- Basic Filtering (Interface, Host, Network selection)
- Port Level Filtering
Sometimes when you’re troubleshooting network applications, it’s nice to be able to just reach in and see exactly what is being sent or received on the interface.
I have used tcpdump to debug firewall issues, reverse engineer proprietary protocols, watch DHCP traffic, and countless other things. I figured it was high time to keep a running list of examples so I can save myself some googling. You can also benefit from my examples and learn more about tcpdump and networking in general.
tcpdump lets you filter and inspect traffic. There are plenty of ways to filter, which is what makes tcpdump so powerful.
Basic Filtering (Interface, Host, Network selection)
Dump all traffic on any interface
tcpdump -i any
Filter by interface
You’ll likely be quickly overwhelmed, so we’ll want to add some options and filters to focus in on what we want. First, let’s stick to one interface.
tcpdump -i eth0
Filter by host
That’s probably not going to do much to stem the tide, so let’s take it further. Say we only wanted to see traffic between our host and another host on the LAN called zippy:
tcpdump -i eth0 host zippy
Filter by source host
Now I’ll only see traffic going to or from zippy on my eth0 interface. I know my packets are hitting zippy, but I don’t seem to get a response, so I’ll filter just for packets coming from zippy:
tcpdump -i eth0 src zippy
Filter by destination host
My roommate is kind of a stickler about troubleshooting and begged me to confirm that the packets are actually getting sent to
zippy, as I contend above. I decided to humor him, filtering only for packets going to zippy:
tcpdump -i eth0 dst zippy
One could ask why we didn’t just use host and look at the traffic, but then we wouldn’t have been able to teach you about dst.
Filter by network or subnet
But what if we wanted to look at all of the hosts on the LAN, but nothing else going out or coming in from the Internet?
tcpdump -i eth0 net 192.168.1.0/24
Note that the host bits of a net/len primitive must be zero: libpcap rejects net 192.168.1.1/24 with a "non-network bits set" error, so write the network address, not a host address.
Filter by source network or subnet
With the net primitive I can reference multiple hosts at once. There are accompanying src net and dst net primitives too:
tcpdump -i eth0 src net 192.168.1.0/24
Note that src and dst on their own are shorthand for src host and dst host; if no host/net/port qualifier is given, host is assumed.
Filter by source network, and destination host
tcpdump -i eth0 src net 192.168.1.0/24 and dst google.com
A caveat when using a hostname in a filter: it is resolved once, when tcpdump compiles the filter, so only the addresses DNS returned at that moment are matched. If the name resolves to a different address later, those packets will not show up.
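Because libpcap refuses a net/len primitive with host bits set, it helps to normalize a CIDR before it reaches the command line. The following is an added example, not code from the original post: two hypothetical POSIX shell helpers, normalize_net, which clears the host bits of an IPv4 CIDR (and rejects malformed input), and tcpdump_net_cmd, which builds the net, src net or dst net command lines shown above. The command is printed rather than executed, so it can be checked without root.

```shell
#!/bin/sh
# Added example (not from the original post): helpers that build the
# `net` filter expressions shown above. libpcap refuses a net/len
# primitive whose host bits are set ("non-network bits set in ..."),
# so normalize_net clears them before the expression reaches tcpdump.
# Hypothetical helper names: normalize_net, tcpdump_net_cmd.

# normalize_net A.B.C.D/LEN -> prints the network address with host bits
# cleared, e.g. 192.168.1.1/24 -> 192.168.1.0/24.
# Returns 1 (prints nothing) on malformed input.
normalize_net() {
    addr=${1%/*}
    len=${1#*/}
    [ "$addr" != "$1" ] || return 1            # no "/LEN" part
    case "$len" in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1

    oldifs=$IFS
    IFS=.
    set -- $addr                               # split into octets
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        # digits only, no leading zeros (sh would read 08 as octal), <= 255
        case "$o" in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done

    ip=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    if [ "$len" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    fi
    net=$(( ip & mask ))
    printf '%d.%d.%d.%d/%d\n' \
        $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 ))  $(( net & 255 )) "$len"
}

# tcpdump_net_cmd IFACE CIDR [src|dst] -> prints the tcpdump command line
# (printed rather than run, so it can be reviewed before needing root).
tcpdump_net_cmd() {
    iface=$1
    cidr=$(normalize_net "$2") || return 1
    dir=${3:-}
    printf 'tcpdump -i %s %s%snet %s\n' "$iface" "$dir" "${dir:+ }" "$cidr"
}
```

Usage: `tcpdump_net_cmd eth0 192.168.1.1/24 src` prints `tcpdump -i eth0 src net 192.168.1.0/24`; pipe that into sh (as root) once you are happy with it. The helper deliberately validates octet ranges and the prefix length rather than trusting the caller, since a bad filter is only reported by tcpdump after it has already opened the interface.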
Port Level Filtering
Filter by port
So, now that you have the hang of hosts and networks, let’s dig in a bit deeper. Maybe we only want to see SSH traffic:
tcpdump -i eth0 port 22
Filter by named port
Note that you can also refer to ports by their names from /etc/services:
tcpdump -i eth0 port ssh
Dump DHCP traffic
Maybe we want to monitor DHCP traffic:
tcpdump -i eth0 port 67 or 68
# or jack up the verbosity and print out details (the parentheses are quoted so the shell does not interpret them):
tcpdump -i eth0 -vvv -s 1500 '(port 67 or 68)'
tcpdump is a great tool to have in your networking toolbox. It runs on Linux and Mac OS X (and probably Windows w/ Cygwin), so you’ll generally always be able to get your hands on it when you need it. If you can’t, the pcap filter syntax above is used by countless other tools, including Wireshark, which is also available on many platforms.
I’ll likely add to this article in the future, but this is it as of September, 2020.