If you work with Linux systems, at some point you will need to look at what is actually traveling across your network. That is where tcpdump comes in. It is one of the most practical tools for network troubleshooting, security analysis, and debugging. I have used it countless times to find misconfigured services, catch suspicious traffic, and verify that firewalls are doing their job.
In this guide I will walk through 10 essential tcpdump examples that cover the most common real-world scenarios. By the end you will be able to capture traffic, filter it down to what matters, and analyze the results without opening Wireshark.
What is the tcpdump command?
The tcpdump command is a packet analyzer that runs from the terminal. It captures network packets and displays them in real time or saves them to a file for later analysis. It ships with almost every Linux distribution and has been around for decades. You do not need a GUI or a desktop environment to use it. That makes it perfect for servers, SSH sessions, and incident response work.
Tcpdump uses libpcap under the hood, the same library that powers Wireshark and many other network tools. The output looks cryptic at first, but after a few runs the format becomes straightforward. Each line shows a timestamp, source and destination IPs, ports, protocol flags, and packet length.
Before you start, make sure you have the right permissions. Tcpdump needs root or CAP_NET_RAW and CAP_NET_ADMIN capabilities to run.
1. Capture Traffic on a Specific Interface with tcpdump command
The first thing you need to know is how to target a specific network interface. If you run tcpdump without any options, it picks the lowest-numbered interface. That is often loopback, which is not what you want.
List your available interfaces first:
tcpdump -D
Then capture on the interface you care about:
sudo tcpdump -i eth0
This starts printing every packet that hits eth0 to your terminal. Hit Ctrl+C when you want to stop. The output scrolls fast on a busy machine, so you almost always want to add filters. I rarely run the tcpdump command without at least one filter flag.
2. Filter by Host with tcpdump command
When you are troubleshooting a specific server or service, you want to see only traffic to or from that machine. The host filter makes that simple:
sudo tcpdump -i eth0 host 192.168.1.100
You can also use src host or dst host to narrow it down further:
sudo tcpdump -i eth0 src host 192.168.1.100
sudo tcpdump -i eth0 dst host 10.0.0.5
I use the src/dst variants a lot when tracking down which machine is sending unexpected traffic. It cuts the noise down fast.
3. Filter by Port with tcpdump command
Filtering by port is probably the most common way I use tcpdump. If you want to see only HTTP or HTTPS traffic, target ports 80 and 443:
sudo tcpdump -i eth0 port 80
sudo tcpdump -i eth0 port 443
You can combine port and host filters to watch traffic to a specific service on a specific server:
sudo tcpdump -i eth0 host 10.0.0.5 and port 3306
That example shows only MySQL traffic (port 3306) going to or from a database server. It cuts out everything else. When a web application is slow and you suspect the database, this filter gives you an immediate look at what is happening.
4. Save Captures to a File with tcpdump command
Live output is useful, but most real work happens offline. Tcpdump can write captured packets to a file that you can analyze later or share with a colleague:
sudo tcpdump -i eth0 -w capture.pcap
The -w flag writes to a pcap file. This is the standard format that Wireshark, tshark, and other tools read. You can let it run for a few minutes, stop it, and then inspect the results methodically instead of watching packets fly by in real time.
Use -C to split captures into multiple files of a specific size:
sudo tcpdump -i eth0 -w capture.pcap -C 100
That creates 100MB chunks named capture.pcap, capture.pcap1, capture.pcap2 and so on. Handy for long captures where one file would grow too big.
5. Read Capture Files with tcpdump command
Reading a saved capture is just as easy as writing one. You use -r instead of -i:
tcpdump -r capture.pcap
You can apply any filter to a saved capture just like you would to live traffic. This is where tcpdump really shines. Capture everything first, then filter later. You never miss something because you set the wrong filter upfront.
tcpdump -r capture.pcap host 10.0.0.5 and port 22
That reads the capture file but only shows SSH traffic to or from 10.0.0.5. All the other packets in the file stay hidden.
6. Filter by Protocol with tcpdump command
Sometimes you need to isolate traffic by protocol, not just host or port. Tcpdump understands common protocol names:
sudo tcpdump -i eth0 icmp
sudo tcpdump -i eth0 arp
sudo tcpdump -i eth0 udp
The ICMP filter is useful for checking if ping packets are actually reaching a machine. The ARP filter helps when you suspect IP conflicts or layer 2 issues. These protocol filters work well combined with other conditions:
sudo tcpdump -i eth0 icmp and host 192.168.1.1
7. Limit Packet Count with tcpdump command
When you only need to see a handful of packets, use the -c flag. Tcpdump will stop automatically after capturing that many packets:
sudo tcpdump -i eth0 -c 10 port 53
This captures 10 DNS packets and exits. I use this constantly when I want a quick sample without manually hitting Ctrl+C. It also works great in scripts. You can run a capture, grab N packets, and process the output without worrying about an infinite loop.
8. Display Packet Contents in ASCII
The default tcpdump output shows headers but not the packet payload. To see the actual data being sent, use -A for ASCII or -X for hex and ASCII:
sudo tcpdump -i eth0 -A port 80
sudo tcpdump -i eth0 -X port 443
The -A flag prints each packet’s payload in plain text. Good for inspecting HTTP requests and responses. The -X flag gives you a hex dump alongside the ASCII, which is useful when you need to see raw bytes. I use the tcpdump command with -A when debugging web APIs and -X when looking at custom protocols or encrypted handshakes.
9. Capture DNS Traffic with tcpdump command
DNS issues are incredibly common and often hard to diagnose. The port 53 filter gives you a direct view of every DNS query and response on your network:
sudo tcpdump -i eth0 -n port 53
The -n flag prevents tcpdump from resolving hostnames. You want this because DNS resolution itself creates network traffic that pollutes your capture. With this command you can see exactly which domains each machine is querying, how long the responses take, and whether any queries are failing.
I once used this to catch a misconfigured Pi-hole that was dropping all NXDOMAIN responses. The issue was invisible to ping and curl, but tcpdump showed the DNS server returning results and the Pi-hole silently swallowing them.
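The raw output of the command above is easy to post-process. The following POSIX shell script is an added example, not part of the original post: it reads tcpdump's default DNS text format (as produced by `tcpdump -n port 53`) and reports queries per client, the number of NXDomain answers, and queries that never got a response, matching each query to its reply on the client socket plus DNS transaction id. The sample lines are constructed to mimic that format and are not a real capture; feed it live output with `sudo tcpdump -i eth0 -n -l port 53` instead.

```shell
#!/bin/sh
# Added example: summarise `tcpdump -n port 53` text output with POSIX awk.
# SAMPLE_DNS is constructed to mimic tcpdump's DNS line format; it is not a
# real capture. One query below (id 7 from 192.168.1.20) deliberately has no
# reply so the "unanswered" report has something to show.
SAMPLE_DNS='12:00:01.000100 IP 192.168.1.10.52344 > 192.168.1.1.53: 12345+ A? example.com. (29)
12:00:01.000900 IP 192.168.1.1.53 > 192.168.1.10.52344: 12345 1/0/0 A 93.184.216.34 (45)
12:00:02.000100 IP 192.168.1.10.52345 > 192.168.1.1.53: 12346+ A? nosuch.example. (32)
12:00:02.000600 IP 192.168.1.1.53 > 192.168.1.10.52345: 12346 NXDomain 0/1/0 (90)
12:00:03.000100 IP 192.168.1.20.40001 > 192.168.1.1.53: 7+ AAAA? example.com. (29)
12:00:03.000100 IP 192.168.1.20.40002 > 192.168.1.1.53: 8+ A? nosuch.example. (32)
12:00:03.000700 IP 192.168.1.1.53 > 192.168.1.20.40002: 8 NXDomain 0/1/0 (90)'

# Queries per client IP. Field 3 is the source socket "ip.port"; field 7 is
# the record type, which carries a trailing "?" only on query lines.
dns_queries_per_client() {
    printf '%s\n' "$1" | awk '
        $7 ~ /\?$/ { c = $3; sub(/\.[0-9]+$/, "", c); n[c]++ }
        END { for (c in n) print c, n[c] }' | sort
}

# Number of NXDomain answers seen (field 7 on response lines is the rcode
# text when the answer is an error).
dns_nxdomain_count() {
    printf '%s\n' "$1" | awk '$7 == "NXDomain" { n++ } END { print n + 0 }'
}

# Queries that never received a reply. A reply is matched to its query on
# (client socket, transaction id): the query's source socket must equal the
# reply's destination socket, and the ids (digits only, flag suffixes like
# "+" or "*" stripped) must agree.
dns_unanswered() {
    printf '%s\n' "$1" | awk '
        $7 ~ /\?$/ { id = $6; gsub(/[^0-9]/, "", id); q[$3 " " id] = $8; next }
        { d = $5; sub(/:$/, "", d); id = $6; gsub(/[^0-9]/, "", id); r[d " " id] = 1 }
        END { for (k in q) if (!(k in r)) print k, q[k] }' | sort
}

# Stand-alone run against the constructed sample.
echo "queries per client:"
dns_queries_per_client "$SAMPLE_DNS"
printf 'NXDomain answers: %s\n' "$(dns_nxdomain_count "$SAMPLE_DNS")"
echo "unanswered queries (client socket, id, name):"
dns_unanswered "$SAMPLE_DNS"
```

The unanswered-query check is the part that would have surfaced the Pi-hole problem described above: a forwarder that receives an answer but never relays it shows up as a query with no matching reply on the client side of the capture.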
10. Advanced Filter Combinations with tcpdump command
Tcpdump supports complex Boolean expressions that let you build surgical filters. You can combine host, port, protocol, and even packet flags in a single command:
sudo tcpdump -i eth0 'tcp[tcpflags] & tcp-syn != 0 and tcp[tcpflags] & tcp-ack == 0 and port 22'
That filter shows only SYN packets on SSH port 22, which are the start of new SSH connections. It hides the established connection traffic. This kind of raw flag filtering is useful when you are investigating port scans or connection floods.
Here is a simpler practical example that shows TCP resets, often a sign of connection problems:
sudo tcpdump -i eth0 'tcp[tcpflags] & tcp-rst != 0'
TCP RST packets mean a connection was dropped abruptly. Seeing a lot of them from one IP usually points to a firewall rule or a service that is refusing connections.
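To turn the two flag filters above into something you can act on, the counts per source IP are what matter. The script below is an added example, not code from the original post: it parses tcpdump's text output (the `Flags [S]`, `Flags [S.]`, `Flags [R.]` field), counts bare-SYN and RST packets per source address, and flags any source whose bare-SYN count reaches a threshold, which is the "many new connections from one IP" pattern the section describes. The sample lines are constructed to match that format and are not a real capture; the threshold value is an arbitrary assumption for the demonstration.

```shell
#!/bin/sh
# Added example: per-source counts of bare SYN and RST packets from tcpdump
# text output. SAMPLE_TCP is constructed to mimic tcpdump's "Flags [..]"
# format; it is not a real capture. 203.0.113.9 sends three bare SYNs to
# three ports and gets two RSTs back; 192.168.1.50 opens one normal session.
SAMPLE_TCP='12:00:00.000100 IP 203.0.113.9.40000 > 10.0.0.5.22: Flags [S], seq 1, win 1024, length 0
12:00:00.000200 IP 203.0.113.9.40001 > 10.0.0.5.23: Flags [S], seq 1, win 1024, length 0
12:00:00.000300 IP 203.0.113.9.40002 > 10.0.0.5.80: Flags [S], seq 1, win 1024, length 0
12:00:00.000400 IP 10.0.0.5.23 > 203.0.113.9.40001: Flags [R.], seq 0, ack 2, win 0, length 0
12:00:00.000500 IP 10.0.0.5.80 > 203.0.113.9.40002: Flags [R.], seq 0, ack 2, win 0, length 0
12:00:00.000600 IP 10.0.0.5.22 > 203.0.113.9.40000: Flags [S.], seq 100, ack 2, win 64240, length 0
12:00:01.000000 IP 192.168.1.50.50000 > 10.0.0.5.22: Flags [S], seq 5, win 64240, length 0'

# Count packets per source IP whose bracketed flag field (field 7) matches.
#   mode "only": the flag field is exactly "[f],"  (e.g. bare SYN, no ACK)
#   mode "any":  the flag letter appears anywhere   (e.g. RST with or without ACK)
# Field 3 is the source socket "ip.port"; the port suffix is stripped.
count_by_source() {
    printf '%s\n' "$3" | awk -v mode="$1" -v f="$2" '
        $6 != "Flags" { next }
        (mode == "only" && $7 == "[" f "],") || (mode == "any" && index($7, f) > 0) {
            s = $3; sub(/\.[0-9]+$/, "", s); n[s]++
        }
        END { for (s in n) print s, n[s] }' | sort
}

# Bare SYNs: the first packet of a client connection attempt ("[S]," only,
# so SYN-ACK replies "[S.]," are not counted).
syn_only_by_source() { count_by_source only S "$1"; }

# Any packet with the RST bit set ("[R]," or "[R.],").
rst_by_source() { count_by_source any R "$1"; }

# Sources whose bare-SYN count reaches threshold $2; prints "ip count".
flag_syn_sources() {
    syn_only_by_source "$1" | awk -v t="$2" '$2 >= t'
}

# Stand-alone run against the constructed sample. The threshold of 3 is an
# arbitrary value chosen for the demonstration.
echo "bare SYNs per source:"
syn_only_by_source "$SAMPLE_TCP"
echo "RSTs per source:"
rst_by_source "$SAMPLE_TCP"
echo "sources at or above 3 bare SYNs:"
flag_syn_sources "$SAMPLE_TCP" 3
```

For live use, pipe tcpdump in with `-n` (no name resolution) and `-l` (line-buffered output so the pipe does not wait for a full block), for example `sudo tcpdump -i eth0 -n -l 'tcp[tcpflags] & (tcp-syn|tcp-rst) != 0'`, and pass the collected text to the functions. The `count_by_source` helper takes the flag letter as data rather than as a regex so that no backslash escapes have to survive awk's `-v` processing.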
Wrapping Up
Tcpdump is one of those tools that looks intimidating until you start using it regularly. The basics are simple: pick an interface, set a filter, and look at the packets. Everything else builds on that foundation.
If you work with network security or Linux administration, tcpdump should be in your daily toolkit. Pair it with Nmap for network discovery and Wazuh for security monitoring to build a solid foundation for understanding what is happening on your network. I also recommend checking out SQLMap for web application testing if you are interested in the security side of things.
For more advanced reading, the official tcpdump man page is thorough and well written. The HackerTarget tcpdump examples page has 22 practical commands worth bookmarking. The Red Hat guide to the tcpdump command is another solid resource that covers troubleshooting workflows.