
Tcpdump unpacked: Networking diagnostics in Linux made easy

Tcpdump is Linux's premier network packet analyzer. Grasp its full potential as we break down its usage, from basic syntax to advanced captures, through hands-on examples.

by John Horan

Networking can be a daunting word for those unfamiliar with the field. However, I want to put your mind at ease. One of my favorite tools over the years has been the “tcpdump” command. Not only does it help unravel the mysteries of data packets, but it’s also incredibly versatile.

In this guide, I will walk you through the intricacies of using “tcpdump,” breaking down its syntax and providing illustrative examples.

Why do I love tcpdump?

Before we dive deep, let’s share a little secret. I’ve always had a liking for tools that give me more control and insight. tcpdump does exactly that for network troubleshooting. However, I do dislike the fact that its output can be overwhelming at times. Yet, with proper know-how, we can tame this beast.

What is tcpdump?

tcpdump is a command-line network packet analyzer built on libpcap. It captures the packets an interface sends or receives and either prints a one-line summary of each or writes the raw packets to a capture file that tcpdump itself, Wireshark, and most other analysis tools can read later. Filtering happens in the kernel through BPF (Berkeley Packet Filter) expressions, so you can narrow a capture to exactly the traffic you care about before it ever reaches user space. That combination, capture in one place and analyze in another, is what makes it so valuable for network debugging and for incident response.

Installing tcpdump

Before using tcpdump, ensure it’s installed on your system:

sudo apt-get install tcpdump

For RPM-based distributions (newer Fedora and RHEL derivatives use dnf with the same package name):

sudo yum install tcpdump

Let’s get started: The basic syntax

The most straightforward way to use tcpdump is without any arguments:

tcpdump

This command captures on the first configured, non-loopback interface that is up (recent versions may pick the any pseudo-interface instead) and prints one line per packet. Because it also resolves IP addresses and port numbers to names, the output is both overwhelming and slow; the -n (no host lookups) and -nn (no host or port lookups) options are worth making a habit, for speed and because the reverse DNS queries themselves go out on the wire and tell the DNS server what you are looking at. Here is a sample line:

12:01:23.123456 IP user1.ftp > ftp-server.ftp: Flags [S], seq 12345678, length 0

This output, though cryptic, is regular. 12:01:23.123456 is the timestamp; IP is the network-layer protocol; user1.ftp > ftp-server.ftp is source host.port > destination host.port (with -nn these appear as numeric addresses and ports); Flags [S] is the TCP flag set, here a lone SYN, the first packet of a connection (S. is SYN-ACK, . a bare ACK, P. a PSH-ACK carrying data, F a FIN, R a reset); seq is the sequence number; and length 0 is the TCP payload length in bytes. Later lines for the same connection usually carry ack, win, and options fields as well.

Filtering the Output

The raw output can be a lot, but thankfully, tcpdump provides a myriad of filtering options.

By Interface

Strictly speaking, -i chooses where to capture rather than what to show, but it is the first thing to get right. If you have multiple network interfaces and wish to listen to a specific one:

tcpdump -i eth0

On Linux, -i any captures on every interface at once, which is the quickest way to find out which interface a flow is actually using. My personal favorite is -D, which lists all available interfaces (numbered, and the number can be passed to -i instead of the name):

tcpdump -D

By Protocol

Interested in just the ICMP traffic? The same works for tcp, udp, arp, and ip6, and the keywords combine with and, or, and not.

tcpdump icmp

Sample Output:

12:01:45.123456 IP user1 > server: ICMP echo request, id 1234, seq 1, length 64

By Source & Destination

To filter packets sent by a specific IP:

tcpdump src 192.168.1.10

Or destined to an IP:

tcpdump dst 192.168.1.15

Two relatives are worth knowing: host matches an address in either direction, and net with a CIDR prefix matches a whole range. These primitives combine with and, or, and not, and if an expression contains parentheses, wrap the whole thing in single quotes so the shell leaves it alone.

Displaying Packet Contents

Peeking into packet content is fascinating, and with -X you get to see both the hex and ASCII representation of each packet (-XX includes the link-layer header as well, and -A prints the ASCII column only):

tcpdump -X

However, a fair warning: this makes your output much longer. It’s like reading The Lord of the Rings when you just wanted a short story. It also makes one thing very plain: anything that is not encrypted (FTP and Telnet logins, HTTP Basic authentication, plain SMTP) is readable right there in the ASCII column. That is why -X is so handy for debugging, and why capture files deserve to be treated as sensitive data.
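To make that concrete, here is an added example, written for this article and not taken from tcpdump’s own code. It builds a small constructed IPv4/TCP packet carrying an FTP USER command (the addresses, ports and payload are made up) and formats it the way -X does: a 0x-prefixed offset, sixteen bytes as eight groups of four hex digits, then the same bytes as ASCII with a dot for anything unprintable. A second helper pulls out the printable runs the way strings(1) would, which is exactly what a sniffer on the path sees of a cleartext protocol.

```python
"""Hex/ASCII dump in the layout tcpdump -X prints, over a constructed packet."""
import struct


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words, as used for the IPv4 header checksum."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_tcp(src, dst, sport, dport, payload, seq=1, ack=1):
    """Constructed IPv4/TCP (PSH+ACK) packet for display only. The IPv4 checksum
    is filled in; the TCP checksum is left at zero because nothing sends this."""
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, total_len, 0x1C46, 0x4000, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, 0x18, 64240, 0, 0)
    return ip + tcp + payload


def hexdump_x(data: bytes):
    """Lines in tcpdump -X layout: '0xOFFS:  ' + eight 4-hex-digit groups (padded
    so the ASCII column lines up on a short last line) + two spaces + the bytes
    as ASCII, with '.' for anything outside 0x20..0x7e. tcpdump indents each
    line with a tab; that is omitted here."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        groups = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        text = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append(f"0x{off:04x}:  {groups:<39}  {text}")
    return lines


def readable_text(data: bytes, min_run: int = 4):
    """Runs of printable ASCII at least min_run long, like strings(1):
    this is what a sniffer sees of a cleartext protocol."""
    runs, cur = [], []
    for b in data:
        if 0x20 <= b < 0x7F:
            cur.append(chr(b))
        else:
            if len(cur) >= min_run:
                runs.append("".join(cur))
            cur = []
    if len(cur) >= min_run:
        runs.append("".join(cur))
    return runs


def dump_packet():
    """Constructed FTP login command from 192.168.1.10 to 192.168.1.15 port 21."""
    pkt = build_ipv4_tcp("192.168.1.10", "192.168.1.15", 54321, 21, b"USER alice\r\n")
    return hexdump_x(pkt), readable_text(pkt)


if __name__ == "__main__":
    lines, strings = dump_packet()
    print("\n".join(lines))
    print("cleartext:", strings)
```

The first dump line reads 0x0000:  4500 0034 1c46 4000 4006 9b14 c0a8 010a  E..4.F@.@......., the IPv4 header exactly as tcpdump would show it, and the third line ends in the USER command. Swap in a TLS record instead of the FTP payload and readable_text comes back empty, which is the whole argument for encrypting things.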

Capturing Packets to a File

For extended analysis, capturing packets to a file is a game-changer. Use -w followed by the filename; tcpdump then writes the raw packets in pcap format instead of printing summaries, and you can still add a filter expression and -s to control what goes in:

tcpdump -w mypackets.pcap

Reading it back is just as simple, and -r accepts the same filter expressions and display options (-n, -X, and so on) as a live capture:

tcpdump -r mypackets.pcap

For long-running captures, -c stops after a given number of packets, and -C or -G rotate the output file by size or by time. Remember that a capture file holds full payloads: keep it on a disk you control and delete it when the investigation is over.

Limiting Packet Capture

Each packet is stored up to a snapshot length. Since tcpdump 4.0 the default is 262144 bytes, which is effectively the entire packet; versions before 4.0 defaulted to just 68 bytes. If you’d prefer to keep only the start of each packet:

tcpdump -s 100

This captures the first 100 bytes of each packet, which is enough for the Ethernet, IP and TCP headers on a normal connection. When a packet is cut short, tcpdump marks the protocol it could not fully decode with [|proto] in the output, for example [|dns]. This feature is something I have mixed feelings about. It is genuinely useful when you want headers only, to keep a long capture small and to avoid storing other people’s payloads, but you might miss crucial information if you’re not careful.
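To show what -w, -r and -s actually do on disk, here is an added example (written for this article, not tcpdump or libpcap code) that writes and reads the classic pcap format tcpdump uses: a global header that records the snapshot length, then one record per packet carrying both the stored length and the original on-the-wire length. The two packets are constructed byte strings, and link type 101 (raw IP, no Ethernet header) is assumed so they do not need a link-layer header; a real capture from an Ethernet interface uses link type 1.

```python
"""Pure-Python pcap writer/reader showing what -w, -r and -s do on disk."""
import os
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap, microsecond timestamps
LINKTYPE_RAW = 101               # DLT_RAW: each record starts at the IP header
# magic, version major/minor, thiszone, sigfigs, snaplen, linktype
GLOBAL_HDR = struct.Struct("<IHHiIII")
# ts_sec, ts_usec, incl_len (bytes stored), orig_len (bytes on the wire)
RECORD_HDR = struct.Struct("<IIII")


def write_pcap(path, packets, snaplen=262144):
    """packets: iterable of (timestamp_seconds, bytes). Mirrors -w with -s snaplen:
    only the first snaplen bytes of each packet are stored, but orig_len keeps
    the real length so a reader can tell the record was cut short."""
    with open(path, "wb") as fh:
        fh.write(GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_RAW))
        for ts, pkt in packets:
            data = pkt[:snaplen]
            sec = int(ts)
            usec = int(round((ts - sec) * 1_000_000))
            fh.write(RECORD_HDR.pack(sec, usec, len(data), len(pkt)))
            fh.write(data)


def read_pcap(path):
    """Mirrors -r: returns (snaplen, linktype, records). Each record notes whether
    incl_len < orig_len, i.e. whether it was truncated at capture time."""
    with open(path, "rb") as fh:
        hdr = fh.read(GLOBAL_HDR.size)
        if len(hdr) < GLOBAL_HDR.size:
            raise ValueError("file too short for a pcap global header")
        magic, _major, _minor, _tz, _sig, snaplen, linktype = GLOBAL_HDR.unpack(hdr)
        if magic != PCAP_MAGIC:
            raise ValueError(f"not a little-endian classic pcap file (magic 0x{magic:08x})")
        records = []
        while True:
            rh = fh.read(RECORD_HDR.size)
            if not rh:
                break
            if len(rh) < RECORD_HDR.size:
                raise ValueError("partial record header: the file was cut short")
            sec, usec, incl_len, orig_len = RECORD_HDR.unpack(rh)
            data = fh.read(incl_len)
            if len(data) != incl_len:
                raise ValueError("partial record: the file was cut short")
            records.append({"ts": sec + usec / 1_000_000, "data": data,
                            "orig_len": orig_len, "truncated": incl_len < orig_len})
    return snaplen, linktype, records


def roundtrip_demo(snaplen=100):
    """Write two constructed 'packets' with the given snaplen and read them back."""
    big = bytes(range(256)) + b"\x00" * 44    # 300 bytes, longer than a 100-byte snaplen
    small = b"\x45" + b"\x00" * 59            # 60 bytes, fits in full
    fd, path = tempfile.mkstemp(suffix=".pcap")
    os.close(fd)
    try:
        write_pcap(path, [(1700000000.123456, big), (1700000000.5, small)], snaplen)
        read_snaplen, linktype, records = read_pcap(path)
    finally:
        os.unlink(path)
    return {
        "snaplen": read_snaplen,
        "linktype": linktype,
        "stored_lens": [len(r["data"]) for r in records],
        "orig_lens": [r["orig_len"] for r in records],
        "truncated": [r["truncated"] for r in records],
    }


if __name__ == "__main__":
    print(roundtrip_demo(100))       # 300-byte packet stored as 100 bytes, flagged truncated
    print(roundtrip_demo(262144))    # default snaplen: nothing truncated
```

With snaplen 100 the first record keeps 100 of its 300 bytes and is flagged as truncated, while the 60-byte record is intact; with the 262144 default nothing is cut. A file written this way is a valid pcap, so tcpdump -r and Wireshark open it, and the snapshot length you chose travels with the file in its header.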

tcpdump commands quick reference table

Command                    Description
tcpdump                    Capture on the default interface and print one line per packet.
tcpdump -i eth0            Capture on the eth0 interface.
tcpdump -D                 List the interfaces tcpdump can capture on.
tcpdump icmp               Show only ICMP traffic.
tcpdump src 192.168.1.10   Show packets sent by 192.168.1.10.
tcpdump dst 192.168.1.15   Show packets addressed to 192.168.1.15.
tcpdump -X                 Print each packet’s bytes in hex and ASCII.
tcpdump -w mypackets.pcap  Write raw packets to mypackets.pcap instead of printing them.
tcpdump -r mypackets.pcap  Read and print packets from the saved .pcap file.
tcpdump -s 100             Keep only the first 100 bytes of each packet.

Common troubleshooting issues with tcpdump and their resolutions

Ah, the challenges! Despite my affection for tcpdump, it’s not without its quirks. Like that one friend who’s fantastic but can sometimes be frustratingly puzzling. Over my years of tinkering, I’ve come across some common issues and their fixes. Here’s a compact troubleshooting guide for your tcpdump journey:

1. Permission Denied

Issue: Opening an interface for capture needs the CAP_NET_RAW and CAP_NET_ADMIN capabilities, so running tcpdump as an ordinary user fails with a “permission denied” or “You don’t have permission to capture on that device” error.

Solution: Use sudo:

sudo tcpdump

But be cautious: running with superuser permissions is powerful and potentially risky. tcpdump helps here by dropping its own privileges once the interface is open (the -Z option names the user; Debian and Ubuntu builds switch to the tcpdump user by default), which is also why writing a capture file into your home directory can itself fail with permission denied. If you capture often, granting just those two capabilities to the tcpdump binary with setcap, or adding yourself to a dedicated capture group, is safer than a blanket sudo.

2. Interface Not Found

Issue: tcpdump: SIOCGIFHWADDR: No such device

Solution: Ensure the network interface you’re specifying exists. On systemd-based systems the names are usually predictable ones such as enp0s3 or ens33 rather than eth0. List all interfaces with:

tcpdump -D

Use the correct interface name (or its number from that list) in your command.

3. tcpdump Not Found

Issue: Command not found when trying to run tcpdump.

Solution: Either tcpdump is not installed or it is not in your $PATH. On Debian-based systems it lives in /usr/sbin, which is not on a regular user’s PATH, so sudo tcpdump works while plain tcpdump is “not found”. Install it with your package manager, or provide the full path to the executable.

4. Overwhelming Output

Issue: When run without filters, tcpdump can generate a copious amount of data.

Solution: Use filters to limit the output. For instance, focus on a specific protocol, source, or destination, add -n so no time is lost on name lookups, and use -c to stop after a fixed number of packets when you only need a sample. Remember, filtering is your friend!

5. Packet Truncation

Issue: Sometimes packets are cut short and you can’t see the full content; tcpdump marks this with [|proto] in the output, for example [|dns].

Solution: The snapshot length is too small for the protocol you are decoding. Modern tcpdump defaults to 262144 bytes, which covers any packet, but older versions defaulted to 68 bytes, and a capture file keeps whatever snaplen it was recorded with. For a live capture, use the -s flag with a higher value, or 0, which means the full default length:

tcpdump -s 0

6. Can’t Read PCAP Files

Issue: Unable to read .pcap files, or tcpdump prints “permission denied” while writing one.

Solution: Make sure you use -r to read capture files; -w is the write option, and mixing them up is easy. If tcpdump refuses to write the file, remember that it drops privileges after opening the interface, so write to a directory the unprivileged tcpdump user can reach (for example /tmp) and then copy the file. If reading fails with a format error, check the file was not cut short by an interrupted capture and that it is really a pcap file rather than a pcapng capture from a tool your libpcap version cannot read:

tcpdump -r filename.pcap

7. Time Stamps are Hard to Interpret

Issue: By default, tcpdump prints only the time of day, which is hard to correlate with logs from other systems.

Solution: Adjust the timestamp format: -tttt prints the full date and time, -tt prints seconds since the epoch (handy for scripts), -ttt prints the delta since the previous line (handy for spotting slow replies), and -t drops timestamps altogether:

tcpdump -tttt

8. Too Much DNS Traffic

Issue: A lot of DNS queries in the output, making it hard to spot relevant data.

Solution: Filter out DNS traffic. port 53 matches either source or destination port, so not port 53 hides both queries and replies (and, when the problem is name resolution, the opposite filter, port 53, shows exactly those):

tcpdump not port 53

9. Incomplete TCP Conversations

Issue: Only seeing one side of the TCP conversation.

Solution: This might be due to asymmetric routing, a SPAN or mirror port configured for one direction only, or capturing on a device (a bridge, a VM host, a container’s veth) that only sees half of the traffic. Ensure you’re capturing on an interface that can see the entire conversation, or use -i any to check every interface at once. The pattern is also a finding in itself: an interface that sees requests but never a reply usually means a firewall is dropping the replies or they are taking a different path back.
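Spotting a one-sided conversation by eye is tedious in a long capture, so here is an added example, written for this article rather than taken from tcpdump, that parses the one-line TCP output format explained in the basic syntax section (as printed with -nn, so hosts and ports are numeric) and reports flows seen in only one direction. The sample lines are constructed: one complete handshake, a client retransmitting SYNs that never get answered, and an SSH client whose packets acknowledge data we never captured. That last detail separates the two causes discussed above: bare SYN retransmits mean the peer never replied or its replies were dropped, while acknowledgements of unseen data mean the reverse direction exists but bypasses the capture point.

```python
"""Parse tcpdump's one-line TCP output (-nn form) and flag one-sided flows."""
import re
from collections import defaultdict

# Constructed sample lines in the format 'tcpdump -nn tcp' prints.
SAMPLE_LINES = [
    "12:01:23.100001 IP 192.168.1.10.54321 > 192.168.1.15.80: Flags [S], seq 1000, win 64240, options [mss 1460], length 0",
    "12:01:23.100300 IP 192.168.1.15.80 > 192.168.1.10.54321: Flags [S.], seq 5000, ack 1001, win 65160, options [mss 1460], length 0",
    "12:01:23.100400 IP 192.168.1.10.54321 > 192.168.1.15.80: Flags [.], ack 1, win 502, length 0",
    "12:01:23.200000 IP 192.168.1.10.54321 > 192.168.1.15.80: Flags [P.], seq 1:79, ack 1, win 502, length 78",
    "12:01:24.000000 IP 192.168.1.10.49152 > 10.0.0.7.443: Flags [S], seq 2000, win 64240, options [mss 1460], length 0",
    "12:01:25.000000 IP 192.168.1.10.49152 > 10.0.0.7.443: Flags [S], seq 2000, win 64240, options [mss 1460], length 0",
    "12:01:27.000000 IP 192.168.1.10.49152 > 10.0.0.7.443: Flags [S], seq 2000, win 64240, options [mss 1460], length 0",
    "12:01:30.000000 IP 172.16.0.5.33000 > 192.168.1.10.22: Flags [P.], seq 1:53, ack 1, win 501, length 52",
    "12:01:30.050000 IP 172.16.0.5.33000 > 192.168.1.10.22: Flags [.], ack 37, win 501, length 0",
]

# Field order (seq, ack, win, options, length) is the order tcpdump prints them;
# the optional ones are skipped when absent rather than required.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>[\d:]+))?"
    r"(?:, ack (?P<ack>\d+))?"
    r"(?:, win \d+)?"
    r"(?:, options \[[^\]]*\])?"
    r", length (?P<length>\d+)$"
)


def parse_line(line):
    """Return a dict of fields for a TCP line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"], "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]), "flags": d["flags"],
        "seq": d["seq"], "ack": int(d["ack"]) if d["ack"] else None,
        "length": int(d["length"]),
    }


def flow_key(pkt):
    """Direction-independent key so both halves of a conversation group together."""
    a = (pkt["src"], pkt["sport"])
    b = (pkt["dst"], pkt["dport"])
    return (a, b) if a <= b else (b, a)


def one_sided_flows(lines):
    """Group packets per flow and report those seen in one direction only."""
    flows = defaultdict(lambda: {"dirs": set(), "pkts": []})
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        f = flows[flow_key(pkt)]
        f["dirs"].add((pkt["src"], pkt["sport"]))
        f["pkts"].append(pkt)
    report = []
    for key, f in flows.items():
        if len(f["dirs"]) != 1:
            continue
        only_syns = all(p["flags"] == "S" and p["ack"] is None for p in f["pkts"])
        if only_syns:
            verdict = "no reply seen: SYN retransmits only (peer down or filtered)"
        else:
            verdict = "reverse direction not captured: packets ack data never seen here"
        report.append({"flow": key, "packets": len(f["pkts"]), "verdict": verdict})
    return report


if __name__ == "__main__":
    for entry in one_sided_flows(SAMPLE_LINES):
        (a, b) = entry["flow"]
        print(f"{a[0]}:{a[1]} <-> {b[0]}:{b[1]} ({entry['packets']} pkts): {entry['verdict']}")
```

Run against a real capture with tcpdump -nn -r mypackets.pcap tcp piped into it, the script prints two lines for the sample above: the 443 flow as unanswered SYNs and the port 22 flow as a conversation whose other half this interface never saw. The handshake to port 80 is not reported because both directions are present.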

Wrapping Up

In this comprehensive guide, we have delved deep into the realm of network packet analysis in Linux using an invaluable tool called “tcpdump”. We explored its basic syntax and multifaceted filtering capabilities, to help you harness its power in decoding the intricacies of network traffic. We have highlighted the importance of capturing and reading packets, especially when tailored to our specific needs, and provided common troubleshooting challenges and their resolutions.

Additionally, we have included a quick reference table that serves as a handy cheat sheet for both beginners and seasoned users. In essence, “tcpdump” is an indispensable tool for any Linux network enthusiast, offering a window into the otherwise invisible world of data packets that constantly traverse our networks.

©2016-2023 FOSS LINUX