tcpdump Examples – 55 Commands for Network Packet Analysis

tcpdump examples showcase the power of command-line packet analysis for network professionals. This comprehensive guide demonstrates 55 practical commands for capturing and analysing network traffic, from basic packet capture to advanced filtering techniques used by hackers, cybersecurity professionals and network administrators alike.

Understanding tcpdump Fundamentals

tcpdump serves as the premier command-line packet analyser for Unix-like systems. Network administrators and security professionals rely on these tcpdump examples to capture and inspect network traffic in real-time. Whether you’re troubleshooting connectivity issues, monitoring security threats, or analysing application behaviour, mastering tcpdump examples proves invaluable for technical roles.

The beauty of tcpdump lies in its combination of power and simplicity. Unlike graphical tools like nmap, tcpdump operates entirely from the command line, making it perfect for remote administration and automated monitoring scripts. This lightweight approach allows you to analyse network traffic on systems with minimal resources.

Basic Syntax and Structure

Every tcpdump command follows a consistent pattern that makes learning the tool straightforward:

tcpdump [options] [expression]

The options modify tcpdump’s behaviour, such as specifying which network interface to monitor or determining the output format. Expressions define what type of traffic to capture, allowing you to specify hostnames, IP addresses, ports, protocols, and other filtering criteria.

Before diving into specific examples, understanding how to identify available network interfaces helps ensure you’re monitoring the correct traffic:

tcpdump -D

This command lists all available network interfaces on your system, displaying both their names and descriptions.

Essential Traffic Capture Techniques

Capturing Traffic on Specific Interfaces

To monitor all traffic on a particular interface, use the -i flag followed by the interface name:

tcpdump -i eth0

For wireless interfaces, simply substitute the appropriate interface name:

tcpdump -i wlan0

Host-Based Traffic Filtering

Capturing traffic to or from specific hosts forms the foundation of targeted network analysis. Use the host keyword to monitor all traffic associated with a particular IP address or hostname:

tcpdump host 192.168.1.100

This captures both incoming and outgoing traffic for the specified host. For domain names, tcpdump automatically resolves them to IP addresses:

tcpdump host example.com

Port-Specific Traffic Monitoring

Network services operate on specific ports, making port-based filtering essential for application troubleshooting. Monitor traffic on any port using:

tcpdump port 80

Common ports you’ll frequently monitor include:

• Port 80 (HTTP)
• Port 443 (HTTPS)
• Port 22 (SSH)
• Port 21 (FTP)
• Port 25 (SMTP)
• Port 53 (DNS)

Advanced Filtering Capabilities

Combining Multiple Filters

tcpdump examples become more powerful when combining filters using logical operators. The and, or, and not operators enable precise traffic isolation:

tcpdump host 192.168.1.100 and port 80

For more complex scenarios, use parentheses to group conditions:

tcpdump src host 192.168.1.100 and \( port 80 or port 443 \)

Protocol-Based Filtering

Filter traffic by protocol to focus on specific types of network communication:

tcpdump tcp
tcpdump udp
tcpdump icmp

Directional Traffic Analysis

Understanding traffic flow direction helps identify communication patterns. Use src and dst keywords to filter by source or destination:

tcpdump src host 192.168.1.100
tcpdump dst port 443

Network Range Filtering

Monitor entire network segments using CIDR notation:

tcpdump net 192.168.1.0/24

This captures all traffic within the specified network range, useful for monitoring subnet-wide activity.

File Operations and Output Management

Saving Captured Traffic

Preserve network captures for later analysis using the -w flag:

tcpdump -w capture.pcap -i eth0

Saved capture files can be analysed later using tcpdump or imported into graphical tools like Wireshark for detailed inspection.

Reading Saved Captures

Analyse previously captured traffic using the -r flag:

tcpdump -r capture.pcap

Controlling Output Verbosity

Adjust the level of detail in tcpdump output using verbosity flags:

• -v: Verbose output
• -vv: More verbose output
• -vvv: Maximum verbosity

tcpdump -vv -i eth0

55 Practical tcpdump Examples

Here are 55 essential tcpdump examples for various network analysis scenarios:

Basic Interface Monitoring

1. tcpdump -i eth0 – Capture all traffic on eth0
2. tcpdump -i wlan0 – Capture all traffic on wlan0
3. tcpdump -i any – Capture traffic on all interfaces

Host-Based Filtering

4. tcpdump host 192.168.1.100 – Traffic to/from specific IP
5. tcpdump host example.com – Traffic to/from domain name
6. tcpdump not host 192.168.1.100 – Exclude specific host

Port-Based Filtering

7. tcpdump port 80 – HTTP traffic
8. tcpdump port 443 – HTTPS traffic
9. tcpdump port 22 – SSH traffic
10. tcpdump port 21 – FTP traffic
11. tcpdump port 25 – SMTP traffic
12. tcpdump port 53 – DNS traffic
13. tcpdump portrange 80-443 – Traffic in port range

Directional Filtering

14. tcpdump src host 192.168.1.100 – Traffic from specific host
15. tcpdump dst host 192.168.1.100 – Traffic to specific host
16. tcpdump src port 80 – Traffic from port 80
17. tcpdump dst port 443 – Traffic to port 443
18. tcpdump src portrange 1024-5000 – Traffic from port range

Protocol Filtering

19. tcpdump tcp – All TCP traffic
20. tcpdump udp – All UDP traffic
21. tcpdump icmp – All ICMP traffic
22. tcpdump arp – All ARP traffic

