tcpdump is the world’s premier network analysis tool—combining both power and simplicity into a single command-line interface. This guide will show you how to use it.
tcpdump is a powerful command-line packet analyzer. It allows you to capture and inspect network traffic in real-time. This tool is invaluable for network administrators, security professionals, and anyone who needs to understand network behavior.
In this tutorial, we’ll explore 50 practical examples of using tcpdump. These examples will cover a wide range of use cases, from basic traffic capture to advanced filtering and analysis.
Basic Syntax ​
The basic syntax of tcpdump is:
tcpdump [options] [expression]options: Modify the behavior oftcpdump, such as specifying the interface to capture on or the output format.expression: Defines what kind of traffic to capture. This is where you specify hostnames, IP addresses, ports, protocols, and other criteria.
Capturing Traffic on an Interface ​
To capture all traffic on a specific interface, use the -i flag followed by the interface name. For example, to capture traffic on the eth0 interface:
tcpdump -i eth0To see a list of all available interfaces, use the command:
tcpdump -DCapturing Traffic to/from a Specific Host ​
To capture traffic to or from a specific host, use the host keyword followed by the hostname or IP address:
tcpdump host 192.168.1.100This will capture all traffic to and from the host with the IP address 192.168.1.100.
Capturing Traffic on a Specific Port ​
To capture traffic on a specific port, use the port keyword followed by the port number:
tcpdump port 80This will capture all traffic on port 80 (HTTP).
Combining Filters ​
You can combine filters using and, or, and not operators. For example, to capture all traffic to or from host 192.168.1.100 on port 80, use:
tcpdump host 192.168.1.100 and port 80To capture traffic from 192.168.1.100 on either port 80 or 443, use:
tcpdump src host 192.168.1.100 and ( port 80 or port 443 )Advanced Filtering ​
Filtering by Protocol ​
To filter by protocol, use the ip, tcp, udp, or other protocol keywords. For example, to capture only TCP traffic:
tcpdump tcpTo capture only UDP traffic:
tcpdump udpFiltering by Source or Destination ​
To filter by source or destination host or port, use the src or dst keywords:
tcpdump src host 192.168.1.100This will capture all traffic from the host 192.168.1.100.
tcpdump dst port 443This will capture all traffic destined for port 443.
Filtering by Network ​
To capture traffic within a specific network, use the net keyword:
tcpdump net 192.168.1.0/24This will capture all traffic within the 192.168.1.0/24 network.
Saving Captured Traffic to a File ​
To save captured traffic to a file, use the -w flag followed by the filename:
tcpdump -w capture.pcap -i eth0This will save all captured traffic on the eth0 interface to the file capture.pcap.
You can later analyze this file using tcpdump or another packet analyzer like Wireshark.
Reading Captured Traffic from a File ​
To read captured traffic from a file, use the -r flag followed by the filename:
tcpdump -r capture.pcapThis will read and display the traffic from the file capture.pcap.
Verbosity ​
You can control the verbosity of tcpdump output using the -v, -vv, or -vvv flags.
-v: Verbose output.-vv: More verbose output.-vvv: Most verbose output.
For example:
tcpdump -vv -i eth050 tcpdump Examples ​
Here are 50 tcpdump examples to help you isolate traffic in various situations:
- Capture all traffic on interface
eth0:bashtcpdump -i eth0 - Capture all traffic on interface
wlan0:bashtcpdump -i wlan0 - Capture traffic to or from host
192.168.1.100:bashtcpdump host 192.168.1.100 - Capture traffic to or from host
example.com:bashtcpdump host example.com - Capture traffic on port 80 (HTTP):
bash
tcpdump port 80 - Capture traffic on port 443 (HTTPS):
bash
tcpdump port 443 - Capture traffic on port 22 (SSH):
bash
tcpdump port 22 - Capture traffic on port 21 (FTP):
bash
tcpdump port 21 - Capture traffic on port 25 (SMTP):
bash
tcpdump port 25 - Capture traffic on port 53 (DNS):
bash
tcpdump port 53 - Capture traffic from host
192.168.1.100:bashtcpdump src host 192.168.1.100 - Capture traffic to host
192.168.1.100:bashtcpdump dst host 192.168.1.100 - Capture traffic from port 80:
bash
tcpdump src port 80 - Capture traffic to port 443:
bash
tcpdump dst port 443 - Capture all TCP traffic:
bash
tcpdump tcp - Capture all UDP traffic:
bash
tcpdump udp - Capture all ICMP traffic:
bash
tcpdump icmp - Capture traffic to or from network
192.168.1.0/24:bashtcpdump net 192.168.1.0/24 - Capture traffic from network
