
TCPDump Examples – 30 Best Commands Ever!



tcpdump is a command-line network packet analyzer that is absolutely essential for troubleshooting networking issues.

It is used to display network packets transmitted over network interfaces connected to the system on which tcpdump is installed.

tcpdump has a large set of flags and arguments used to specify various options, which can be pretty overwhelming for beginners.

Below you will find a collection of the best examples of the tcpdump command.


TCPDump Examples

The first part below covers the most useful tcpdump options, the second part the most popular tcpdump filters.
TCPDump Options

Below you will find the examples of the most useful tcpdump options.

Interfaces

List all interfaces on which tcpdump can capture packets:

# tcpdump -D

Default interface: if no interface is specified, tcpdump searches the system interface list and uses the lowest numbered interface, e.g. eth0.

Capture packets on the interface eth0:

# tcpdump -i eth0

Capture packets on all interfaces:

# tcpdump -i any

Verbosity

Print less protocol information than by default:

# tcpdump -q

Increase the verbosity while capturing packets (each additional v prints more detail):

# tcpdump -v
# tcpdump -vv
# tcpdump -vvv

Print data of each packet in ASCII:

# tcpdump -A

Print the data of each packet in hex and ASCII (-XX also includes the link-level header):

# tcpdump -X
# tcpdump -XX

Files

Write captured packets to a file, called capture.cap:

# tcpdump -w capture.cap

Write captured packets to a file and report the number of packets captured every 10 seconds:

# tcpdump -v -w capture.cap

Read captured packets from a file capture.cap:

# tcpdump -r capture.cap

Limits

Exit after capturing 100 packets:

# tcpdump -c 100

Capture only the first 500 bytes of each packet rather than the default 65535 bytes:

# tcpdump -s 500

Capture all bytes of data within the packet:

# tcpdump -s 0

Disable DNS Lookup

Don’t convert IP addresses and port numbers into domain and service names:

# tcpdump -n


TCPDump Filters

Below you will find the examples of the most popular tcpdump filters.

Capture any packets where the destination host is 192.168.1.1:

# tcpdump -n dst host 192.168.1.1

Capture any packets where the source host is 192.168.1.1:

# tcpdump -n src host 192.168.1.1

Capture any packets where the source or destination host is 192.168.1.1:

# tcpdump -n host 192.168.1.1

Capture any packets where the destination network is 192.168.1.0/24:

# tcpdump -n dst net 192.168.1.0/24

Capture any packets where the source network is 192.168.1.0/24:

# tcpdump -n src net 192.168.1.0/24

Capture any packets where the source or destination network is 192.168.1.0/24:

# tcpdump -n net 192.168.1.0/24

Capture any packets where the destination port is 23:

# tcpdump -n dst port 23

Capture any packets where the destination port is between 1 and 1023 inclusive:

# tcpdump -n dst portrange 1-1023

Capture only TCP packets where the destination port is between 1 and 1023 inclusive:

# tcpdump -n tcp dst portrange 1-1023

Capture only UDP packets where the destination port is between 1 and 1023 inclusive:

# tcpdump -n udp dst portrange 1-1023

Capture any packets with destination IP 192.168.1.1 and destination port 23:

# tcpdump -n "dst host 192.168.1.1 and dst port 23"

Capture any packets with destination IP 192.168.1.1 and destination port 80 or 443:

# tcpdump -n "dst host 192.168.1.1 and (dst port 80 or dst port 443)"
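To see what a combined filter like "dst host 192.168.1.1 and dst port 23" actually selects at the byte level, here is an added example (not code from the original article) that reads a classic pcap file of the kind written by tcpdump -w capture.cap and applies a Python equivalent of that filter. The capture, its MAC and IP addresses and the pcap_bytes/ipv4_frame helpers that build it are constructed for this example, and the matcher handles only IPv4 over Ethernet with TCP or UDP, so it is a teaching aid, not a replacement for the BPF filter.

```python
import struct
from ipaddress import IPv4Address
ETH_IPV4, TCP, UDP = 0x0800, 6, 17  # EtherType and IP protocol numbers

def ipv4_frame(src, dst, proto, sport, dport):
    """Constructed test data: a minimal Ethernet/IPv4 frame carrying a TCP SYN or a UDP datagram."""
    l4 = (struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 0xFFFF, 0, 0) if proto == TCP
          else struct.pack("!HHHH", sport, dport, 8, 0))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", ETH_IPV4) + ip + l4

def pcap_bytes(frames):
    """Wrap frames in the classic pcap container that tcpdump -w writes (linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out

def iter_frames(data):
    """Yield each captured frame from pcap bytes; the magic number tells the byte order."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if end is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    off = 24
    while off + 16 <= len(data):
        caplen = struct.unpack(end + "IIII", data[off:off + 16])[2]
        yield data[off + 16:off + 16 + caplen]
        off += 16 + caplen

def matches_dst_host_port(frame, host, port):
    """Python equivalent of the filter 'dst host HOST and dst port PORT' (IPv4, TCP or UDP)."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        return False
    ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
    if proto not in (TCP, UDP) or str(IPv4Address(frame[30:34])) != host:
        return False
    l4 = frame[14 + ihl:]  # TCP and UDP both carry the destination port in bytes 2-3
    return len(l4) >= 4 and struct.unpack("!H", l4[2:4])[0] == port

def count_matching(data, host="192.168.1.1", port=23):
    return sum(matches_dst_host_port(f, host, port) for f in iter_frames(data))
# Constructed capture: only two packets (one TCP, one UDP) match "dst host 192.168.1.1 and dst port 23"
SAMPLE = pcap_bytes([
    ipv4_frame("192.168.1.50", "192.168.1.1", TCP, 40001, 23),
    ipv4_frame("192.168.1.50", "192.168.1.1", TCP, 40002, 80),   # wrong port
    ipv4_frame("192.168.1.50", "192.168.1.2", TCP, 40003, 23),   # wrong host
    ipv4_frame("192.168.1.1", "192.168.1.50", TCP, 23, 40001),   # reply: 23 is the source port, not the destination
    ipv4_frame("192.168.1.50", "192.168.1.1", UDP, 40004, 23),
])
```

Note that "dst port 23" matches the UDP packet as well as the TCP one; prefix the filter with tcp or udp, as in the portrange examples, to restrict it to one protocol.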

Capture any ICMP packets:

# tcpdump -v icmp

Capture any ARP packets:

# tcpdump -v arp

Capture either ICMP or ARP packets:

# tcpdump -v "icmp or arp"

Capture any packets that are broadcast or multicast:

# tcpdump -n "broadcast or multicast"