Network Range Filtering

23. tcpdump net 192.168.1.0/24 – Traffic within network
24. tcpdump src net 192.168.1.0/24 – Traffic from network
25. tcpdump dst net 192.168.1.0/24 – Traffic to network
26. tcpdump not net 192.168.1.0/24 – Traffic outside network

Combined Filters

27. tcpdump dst host 192.168.1.100 and dst port 80 – Specific host and port
28. tcpdump src host 192.168.1.100 and src port 443 – Source host and port
29. tcpdump host 192.168.1.100 and \( port 80 or port 443 \) – Host with multiple ports
30. tcpdump tcp and src net 192.168.1.0/24 and dst port 22 – Complex combination

Exclusion Filters

31. tcpdump not icmp – All traffic except ICMP
32. tcpdump not port 80 – All traffic except port 80
33. tcpdump not src host 192.168.1.100 – Exclude source host

TCP Flag Filtering

34. tcpdump 'tcp[tcpflags] & tcp-syn != 0' – SYN packets
35. tcpdump 'tcp[tcpflags] & tcp-ack != 0' – ACK packets
36. tcpdump 'tcp[tcpflags] & tcp-rst != 0' – RST packets
37. tcpdump 'tcp[tcpflags] & tcp-fin != 0' – FIN packets
38. tcpdump 'tcp[tcpflags] & tcp-urg != 0' – URG packets
39. tcpdump 'tcp[tcpflags] & tcp-push != 0' – PSH packets
40. tcpdump 'tcp[tcpflags] = 0x01' – Only SYN flag
41. tcpdump 'tcp[tcpflags] = 0x00' – No flags set
42. tcpdump 'tcp[tcpflags] = 0x12' – SYN-ACK packets
43. tcpdump 'tcp[tcpflags] = 0x14' – RST-ACK packets
44. tcpdump 'tcp[tcpflags] = 0x11' – FIN-ACK packets
45. tcpdump 'tcp[tcpflags] = 0x18' – PSH-ACK packets

Advanced IP Filtering

46. tcpdump 'ip[6:2] & 0x1fff != 0' – Fragmented packets
47. tcpdump 'ip[8] = 128' – Specific TTL value
48. tcpdump 'ip[1] & 0xfc >> 2 = 46' – DSCP value
49. tcpdump 'ip[1] & 0x03 = 3' – ECN bits
50. tcpdump 'ip[9] = 6' – TCP protocol packets

TCP Sequence Analysis

46. tcpdump 'tcp[4:4] = 12345678' – Specific sequence number
47. tcpdump 'tcp[8:4] = 87654321' – Specific acknowledgment number

Port Range Filtering

48. tcpdump 'tcp[0:2] > 1023 and tcp[0:2] < 65536' – Source port range
49. tcpdump 'tcp[2:2] > 1023 and tcp[2:2] < 65536' – Destination port range

Additional Examples

50. tcpdump -n host 192.168.1.100 – Disable name resolution
51. tcpdump -s 0 -i eth0 – Capture full packet length
52. tcpdump -c 100 -i eth0 – Capture only 100 packets
53. tcpdump -A -i eth0 – Display packet contents in ASCII
54. tcpdump -X -i eth0 – Display packet contents in hex and ASCII
55. tcpdump -e -i eth0 – Show link-level header information

Optimising Network Analysis Workflow

tcpdump examples work best when incorporated into a systematic workflow. Consider these best practices:

Performance Considerations: When capturing high-volume traffic, write directly to disk using the -w flag rather than displaying packets in real-time. This prevents packet loss during intensive capture sessions.

Security Analysis: Combine tcpdump with other tools for comprehensive security monitoring. Export captures to Wireshark for detailed protocol analysis or integrate with intrusion detection systems for automated threat detection.

Troubleshooting Methodology: Start with broad filters and progressively narrow your focus. Begin by capturing all traffic on an interface, then filter by host, port, or protocol as you identify patterns.

Documentation: Always document your capture filters and analysis findings. Include timestamps, filter expressions, and observed behaviours for future reference.

Advanced Techniques for Network Professionals

Berkeley Packet Filter Syntax

Master tcpdump commands at an advanced level by understanding Berkeley Packet Filter (BPF) syntax. This enables precise packet matching based on any field within the protocol headers:

tcpdump 'tcp[20:2] = 0x4745' -A

This example captures HTTP GET requests by matching the ASCII values at specific TCP payload offsets.

Performance Tuning

Optimise capture performance for high-speed networks:

• Use -B to increase buffer size
• Apply filters at capture time to reduce processing overhead
• Consider using -n to disable DNS lookups during capture

Integration with Analysis Tools

Export tcpdump data for advanced analysis:

• Convert to various formats using editcap
• Stream to analysis tools using pipes
• Integrate with log management systems for correlation

Conclusion

Mastering tcpdump examples empowers network professionals to diagnose issues quickly, monitor security threats effectively, and understand network behaviour comprehensively. These 55 practical tcpdump examples provide a solid foundation for network packet analysis, from basic traffic capture to advanced filtering techniques.

Regular practice with tcpdump enhances your ability to troubleshoot complex network issues and identify security anomalies. As networks grow increasingly complex, proficiency with command-line packet analysis tools becomes ever more valuable for maintaining robust and secure network infrastructure.

Remember that tcpdump represents just one tool in the network analyst’s toolkit. Combine it with other monitoring and analysis tools just nmap to build a comprehensive understanding of your network environment. Continue exploring advanced filtering techniques and protocol analysis to expand your network troubleshooting capabilities.