tcpdump is a very useful command to inspect and capture network packets that go into and from your machine. It’s one of the most common networking utilities to troubleshoot network problems and security issues.
Although its name is tcpdump but it can be used to inspect non-TCP traffic included UDP, ARP, or ICMP.
This tutorial will show you the way to use the tcpdump command in a Linux system.
By default, tcpdump is installed on most Linux distributions. To verify whether the tcpdump is installed or not, run the following command:
$ tcpdump --version
If it has not been installed yet, let’s run:
$ sudo apt update
$ sudo apt install tcpdump
Capture packets on network interfaces
When you run tcpdump without any options, it will capture all the packets on all of the network interfaces on your computer.
$ sudo tcpdump
You have to press Ctrl + C to stop.
To list all of the network interfaces that their packets can be inspected by the tcpdump command, run:
$ sudo tcpdump -D
If you want to capture packets on a specific network interface and limits packet to 6, run the following command:
$ sudo tcpdump -i eth0 -c 6
Capture network packets on a specific host
To capture the packets from a specific host. You can simply run the following command:
$ sudo tcpdump -n host 172.19.11.101 -c 5
Capture network packets on a specific port
If you want to filter only network packets on a specific port, let’s run the tcpdump command with the -n port option.
$ sudo tcpdump -n port 22
Capture network packets from source and destination
If you want to filter only network packets that come from a specific source, let’s run the tcpdump command with the src option.
$ sudo tcpdump src 172.19.11.210
For the purpose of capturing only network packets to a specific destination, run the tcpdump command with the dst option.
$ sudo tcpdump dst 172.19.11.210
Capture network packets with many combined filters
In order to combine many filters when running the tcpdump command, you can use these operators: and (&&), or (||), not (!). For example, the following command will capture all packets that come from the source 172.19.11.210 via port 22.
$ sudo tcpdump src 172.19.11.210 && -n port 22 -c 5
Filter network by a protocol
To capture the network packets of a particular protocol, let’s specify the protocol name as a command option. For example:
$ sudo tcpdump -n udp
You’ve already go through the details of how to use the tcpdump command for troubleshooting and analyzing the network on your Linux system.
If you have any concerns, please let me know. Thank you for reading.
Karim Buzdar holds a degree in telecommunication engineering and holds several sysadmin certifications including CCNA RS, SCP, and ACE. As an IT engineer and technical author, he writes for various websites.