tcpdump Examples
Sometimes when you’re troubleshooting network applications, it’s nice to be able to just reach in and see exactly what is being sent or received on the interface.
I’ve used tcpdump to debug firewall issues, reverse engineer proprietary protocols, watch DHCP traffic, and countless other things. I figured it was high time to keep a running list of examples so I can save myself some googling. Further, you can benefit from my examples and learn more about tcpdump and networking in general.
Basically, tcpdump lets you filter and inspect traffic. There are plenty of ways to filter, which is what makes tcpdump so powerful.
Basic Filtering (Interface, Host, Network selection)
Dump all traffic on any interface
tcpdump -i any
Filter by interface
You’ll likely be quickly overwhelmed, so we’ll want to add some options and filters to focus in on what we want. First, let’s stick to one interface.
tcpdump -i eth0
Filter by host
That’s probably not going to do much to stem the tide, so let’s take it further. Say we only wanted to see traffic between our host and another host on the LAN called zippy:
tcpdump -i eth0 host zippy
Filter by source host
Now I’ll only see traffic going to or from zippy on my eth0 interface. I know my packets are hitting zippy, but I don’t seem to get a response, so I’ll filter just for packets coming from zippy:
tcpdump -i eth0 src zippy
Filter by destination host
My roommate is kind of a stickler about troubleshooting and begged me to confirm that the packets are actually getting sent to zippy, as I contend above. I decided to humor him, filtering only for packets going to zippy:
tcpdump -i eth0 dst zippy
One could ask why we didn’t just use host and look at the traffic, but then we wouldn’t have been able to teach you about src and dst.
Filter by network or subnet
But what if we wanted to look at all of the hosts on the LAN, but nothing else going out or coming in from the Internet?
tcpdump -i eth0 net 192.168.1.0/24
Filter by source network or subnet
With the net primitive I can reference multiple hosts at once. There are accompanying src net and dst net primitives too:
tcpdump -i eth0 src net 192.168.1.0/24
Technically, src and dst are equivalent to src host and dst host.
Filter by source network, and destination host
tcpdump -i eth0 src net 192.168.1.0/24 and dst google.com
Port Level Filtering
Filter by port
So, now that you have the hang of hosts and networks, let’s dig in a bit deeper. Maybe we only want to see SSH traffic:
tcpdump -i eth0 port 22
Filter by named port
Note, you can also refer to ports by their names from /etc/services:
tcpdump -i eth0 port ssh
Dump DHCP traffic
Maybe we want to monitor DHCP traffic:
tcpdump -i eth0 port 67 or 68
# or jack up the verbosity and print out details:
tcpdump -i eth0 -vvv -s 1500 '(port 67 or 68)'
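As an added example (not from the original article), here is a small POSIX sh helper that assembles the host, net and port filters from the sections above and writes the capture to a file. It masks the host bits off a CIDR, because libpcap rejects a net like 192.168.1.1/24 with "non-network bits set" and wants 192.168.1.0/24, and it parenthesizes the port clause so that "or" does not swallow the "and". Interface, output path and host names are placeholders.

```sh
#!/bin/sh
# Added example, not part of the original article. Builds tcpdump filter
# expressions from the primitives above and runs a capture to a file.
# Interface, output path and host names below are placeholders.

# Mask the host bits off an IPv4 CIDR: libpcap rejects "net 192.168.1.1/24"
# ("non-network bits set"), so 192.168.1.1/24 becomes 192.168.1.0/24.
# A bare host name or address (no "/") is passed through unchanged.
net_cidr() {
    case "$1" in */*) ;; *) printf '%s\n' "$1"; return 0 ;; esac
    ip=${1%/*}; len=${1#*/}
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    addr=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    net=$(( addr & mask ))
    printf '%d.%d.%d.%d/%d\n' $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 )) $(( net & 255 )) "$len"
}

# build_filter SRC_NET DST_HOST PORTS -> filter expression; pass "" to skip a
# part. Plain "net X" matches packets with either endpoint in X, so the one-
# direction "src net" is used here. The port clause is parenthesized because
# "and" binds tighter than "or": "src net X and port 67 or 68" would match
# every packet on port 68, from any network.
build_filter() {
    f=''
    [ -n "$1" ] && f="src net $(net_cidr "$1")"
    [ -n "$2" ] && f="${f:+$f and }dst host $2"
    [ -n "$3" ] && f="${f:+$f and }(port $3)"
    printf '%s\n' "$f"
}

# capture IFACE OUTFILE FILTER: -nn skips name and port lookups (so the
# capturing box sends no DNS queries of its own while you watch), -s 0 keeps
# whole packets, -w writes a pcap you can replay later with "tcpdump -nn -r FILE".
capture() {
    tcpdump -i "$1" -nn -s 0 -w "$2" "$3"
}

# Example invocation (needs root and a real interface):
#   capture eth0 /tmp/dhcp.pcap "$(build_filter 192.168.1.1/24 '' '67 or 68')"
```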
Conclusion
tcpdump is a great tool to have in your networking toolbox. It runs on Linux and Mac OS X (and probably Windows w/ Cygwin), so you’ll generally always be able to get your hands on it when you need it. If you can’t, the PCAP filtering syntax above is used by countless other tools, including Wireshark, which is also available on many platforms.
I’ll likely add to this article in the future, but this is it as of September, 2020.