Introduction
tcpdump is a powerful command-line packet analyzer available on virtually all Linux systems. It captures and displays network packets in real time, making it an essential tool for debugging connectivity issues, verifying firewall rules, and analyzing traffic patterns.
Installation
sudo apt install tcpdump # Debian/Ubuntu
sudo yum install tcpdump # AlmaLinux/RHEL
Basic capture
sudo tcpdump
This captures all traffic on the default interface. Press Ctrl+C to stop.
Capture on a specific interface
sudo tcpdump -i eth0
List available interfaces
sudo tcpdump -D
Common filters
Filter by host
sudo tcpdump host 203.0.113.50
sudo tcpdump src 203.0.113.50
sudo tcpdump dst 203.0.113.50
Filter by port
sudo tcpdump port 80
sudo tcpdump port 443
sudo tcpdump port 22
Filter by protocol
sudo tcpdump icmp
sudo tcpdump tcp
sudo tcpdump udp
Combine filters
sudo tcpdump host 203.0.113.50 and port 443
sudo tcpdump src 10.0.0.1 and dst port 80
sudo tcpdump 'port 80 or port 443'
Filter by network (subnet)
sudo tcpdump net 192.168.1.0/24
Useful options
| Option | Description |
|---|---|
| -c 100 | Capture only 100 packets, then stop |
| -n | Do not resolve hostnames (faster output) |
| -nn | Do not resolve hostnames or port names |
| -v / -vv | Verbose / very verbose output |
| -X | Show packet contents in hex and ASCII |
| -A | Show packet contents in ASCII only (useful for HTTP) |
| -w file.pcap | Save capture to a file (for later analysis in Wireshark) |
| -r file.pcap | Read and analyze a previously saved capture |
Practical examples
Debug HTTP traffic
sudo tcpdump -i eth0 -A -nn port 80 -c 50
Capture DNS queries
sudo tcpdump -i eth0 -nn port 53
Check if traffic is reaching your server on a specific port
sudo tcpdump -i eth0 -nn dst port 3306 -c 10
If no packets appear, traffic is likely being blocked by a firewall before reaching the server.
Save a capture for later analysis
sudo tcpdump -i eth0 -w /tmp/capture.pcap -c 1000
You can open /tmp/capture.pcap in Wireshark for graphical analysis, or replay it with tcpdump -r.
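The file that -w writes (and -r or Wireshark reads) is the classic pcap format: a 24-byte global header followed by one 16-byte record header per packet. The following is an added example, not code from the original page or from tcpdump itself. It builds a two-packet capture in memory from constructed sample frames, then parses the bytes back into the same fields tcpdump prints, so you can see what a saved capture actually contains. Only Ethernet/IPv4/TCP frames in classic pcap are decoded; pcapng is not handled, and the constructed frames carry zero checksums, which does not matter for offline parsing.

```python
"""Minimal reader for the classic pcap format that `tcpdump -w` writes.

Added example, not part of the original page or of tcpdump. It builds a
small capture from constructed sample packets, then decodes every record
into the fields tcpdump prints (timestamp, source/destination IP and port,
TCP flags). Only Ethernet/IPv4/TCP frames are decoded; others are skipped.
"""
import struct

PCAP_MAGIC = 0xA1B2C3D4        # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
# TCP flag bits in the order tcpdump prints them inside "Flags [...]".
TCP_FLAGS = [(0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"),
             (0x10, "."), (0x20, "U"), (0x40, "E"), (0x80, "W")]


def build_tcp_frame(src_ip, sport, dst_ip, dport, flag_byte, seq=0):
    """Build a payload-less Ethernet/IPv4/TCP frame (constructed sample data;
    IP and TCP checksums are left at zero, fine for an offline parsing demo)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flag_byte, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    eth = bytes(6) + bytes(6) + struct.pack("!H", 0x0800)   # zero MACs, EtherType IPv4
    return eth + ip + tcp


def write_pcap(records):
    """Serialise (ts_sec, ts_usec, frame) tuples as a little-endian pcap file."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts_sec, ts_usec, frame in records:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
    return out


def decode_frame(frame):
    """Return the tcpdump-visible fields of an IPv4/TCP frame, or None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None
    ip = 14                                   # IPv4 header starts after Ethernet
    ihl = (frame[ip] & 0x0F) * 4              # header length in bytes
    if frame[ip + 9] != 6 or len(frame) < ip + ihl + 20:
        return None                           # not TCP, or truncated
    tcp = ip + ihl
    sport, dport, seq = struct.unpack_from("!HHI", frame, tcp)
    flag_byte = frame[tcp + 13]
    return {
        "src": ".".join(str(b) for b in frame[ip + 12:ip + 16]),
        "sport": sport,
        "dst": ".".join(str(b) for b in frame[ip + 16:ip + 20]),
        "dport": dport,
        "seq": seq,
        "flags": "".join(ch for bit, ch in TCP_FLAGS if flag_byte & bit),
    }


def read_pcap(data):
    """Parse a classic pcap byte string into a list of decoded TCP packets."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:                 # same magic, written big-endian
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    (linktype,) = struct.unpack_from(endian + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        decoded = decode_frame(frame)
        if decoded is not None:
            decoded["ts"] = f"{ts_sec}.{ts_usec:06d}"
            packets.append(decoded)
    return packets


def to_tcpdump_lines(packets):
    """Render decoded packets roughly as `tcpdump -nn -r file.pcap` prints them."""
    return [f"{p['ts']} IP {p['src']}.{p['sport']} > {p['dst']}.{p['dport']}: "
            f"Flags [{p['flags']}], seq {p['seq']}" for p in packets]


# Constructed sample: a client SYN to port 443 and the server's SYN-ACK reply.
SAMPLE_PCAP = write_pcap([
    (1700000000, 123456, build_tcp_frame("203.0.113.50", 54321, "93.184.216.34", 443, 0x02, 1234567890)),
    (1700000000, 140000, build_tcp_frame("93.184.216.34", 443, "203.0.113.50", 54321, 0x12, 99)),
])

if __name__ == "__main__":
    for line in to_tcpdump_lines(read_pcap(SAMPLE_PCAP)):
        print(line)
```

To try it on a real file, replace SAMPLE_PCAP with `open("/tmp/capture.pcap", "rb").read()`; the record loop tolerates a file that was cut short by Ctrl+C because it stops as soon as fewer than 16 bytes remain.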
Monitor traffic between two hosts
sudo tcpdump -i eth0 -nn host 10.0.0.1 and host 10.0.0.2
Reading the output
10:30:45.123456 IP 203.0.113.50.54321 > 93.184.216.34.443: Flags [S], seq 1234567890, win 65535, length 0
| Field | Meaning |
|---|---|
| 10:30:45.123456 | Timestamp |
| 203.0.113.50.54321 | Source IP and port |
| 93.184.216.34.443 | Destination IP and port |
| Flags [S] | TCP SYN flag (connection initiation) |
Common TCP flags
| Flag | Meaning |
|---|---|
| [S] | SYN — Connection request |
| [S.] | SYN-ACK — Connection accepted |
| [.] | ACK — Acknowledgment |
| [P.] | PSH-ACK — Data push |
| [F.] | FIN-ACK — Connection closing |
| [R] | RST — Connection reset |