpdump -ni igb1 -T carp -c 2 carp

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on igb1, link-type EN10MB (Ethernet), capture size 65535 bytes
14:50:07.426993 IP > CARPv2-advertise 36: vhid=11 advbase=1 advskew=0 authlen=7 counter=5449924379588860810
14:50:08.436849 IP > CARPv2-advertise 36: vhid=11 advbase=1 advskew=0 authlen=7 counter=5449924379588860810
2 packets captured
78 packets received by filter
0 packets dropped by kernel