A tcpdump Tutorial with Examples

50 ways to isolate traffic for cybersecurity, network administration, and other technical roles
January 5, 2004

tcpdump is the world's premier network analysis tool—combining both power and simplicity into a single command-line interface. This guide will show you how to use it.

tcpdump is a powerful command-line packet analyzer. It allows you to capture and inspect network traffic in real-time. This tool is invaluable for network administrators, security professionals, and anyone who needs to understand network behavior.

In this tutorial, we'll explore 50 practical examples of using tcpdump. These examples will cover a wide range of use cases, from basic traffic capture to advanced filtering and analysis.

Basic Syntax

The basic syntax of tcpdump is:

```bash
tcpdump [options] [expression]
```

  • options: Modify the behavior of tcpdump, such as specifying the interface to capture on or the output format.
  • expression: Defines what kind of traffic to capture. This is where you specify hostnames, IP addresses, ports, protocols, and other criteria.

Capturing Traffic on an Interface

To capture all traffic on a specific interface, use the -i flag followed by the interface name. Capturing normally requires root privileges (or the CAP_NET_RAW capability on Linux). For example, to capture traffic on the eth0 interface:

```bash
tcpdump -i eth0
```

To see a list of all available interfaces, use the command:

```bash
tcpdump -D
```

Capturing Traffic to/from a Specific Host

To capture traffic to or from a specific host, use the host keyword followed by the hostname or IP address:

```bash
tcpdump host 192.168.1.100
```

This will capture all traffic to and from the host with the IP address 192.168.1.100.

Capturing Traffic on a Specific Port

To capture traffic on a specific port, use the port keyword followed by the port number:

```bash
tcpdump port 80
```

This will capture all traffic with source or destination port 80 (HTTP).

Combining Filters

You can combine filters using and, or, and not operators. For example, to capture all traffic to or from host 192.168.1.100 on port 80, use:

```bash
tcpdump host 192.168.1.100 and port 80
```

To capture traffic from 192.168.1.100 on either port 80 or 443, use the following. The parentheses are escaped with backslashes so the shell passes them through to tcpdump; quoting the whole expression in single quotes works as well:

```bash
tcpdump src host 192.168.1.100 and \( port 80 or port 443 \)
```

Advanced Filtering

Filtering by Protocol

To filter by protocol, use the ip, tcp, udp, or other protocol keywords. For example, to capture only TCP traffic:

```bash
tcpdump tcp
```

To capture only UDP traffic:

```bash
tcpdump udp
```

Filtering by Source or Destination

To filter by source or destination host or port, use the src or dst keywords:

```bash
tcpdump src host 192.168.1.100
```

This will capture all traffic from the host 192.168.1.100.

```bash
tcpdump dst port 443
```

This will capture all traffic destined for port 443.

Filtering by Network

To capture traffic within a specific network, use the net keyword:

```bash
tcpdump net 192.168.1.0/24
```

This will capture all traffic within the 192.168.1.0/24 network.

Saving Captured Traffic to a File

To save captured traffic to a file, use the -w flag followed by the filename:

```bash
tcpdump -w capture.pcap -i eth0
```

This will save all captured traffic on the eth0 interface to the file capture.pcap. Nothing is printed to the terminal while writing; combine -w with a filter expression to keep the file small.

You can later analyze this file using tcpdump or another packet analyzer like Wireshark.

Reading Captured Traffic from a File

To read captured traffic from a file, use the -r flag followed by the filename:

```bash
tcpdump -r capture.pcap
```

This will read and display the traffic from the file capture.pcap.

Verbosity

You can control the verbosity of tcpdump output using the -v, -vv, or -vvv flags.

  • -v: Verbose output.
  • -vv: More verbose output.
  • -vvv: Most verbose output.

For example:

```bash
tcpdump -vv -i eth0
```

50 tcpdump Examples

Here are 50 tcpdump examples to help you isolate traffic in various situations:

  1. Capture all traffic on interface eth0:
    ```bash
    tcpdump -i eth0
    ```
  2. Capture all traffic on interface wlan0:
    ```bash
    tcpdump -i wlan0
    ```
  3. Capture traffic to or from host 192.168.1.100:
    ```bash
    tcpdump host 192.168.1.100
    ```
  4. Capture traffic to or from host example.com:
    ```bash
    tcpdump host example.com
    ```
  5. Capture traffic on port 80 (HTTP):
    ```bash
    tcpdump port 80
    ```
  6. Capture traffic on port 443 (HTTPS):
    ```bash
    tcpdump port 443
    ```
  7. Capture traffic on port 22 (SSH):
    ```bash
    tcpdump port 22
    ```
  8. Capture traffic on port 21 (FTP):
    ```bash
    tcpdump port 21
    ```
  9. Capture traffic on port 25 (SMTP):
    ```bash
    tcpdump port 25
    ```
  10. Capture traffic on port 53 (DNS):
    ```bash
    tcpdump port 53
    ```
  11. Capture traffic from host 192.168.1.100:
    ```bash
    tcpdump src host 192.168.1.100
    ```
  12. Capture traffic to host 192.168.1.100:
    ```bash
    tcpdump dst host 192.168.1.100
    ```
  13. Capture traffic from port 80:
    ```bash
    tcpdump src port 80
    ```
  14. Capture traffic to port 443:
    ```bash
    tcpdump dst port 443
    ```
  15. Capture all TCP traffic:
    ```bash
    tcpdump tcp
    ```
  16. Capture all UDP traffic:
    ```bash
    tcpdump udp
    ```
  17. Capture all ICMP traffic:
    ```bash
    tcpdump icmp
    ```
  18. Capture traffic to or from network 192.168.1.0/24:
    ```bash
    tcpdump net 192.168.1.0/24
    ```
  19. Capture traffic from network 192.168.1.0/24:
    ```bash
    tcpdump src net 192.168.1.0/24
    ```
  20. Capture traffic to network 192.168.1.0/24:
    ```bash
    tcpdump dst net 192.168.1.0/24
    ```
  21. Capture traffic to host 192.168.1.100 on port 80:
    ```bash
    tcpdump dst host 192.168.1.100 and dst port 80
    ```
  22. Capture traffic from host 192.168.1.100 on port 443:
    ```bash
    tcpdump src host 192.168.1.100 and src port 443
    ```
  23. Capture traffic to or from host 192.168.1.100 on port 80 or 443:
    ```bash
    tcpdump host 192.168.1.100 and \( port 80 or port 443 \)
    ```
  24. Capture all traffic except ICMP:
    ```bash
    tcpdump not icmp
    ```
  25. Capture all traffic except port 80:
    ```bash
    tcpdump not port 80
    ```
  26. Capture traffic with a specific TCP flag (SYN):
    ```bash
    tcpdump 'tcp[tcpflags] & tcp-syn != 0'
    ```
  27. Capture traffic with a specific TCP flag (ACK):
    ```bash
    tcpdump 'tcp[tcpflags] & tcp-ack != 0'
    ```
  28. Capture traffic with a specific TCP flag (RST):
    ```bash
    tcpdump 'tcp[tcpflags] & tcp-rst != 0'
    ```
  29. Capture traffic with a specific TCP flag (FIN):
    ```bash
    tcpdump 'tcp[tcpflags] & tcp-fin != 0'
    ```
  30. Capture traffic with a specific TCP flag (URG):
    ```bash
    tcpdump 'tcp[tcpflags] & tcp-urg != 0'
    ```
  31. Capture traffic with a specific TCP flag (PSH):
    ```bash
    tcpdump 'tcp[tcpflags] & tcp-push != 0'
    ```
  32. Capture traffic with all six classic TCP flags set (FIN, SYN, RST, PSH, ACK, URG; 0x3f):
    ```bash
    tcpdump 'tcp[tcpflags] & 0x3f = 0x3f'
    ```
  33. Capture traffic with no TCP flags set (NONE):
    ```bash
    tcpdump 'tcp[tcpflags] = 0x00'
    ```
  34. Capture traffic with a specific TCP flag combination (SYN/ACK):
    ```bash
    tcpdump 'tcp[tcpflags] = 0x12'
    ```
  35. Capture traffic with a specific TCP flag combination (SYN/RST, 0x02 + 0x04):
    ```bash
    tcpdump 'tcp[tcpflags] = 0x06'
    ```
  36. Capture traffic with a specific TCP flag combination (SYN/FIN, 0x02 + 0x01):
    ```bash
    tcpdump 'tcp[tcpflags] = 0x03'
    ```
  37. Capture traffic with a specific TCP flag combination (PSH/ACK):
    ```bash
    tcpdump 'tcp[tcpflags] = 0x18'
    ```
  38. Capture fragmented IP traffic (MF flag set or a non-zero fragment offset):
    ```bash
    tcpdump 'ip[6:2] & 0x3fff != 0'
    ```
  39. Capture IP fragments with a non-zero fragment offset (every fragment but the first):
    ```bash
    tcpdump 'ip[6:2] & 0x1fff != 0'
    ```
  40. Capture traffic with a specific IP TTL:
    ```bash
    tcpdump 'ip[8] = 128'
    ```
  41. Capture traffic with a specific IP DSCP value (46 = Expedited Forwarding). The parentheses are required: in pcap-filter expressions & binds more loosely than >>, so without them the mask is shifted instead of the field:
    ```bash
    tcpdump '(ip[1] & 0xfc) >> 2 = 46'
    ```
  42. Capture traffic with a specific IP ECN value (3 = Congestion Experienced):
    ```bash
    tcpdump 'ip[1] & 0x03 = 3'
    ```
  43. Capture traffic with a specific TCP window size:
    ```bash
    tcpdump 'tcp[14:2] = 65535'
    ```
  44. Capture traffic with a specific TCP sequence number:
    ```bash
    tcpdump 'tcp[4:4] = 12345678'
    ```
  45. Capture traffic with a specific TCP acknowledgement number:
    ```bash
    tcpdump 'tcp[8:4] = 87654321'
    ```
  46. Capture traffic with a TCP source port in a range (ephemeral ports above 1023):
    ```bash
    tcpdump 'tcp[0:2] > 1023 and tcp[0:2] < 65536'
    ```
  47. Capture traffic with a TCP destination port in a range (ports above 1023):
    ```bash
    tcpdump 'tcp[2:2] > 1023 and tcp[2:2] < 65536'
    ```
  48. Capture TCP segments that carry payload (non-zero payload length). The payload length is the IP total length minus the IP header length minus the TCP data offset; a fixed offset such as tcp[20:2] would read options or payload bytes, not a length:
    ```bash
    tcpdump '(ip[2:2] - ((ip[0] & 0xf) << 2) - ((tcp[12] & 0xf0) >> 2)) != 0'
    ```
  49. Capture traffic with a specific TCP checksum (here, zero):
    ```bash
    tcpdump 'tcp[16:2] = 0'
    ```
  50. Capture traffic with a specific TCP urgent pointer (here, zero):
    ```bash
    tcpdump 'tcp[18:2] = 0'
    ```
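To see what the byte-offset filters in examples 26 through 50 actually test, here is an added Python example (not part of the original tutorial) that decodes a constructed IPv4/TCP packet the way tcpdump indexes ip[...] and tcp[...]. The packet builder and function names are my own assumptions; the sample packets are constructed, not captured.

```python
import struct

# TCP flag bits, the values behind tcpdump's tcp-fin, tcp-syn, ... names.
TCP_FIN, TCP_SYN, TCP_RST, TCP_PUSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_ipv4_tcp(tos=0, frag_word=0, ttl=64, sport=40000, dport=80,
                   flags=0, window=65535, payload=b""):
    """Constructed IPv4 + TCP packet (no options, zero checksums): sample input only."""
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, window, 0, 0)
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, 0, frag_word, ttl, 6, 0,
                         bytes([192, 168, 1, 100]), bytes([10, 0, 0, 1]))
    return ip_hdr + tcp_hdr + payload


def ip(pkt, off, size=1):
    """Emulate tcpdump's ip[off:size]: bytes counted from the start of the IPv4 header."""
    return int.from_bytes(pkt[off:off + size], "big")


def tcp(pkt, off, size=1):
    """Emulate tcp[off:size]: tcpdump skips the variable-length IP header for you."""
    ihl = (ip(pkt, 0) & 0x0F) * 4
    return int.from_bytes(pkt[ihl + off:ihl + off + size], "big")


def tcpflags(pkt):
    return tcp(pkt, 13)                # tcp[tcpflags] is an alias for tcp[13]


def dscp(pkt):
    return (ip(pkt, 1) & 0xFC) >> 2    # mask first, then shift (example 41)


def is_fragment(pkt):
    return ip(pkt, 6, 2) & 0x3FFF != 0  # MF flag or non-zero offset (example 38)


def tcp_payload_len(pkt):
    # IP total length minus IP header length minus TCP data offset (example 48).
    return ip(pkt, 2, 2) - ((ip(pkt, 0) & 0x0F) << 2) - ((tcp(pkt, 12) & 0xF0) >> 2)


if __name__ == "__main__":
    print(hex(tcpflags(build_ipv4_tcp(flags=TCP_SYN | TCP_ACK))))   # 0x12 (example 34)
    print(hex(tcpflags(build_ipv4_tcp(flags=TCP_FIN | TCP_ACK))))   # 0x11 is FIN/ACK, not SYN/FIN
    print(dscp(build_ipv4_tcp(tos=0xB8)))                            # 46 (EF)
    print(is_fragment(build_ipv4_tcp(frag_word=0x4000)))             # False: DF alone is not a fragment
    print(tcp_payload_len(build_ipv4_tcp(payload=b"GET / ")))        # 6
```

Pointing any of these functions at bytes read from a capture file (after stripping the link-layer header) shows which of the listed filters that packet would match.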