192.168.1.0/24:bashtcpdump src net 192.168.1.0/24 - Capture traffic to network
192.168.1.0/24:bashtcpdump dst net 192.168.1.0/24 - Capture traffic to host
192.168.1.100on port 80:bashtcpdump dst host 192.168.1.100 and dst port 80 - Capture traffic from host
192.168.1.100on port 443:bashtcpdump src host 192.168.1.100 and src port 443 - Capture traffic to or from host
192.168.1.100on port 80 or 443:bashtcpdump host 192.168.1.100 and ( port 80 or port 443 ) - Capture all traffic except ICMP:
bash
tcpdump not icmp - Capture all traffic except port 80:
bash
tcpdump not port 80 - Capture traffic with a specific TCP flag (SYN):
bash
tcpdump 'tcp[tcpflags] & tcp-syn != 0' - Capture traffic with a specific TCP flag (ACK):
bash
tcpdump 'tcp[tcpflags] & tcp-ack != 0' - Capture traffic with a specific TCP flag (RST):
bash
tcpdump 'tcp[tcpflags] & tcp-rst != 0' - Capture traffic with a specific TCP flag (FIN):
bash
tcpdump 'tcp[tcpflags] & tcp-fin != 0' - Capture traffic with a specific TCP flag (URG):
bash
tcpdump 'tcp[tcpflags] & tcp-urg != 0' - Capture traffic with a specific TCP flag (PSH):
bash
tcpdump 'tcp[tcpflags] & tcp-push != 0' - Capture traffic with a specific TCP flag (ALL):
bash
tcpdump 'tcp[tcpflags] = 0x01' - Capture traffic with a specific TCP flag (NONE):
bash
tcpdump 'tcp[tcpflags] = 0x00' - Capture traffic with a specific TCP flag (SYN/ACK):
bash
tcpdump 'tcp[tcpflags] = 0x12' - Capture traffic with a specific TCP flag (SYN/RST):
bash
tcpdump 'tcp[tcpflags] = 0x14' - Capture traffic with a specific TCP flag (SYN/FIN):
bash
tcpdump 'tcp[tcpflags] = 0x11' - Capture traffic with a specific TCP flag (PSH/ACK):
bash
tcpdump 'tcp[tcpflags] = 0x18' - Capture traffic with a specific IP fragment offset:
bash
tcpdump 'ip[6:2] & 0x1fff != 0' - Capture traffic with a specific IP TTL:
bash
tcpdump 'ip[8] = 128' - Capture traffic with a specific IP DSCP:
bash
tcpdump 'ip[1] & 0xfc >> 2 = 46' - Capture traffic with a specific IP ECN:
bash
tcpdump 'ip[1] & 0x03 = 3' - Capture traffic with a specific TCP sequence number:
bash
tcpdump 'tcp[4:4] = 12345678' - Capture traffic with a specific TCP acknowledgement number:
bash
tcpdump 'tcp[8:4] = 87654321' - Capture traffic with a specific TCP source port range:
bash
tcpdump 'tcp[0:2] > 1023 and tcp[0:2] < 65536' - Capture traffic with a specific TCP destination port range:
bash
tcpdump 'tcp[2:2] > 1023 and tcp[2:2] < 65536'
These examples should provide a solid foundation for using tcpdump to analyze network traffic.
Happy hunting!
-Daniel
Related Posts
Technical Analysis: 4 Stocks with signs of death crossovers to keep an eye on
HDFC Bank & 3 other fundamentally strong stocks trading above 200 DMA to keep an eye on
Falling Channel Breakout: Multibagger NBFC Stock Shows Bullish Momentum on Daily Chart
4 Fundamentally strong stocks to buy for an upside potential of up to 36%; Do you hold any?
Markets tumble as Trump puts pressure on Federal Reserve
NLSC: SENIOR THREE AGRICULTUREAgriculture,New Lower Secondary Curriculum,Ordinary Secondary 
NLSC: SENIOR THREE CHEMISTRY
NLSC: SENIOR THREE GENERAL SCIENCENew Lower Secondary Curriculum,Ordinary Secondary,Sciences 
NLSC: SENIOR THREE NUTRITION AND FOOD TECHNOLOGYFood and Nutrition,New Lower Secondary Curriculum,Ordinary Secondary 
NLSC: SENIOR THREE CHRISTIAN RELIGIOUS EDUCATION
colline mwangaENG/P/7: RIGHTS, RESPONSIBILITIES AND FREEDOM- Aheebwa JosephDP: Digital Pedagoggy Assignment7
- Aheebwa JosephDP: Digital Pedagogy Assignment5
- Aheebwa JosephDP: Digital Pedagogy Assignment4
- Aheebwa JosephDP: Digital Pedagogy Assignment2
- Aheebwa JosephDP: Digital Pedagogy Final Project
SENIOR FIVE SUB ICT END OF YEAR EXAM ONE 2023
Afrikaans
Albanian
Amharic
Arabic
Armenian
Azerbaijani
Basque
Belarusian
Bengali
Bosnian
Bulgarian
Catalan
Cebuano
Chichewa
Chinese (Simplified)
Chinese (Traditional)
Corsican
Croatian
Czech
Danish
Dutch
English
Esperanto
Estonian
Filipino
Finnish
French
Frisian
Galician
Georgian
German
Greek
Gujarati
Haitian Creole
Hausa
Hawaiian
Hebrew
Hindi
Hmong
Hungarian
Icelandic
Igbo
Indonesian
Irish
Italian
Japanese
Javanese
Kannada
Kazakh
Khmer
Korean
Kurdish (Kurmanji)
Kyrgyz
Lao
Latin
Latvian
Lithuanian
Luxembourgish
Macedonian
Malagasy
Malay
Malayalam
Maltese
Maori
Marathi
Mongolian
Myanmar (Burmese)
Nepali
Norwegian
Pashto
Persian
Polish
Portuguese
Punjabi
Romanian
Russian
Samoan
Scottish Gaelic
Serbian
Sesotho
Shona
Sindhi
Sinhala
Slovak
Slovenian
Somali
Spanish
Sundanese
Swahili
Swedish
Tajik
Tamil
Telugu
Thai
Turkish
Ukrainian
Urdu
Uzbek
Vietnamese
Welsh
Xhosa
Yiddish
Yoruba
Zulu
0 responses on "A tcpdump Tutorial with Examples"