Linux Commands

Tcpdump command examples and tutorial

If your work mostly depends upon the internet, then having network issues is very common. Resolving and troubleshooting these network issues is a challenging task. In such a situation “tcpdump” tool gets into the game.

The “tcpdump” is a packet analyzer and used to diagnose and analyze network issues. It captures the network traffic going through your device and looks over it. The “tcpdump” tool is a powerful tool to troubleshoot network issues. It comes with many options, which makes it a versatile command-line utility to fix network issues.

This post is a detailed guide about the “tcpdump” utility that includes its installation, common features, and usage with different options. Let’s start with the installation:

How to install “tcpdump”:

In many distributions, the “tcpdump” comes out of the box, and to check it, use:

$which tcpdump

If it is not found in your distribution, then install it using:

$sudo apt install tcpdump

The above command will be used for Debian-based distributions such as Ubuntu and LinuxMint. For “Redhat” and “CentOS,” use:

$sudo dnf install tcpdump

How to capture packets with tcpdump:

Various interfaces can be used to capture packets. To get a list of interfaces, use:

$sudo tcpdump -D

Or simply use “any” with the “tcpdump” command to get packets from the active interface. To begin packet capturing use:

$sudo tcpdump --interface any

The above command is tracing packets from all the active interfaces. The packets will continuously be grabbed until it gets an interruption from the user (ctrl-c).

We can also limit the number of packets to be captured using the “-c” flag that signifies the “count.” To capture 3 packets, use:

$sudo tcpdump -i any -c3

The above command is useful to filter a specific packet. Moreover, troubleshooting the connectivity issues requires only a few initial packets to be captured.

The “tcpdump” command captures packets with IP and port names by default but to clean-up, the mess and make the output easier to understand; the names can be disabled using “-n” and “-nn” for the port option:

$sudo tcpdump -i any -c3 -nn

As shown in the above output, the IP and port names have been taken out.

How to understand information about a captured packet:

To learn about the various fields of a captured packet, let’s take an example of a TCP packet:

A packet can have various fields, but the general ones are displayed above. The first field, “09:48:18.960683,” represents a time when the packet is received. Next comes IP addresses; the first IP [] is the source IP and the second IP [] is the destination IP. Then you will get the flag [P.]; a list of typical flags are given below:

Flag Type Description
“.” ACK Signifies acknowledgment
S SYN Flag for starting a connection
F FIN Flag for a closed connection
P PUSH Indicates the push of data from the sender
R RST Connection Reset

And next comes sequence number “seq 185:255”. The client and server both use the 32-bit sequence number to maintain and monitor data.

The “ack” is a flag; if it is 1, that means the acknowledgment number is valid, and the receiver expects the next byte.

The window number indicates the buffer size. “win 65535” means the amount of data that can be buffered.

And in the end comes the length [70] of the packet in bytes which is a difference of “185:255”.

Filtering packets to fix the network issues:

The “tcpdump” tool captures hundreds of packets, and most of them are of less importance which makes it much complex to get the desired information for troubleshooting. In this case, the filtering will play its role. For instance, while troubleshooting if you are not interested in a particular type of traffic, you can filter it using “tcpdump,” which comes with filtering packets according to the IP addresses, ports, and protocols.

How to capture a packet using hostname with tcpdump command:

To get the packet from a specific host only, use:

$sudo tcpdump -i any -c4 host

If you want to get only one-way traffic, then use “src” and “dst” options in the place of “host.”

How to capture a packet using port number with tcpdump command:

To filter packets with the port number, use:

$sudo tcpdump -i any -c3 -nn port 443

The “443” is the HTTPS port number.

How to capture a packet using the protocol with tcpdump command:

With the “tcpdump” command, you can filter packets according to any protocol such as udp, icmp, arp, etc. Simply type the protocol name:

$sudo tcpdump -i any -c6 udp

The above commands will only capture packets that belong to the “udp” protocol.

How to combine filtering options using logical operators:

Different filtering options can be combined using logical operators like “and/or”:

$sudo tcpdump -i any -c6 -nn host and port 443

How to store captured data:

The grabbed data can be saved to a file to monitor it later, and for that “-w” option will be used, and “w” signifies “write”:

$sudo tcpdump -i any -c5 -w packetData.pcap

The extension of the file would be “.pcap,” which stands for “packet capture.” Once the capturing is done, the file would be saved in your local drive. This file cannot be opened or read using any text editor program. To read it, use the “-r” flag with “tcpdump”:

$tcpdump -r packetData.pcap


The “tcpdump” is a valuable and flexible tool to capture and analyze network traffic to troubleshoot network problems. This guide’s point of attention is to learn the basic and advanced usage of the “tcpdump” command-line utility. But if you find it difficult, then there is a less complex GUI-based program called “Wireshark,” which does pretty much the same job but with various additional features.

About the author

Sam U

I am a professional graphics designer with over 6 years of experience. Currently doing research in virtual reality, augmented reality and mixed reality.
I hardly watch movies but love to read tech related books and articles.