Sometimes when you’re troubleshooting network applications, it’s nice to be able to just reach in and see exactly what is being sent or received on the interface.

I’ve used tcpdump to debug firewall issues, reverse engineer proprietary protocols, watch DHCP traffic, and countless other things. I figured it was high time to keep a running list of examples so I can save myself some googling. Further, you can benefit from my examples and learn more about tcpdump and networking in general.

Basically, tcpdump lets you filter and inspect traffic. There are plenty of ways to filter, which is what makes tcpdump so powerful.

Getting started (Interface, Host, Network selection)

If we just wanted the very basic, we could dump all traffic on any interface:

tcpdump -i any

You’ll likely be quickly overwhelmed, so we’ll want to add some options and filters to focus in on what we want. First, let’s stick to one interface.

tcpdump -i eth0

That’s probably not going to do much to stem the tide, so let’s take it further. Say we only wanted to see traffic between our host, and another host on the LAN called zippy:

tcpdump -i eth0 host zippy

Now I’ll only see traffic going to or from zippy on my eth0 interface. I know my packets are hitting zippy, but I don’t seem to get a response, so I’ll filter just for packets coming from zippy:

tcpdump -i eth0 src zippy

My roommate is kind of a stickler about troubleshooting and begged me to confirm that the packets are actually getting sent to zippy, as I contend above. I decided to humor him, filtering only for packets going to zippy:

tcpdump -i eth0 dst zippy

One could ask why we didn’t just use host and look at the traffic, but then we wouldn’t have been able to teach you about src and dst.

But what if we wanted to look at all of the hosts on the LAN, but nothing going out to or coming in from the Internet?

tcpdump -i eth0 net 192.168.1.0/24

With the net primitive I can reference multiple hosts at once (give it the network address, 192.168.1.0/24, not a host address: libpcap rejects a net whose host bits are set with a “non-network bits set” error). There are accompanying src net and dst net primitives too:

tcpdump -i eth0 src net 192.168.1.0/24

Technically, src and dst are equivalent to src host and dst host.

What if we want to track traffic from the LAN to a specific Internet host?

tcpdump -i eth0 src net 192.168.1.0/24 and dst google.com

Moving Up (Ports)

So, now that you have the hang of hosts and networks, let’s dig in a bit deeper. Maybe we only want to see SSH traffic:

tcpdump -i eth0 port 22

Note, you can also refer to ports by their names from /etc/services:

tcpdump -i eth0 port ssh

Maybe we want to monitor DHCP traffic:

tcpdump -i eth0 port 67 or 68

# or jack up the verbosity and print out details:

tcpdump -i eth0 -vvv -s 1500 '(port 67 or 68)'
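The net and port examples above compose well into small shell helpers. The following is example code added to this article (not part of tcpdump or the original post); it normalizes a CIDR so that the net primitive accepts it, joins filter terms with explicit parentheses, and runs a bounded capture to a pcap file. Interface names, packet counts and file paths are assumed to be caller-supplied; 192.168.1.0/24, zippy and the DHCP ports are the article’s own sample values.

```shell
#!/bin/sh
# Helpers for composing the article's filters and running bounded captures.
# Example code added to this article, not part of tcpdump or the original post.
# Assumptions: interface names, packet counts and file paths are caller-supplied;
# 192.168.1.0/24, zippy and the DHCP ports are the article's own sample values.

# normalize_cidr ADDR/LEN : clear the host bits, because libpcap rejects
# "net 192.168.1.1/24" with "non-network bits set" but accepts 192.168.1.0/24.
normalize_cidr() {
    addr=${1%/*}; len=${1#*/}
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    ip=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    mask=$(( len == 0 ? 0 : (4294967295 << (32 - len)) & 4294967295 ))
    net=$(( ip & mask ))
    printf '%d.%d.%d.%d/%d' $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 )) $(( net & 255 )) "$len"
}

# join_filter OP TERM... : combine non-empty terms with OP, parenthesising each
# so that mixed "and"/"or" groups read the way they were intended.
join_filter() {
    op=$1; shift; out=""
    for term in "$@"; do
        [ -n "$term" ] || continue
        if [ -z "$out" ]; then out="($term)"; else out="$out $op ($term)"; fi
    done
    printf '%s' "$out"
}

# lan_to_host_filter CIDR HOST : the article's "LAN to a specific Internet host" case
lan_to_host_filter() {
    join_filter and "src net $(normalize_cidr "$1")" "dst host $2"
}

# dhcp_filter : both DHCP ports, spelled out instead of the "port 67 or 68" shorthand
dhcp_filter() { join_filter or "port 67" "port 68"; }

# capture IFACE COUNT OUTFILE FILTER : stop after COUNT packets, write raw packets
# to a pcap file, and skip name/port lookups (-nn) so the capture itself does not
# generate DNS traffic on the interface being watched.
capture() {
    iface=$1; count=$2; outfile=$3; shift 3
    tcpdump -i "$iface" -nn -s 0 -c "$count" -w "$outfile" "$@"
}

# replay FILE FILTER : re-read a saved capture with the same filter syntax
replay() { tcpdump -nn -vvv -r "$1" "$2"; }
```

A typical call is `capture eth0 50 dhcp.pcap "$(dhcp_filter)"` followed by `replay dhcp.pcap "$(dhcp_filter)"`; the filter functions themselves need no privileges and can be checked in isolation.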

Conclusion

tcpdump is a great tool to have in your networking toolbox. It runs on Linux and Mac OS X (and probably Windows w/ Cygwin), so you’ll generally always be able to get your hands on it when you need it. If you can’t, the PCAP filtering syntax above is used by countless other tools, including Wireshark, which is also available on many platforms.

I’ll likely add to this article in the future, but this is it as of September, 2020.