A tcpdump Tutorial with Examples

tcpdump is the world’s premier network analysis tool—combining both power and simplicity into a single command-line interface. This guide will show you how to use it.

tcpdump is a powerful command-line packet analyzer. It allows you to capture and inspect network traffic in real-time. This tool is invaluable for network administrators, security professionals, and anyone who needs to understand network behavior.

In this tutorial, we’ll explore 50 practical examples of using tcpdump. These examples will cover a wide range of use cases, from basic traffic capture to advanced filtering and analysis.

Basic Syntax ​

The basic syntax of tcpdump is:

tcpdump [options] [expression]

• options: Modify the behavior of tcpdump, such as specifying the interface to capture on or the output format.
• expression: Defines what kind of traffic to capture. This is where you specify hostnames, IP addresses, ports, protocols, and other criteria.

Capturing Traffic on an Interface ​

To capture all traffic on a specific interface, use the -i flag followed by the interface name. For example, to capture traffic on the eth0 interface:

tcpdump -i eth0

To see a list of all available interfaces, use the command:

tcpdump -D

Capturing Traffic to/from a Specific Host ​

To capture traffic to or from a specific host, use the host keyword followed by the hostname or IP address:

tcpdump host 192.168.1.100

This will capture all traffic to and from the host with the IP address 192.168.1.100.

Capturing Traffic on a Specific Port ​

To capture traffic on a specific port, use the port keyword followed by the port number:

tcpdump port 80

This will capture all traffic on port 80 (HTTP).

Combining Filters ​

You can combine filters using and, or, and not operators. For example, to capture all traffic to or from host 192.168.1.100 on port 80, use:

tcpdump host 192.168.1.100 and port 80

To capture traffic from 192.168.1.100 on either port 80 or 443, use:

tcpdump src host 192.168.1.100 and ( port 80 or port 443 )

Advanced Filtering ​

Filtering by Protocol ​

To filter by protocol, use the ip, tcp, udp, or other protocol keywords. For example, to capture only TCP traffic:

tcpdump tcp

To capture only UDP traffic:

tcpdump udp

Filtering by Source or Destination ​

To filter by source or destination host or port, use the src or dst keywords:

tcpdump src host 192.168.1.100

This will capture all traffic from the host 192.168.1.100.

tcpdump dst port 443

This will capture all traffic destined for port 443.

Filtering by Network ​

To capture traffic within a specific network, use the net keyword:

tcpdump net 192.168.1.0/24

This will capture all traffic within the 192.168.1.0/24 network.

Saving Captured Traffic to a File ​

To save captured traffic to a file, use the -w flag followed by the filename:

tcpdump -w capture.pcap -i eth0

This will save all captured traffic on the eth0 interface to the file capture.pcap.

You can later analyze this file using tcpdump or another packet analyzer like Wireshark.

Reading Captured Traffic from a File ​

To read captured traffic from a file, use the -r flag followed by the filename:

tcpdump -r capture.pcap

This will read and display the traffic from the file capture.pcap.

Verbosity ​

You can control the verbosity of tcpdump output using the -v, -vv, or -vvv flags.

• -v: Verbose output.
• -vv: More verbose output.
• -vvv: Most verbose output.

For example:

tcpdump -vv -i eth0

50 tcpdump Examples ​

Here are 50 tcpdump examples to help you isolate traffic in various situations:

1. Capture all traffic on interface eth0:
   bash

   tcpdump -i eth0

   1
2. Capture all traffic on interface wlan0:
   bash

   tcpdump -i wlan0

   1
3. Capture traffic to or from host 192.168.1.100:
   bash

   tcpdump host 192.168.1.100

   1
4. Capture traffic to or from host example.com:
   bash

   tcpdump host example.com

   1
5. Capture traffic on port 80 (HTTP):
   bash

   tcpdump port 80

   1
6. Capture traffic on port 443 (HTTPS):
   bash

   tcpdump port 443

   1
7. Capture traffic on port 22 (SSH):
   bash

   tcpdump port 22

   1
8. Capture traffic on port 21 (FTP):
   bash

   tcpdump port 21

   1
9. Capture traffic on port 25 (SMTP):
   bash

   tcpdump port 25

   1
10. Capture traffic on port 53 (DNS):
    bash

    tcpdump port 53

    1
11. Capture traffic from host 192.168.1.100:
    bash

    tcpdump src host 192.168.1.100

    1
12. Capture traffic to host 192.168.1.100:
    bash

    tcpdump dst host 192.168.1.100

    1
13. Capture traffic from port 80:
    bash

    tcpdump src port 80

    1
14. Capture traffic to port 443:
    bash

    tcpdump dst port 443

    1
15. Capture all TCP traffic:
    bash

    tcpdump tcp

    1
16. Capture all UDP traffic:
    bash

    tcpdump udp

    1
17. Capture all ICMP traffic:
    bash

    tcpdump icmp

    1
18. Capture traffic to or from network 192.168.1.0/24:
    bash

    tcpdump net 192.168.1.0/24

    1
19. Capture traffic from network 192.168.1.0/24:
    bash

    tcpdump src net 192.168.1.0/24

    1
20. Capture traffic to network 192.168.1.0/24:
    bash

    tcpdump dst net 192.168.1.0/24

    1
21. Capture traffic to host 192.168.1.100 on port 80:
    bash

    tcpdump dst host 192.168.1.100 and dst port 80

    1
22. Capture traffic from host 192.168.1.100 on port 443:
    bash

    tcpdump src host 192.168.1.100 and src port 443

    1
23. Capture traffic to or from host 192.168.1.100 on port 80 or 443:
    bash

    tcpdump host 192.168.1.100 and ( port 80 or port 443 )

    1
24. Capture all traffic except ICMP:
    bash

    tcpdump not icmp

    1
25. Capture all traffic except port 80:
    bash

    tcpdump not port 80

    1
26. Capture traffic with a specific TCP flag (SYN):
    bash

    tcpdump 'tcp[tcpflags] & tcp-syn != 0'

    1
27. Capture traffic with a specific TCP flag (ACK):
    bash

    tcpdump 'tcp[tcpflags] & tcp-ack != 0'

    1
28. Capture traffic with a specific TCP flag (RST):
    bash

    tcpdump 'tcp[tcpflags] & tcp-rst != 0'

    1
29. Capture traffic with a specific TCP flag (FIN):
    bash

    tcpdump 'tcp[tcpflags] & tcp-fin != 0'

    1
30. Capture traffic with a specific TCP flag (URG):
    bash

    tcpdump 'tcp[tcpflags] & tcp-urg != 0'

    1
31. Capture traffic with a specific TCP flag (PSH):
    bash

    tcpdump 'tcp[tcpflags] & tcp-push != 0'

    1
32. Capture traffic with a specific TCP flag (ALL):
    bash

    tcpdump 'tcp[tcpflags] = 0x01'

    1
33. Capture traffic with a specific TCP flag (NONE):
    bash

    tcpdump 'tcp[tcpflags] = 0x00'

    1
34. Capture traffic with a specific TCP flag (SYN/ACK):
    bash

    tcpdump 'tcp[tcpflags] = 0x12'

    1
35. Capture traffic with a specific TCP flag (SYN/RST):
    bash

    tcpdump 'tcp[tcpflags] = 0x14'

    1
36. Capture traffic with a specific TCP flag (SYN/FIN):
    bash

    tcpdump 'tcp[tcpflags] = 0x11'

    1
37. Capture traffic with a specific TCP flag (PSH/ACK):
    bash

    tcpdump 'tcp[tcpflags] = 0x18'

    1
38. Capture traffic with a specific IP fragment offset:
    bash

    tcpdump 'ip[6:2] & 0x1fff != 0'

    1
39. Capture traffic with a specific IP TTL:
    bash

    tcpdump 'ip[8] = 128'

    1
40. Capture traffic with a specific IP DSCP:
    bash

    tcpdump 'ip[1] & 0xfc >> 2 = 46'

    1
41. Capture traffic with a specific IP ECN:
    bash

    tcpdump 'ip[1] & 0x03 = 3'

    1
42. Capture traffic with a specific TCP sequence number:
    bash

    tcpdump 'tcp[4:4] = 12345678'

    1
43. Capture traffic with a specific TCP acknowledgement number:
    bash

    tcpdump 'tcp[8:4] = 87654321'

    1
44. Capture traffic with a specific TCP source port range:
    bash

    tcpdump 'tcp[0:2] > 1023 and tcp[0:2] < 65536'

    1
45. Capture traffic with a specific TCP destination port range:
    bash

    tcpdump 'tcp[2:2] > 1023 and tcp[2:2] < 65536'

    1

These examples should provide a solid foundation for using tcpdump to analyze network traffic.

Happy hunting!

-Daniel