Useful tcpdump commands and examples


Packet sniffing (capturing) is a troubleshooting tool that many system and network engineers rely on. If, like me, you use Linux a lot, tcpdump is a useful tool to have at hand. In this tutorial I'm listing a couple of tcpdump commands that I use frequently. I'll keep adding other interesting commands that I stumble upon over time.

Installing tcpdump

CentOS/RHEL

# yum install tcpdump
Ubuntu/Debian
# apt-get install tcpdump

Examples

tcpdump requires root privileges. Please use a privileged user, or use sudo where applicable.

Running tcpdump and listening on all network interfaces
# tcpdump
Listening on a specific network interface
# tcpdump -i eth0
All my examples use the '-i eth0' parameter because I'm used to it. You could leave it out depending on your use case, for example if the server has only one NIC.

Write packet capture to Wireshark compatible file
# tcpdump -i eth0 -w /location/filename.pcap
Capturing a specific port
# tcpdump -i eth0 port 80
Capturing DNS traffic
# tcpdump -i eth0 udp port 53
Capturing all traffic except SSH
# tcpdump -i eth0 port not 22
Capturing ICMP traffic
# tcpdump -i eth0 icmp
Combining multiple filters with AND/OR
# tcpdump -i eth0 port 80 or port 443
# tcpdump -i eth0 port 80 or port 443 and host IP.ADDR.OF.HOST
Excluding specific hosts or ports
# tcpdump -i eth0 port not 22
# tcpdump -i eth0 host not IP.ADDR.OF.HOST
# tcpdump -i eth0 host IP.ADDR.OF.HOST and port not 22
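
As an added example (not part of the original post), a small POSIX shell helper that composes the host/port AND/OR filters above into one explicitly parenthesised expression and prints the matching tcpdump command line; the interface eth0, the sample address 192.0.2.10 and the output path are assumptions.

```shell
#!/bin/sh
# Added example: build a tcpdump (BPF) filter from a list of hosts, a list of
# ports and a list of ports to exclude. tcpdump's "and" and "or" have equal
# precedence and associate left to right, so each group is parenthesised to
# make the intent explicit. eth0, 192.0.2.10 and /tmp/web.pcap are assumptions.

# join_or KEYWORD "V1 V2 ..." -> "(KEYWORD V1 or KEYWORD V2 ...)", or "" if empty
join_or() {
    kw=$1
    out=""
    for v in $2; do
        if [ -z "$out" ]; then out="$kw $v"; else out="$out or $kw $v"; fi
    done
    if [ -n "$out" ]; then printf '(%s)' "$out"; fi
}

# build_filter HOSTS PORTS EXCLUDED_PORTS -> one BPF expression
build_filter() {
    hosts=$(join_or host "$1")
    ports=$(join_or port "$2")
    bpf=""
    for part in "$hosts" "$ports"; do
        [ -z "$part" ] && continue
        if [ -z "$bpf" ]; then bpf=$part; else bpf="$bpf and $part"; fi
    done
    for p in $3; do
        if [ -z "$bpf" ]; then bpf="not port $p"; else bpf="$bpf and not port $p"; fi
    done
    printf '%s' "$bpf"
}

# tcpdump_cmd IFACE PCAP_FILE FILTER -> full command line. The filter is
# single-quoted so the shell hands it to tcpdump as one argument; -nn disables
# reverse-DNS and service-name lookups, which would add traffic of their own.
tcpdump_cmd() {
    printf "tcpdump -i %s -nn -w %s '%s'" "$1" "$2" "$3"
}

# Only start a real capture (needs root) when invoked as: sh script.sh run
if [ "$1" = "run" ]; then
    f=$(build_filter "192.0.2.10" "80 443" "22")
    tcpdump_cmd eth0 /tmp/web.pcap "$f"; echo
    tcpdump -i eth0 -nn -w /tmp/web.pcap "$f"
fi
```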
Hope this helps.