With the Linux command tcpdump you can capture and analyse the packets that pass through a network interface. Numerous options and filters let you narrow the capture down to the traffic you are actually interested in.

What is Linux tcpdump?

tcpdump is a valuable tool for analysing network traffic on Linux and for tracking down network problems. The command-line program is available on all common Linux distributions: it is either pre-installed or one package away (e.g. apt install tcpdump on Debian or Ubuntu). It prints information about the packets sent or received on a network interface. Despite its name, tcpdump is not limited to TCP: it also decodes UDP, ICMP, ARP and many other protocols. Capturing requires root privileges, or more precisely the CAP_NET_RAW and CAP_NET_ADMIN capabilities, because tcpdump needs raw access to the interface.

How does the tcpdump command work?

Capturing packets this way is commonly referred to as ‘sniffing’. tcpdump is built on the libpcap library; you tell it which network interface to monitor, and by default it puts that interface into promiscuous mode, so it also sees frames not addressed to the host itself (on a switched network this is mostly broadcast and multicast traffic unless the switch port is mirrored). To narrow the capture, tcpdump offers a rich filter language. The command runs on the command line and, by default, prints one line per captured packet.

What is the syntax of tcpdump?

The syntax of Linux tcpdump is very simple and looks like this:

$ tcpdump [Options] [Filter]

While spe­cify­ing options isn’t mandatory, it’s re­com­men­ded to ensure tcpdump considers the correct network interface. Ad­di­tion­ally, using filters is optional but highly be­ne­fi­cial. Without filters, tcpdump analyses all packets from all hosts, which can quickly become over­whelm­ing and confusing.

What are the options and filters of the Linux tcpdump command?

There are numerous options and filters for tcpdump. The most important ones are:

  • -A: Prints each packet, minus its link-level header, in ASCII. Handy for inspecting plaintext protocols such as HTTP.
  • -c [Count]: tcpdump exits automatically after the given number of packets has been captured.
  • -D: Lists all interfaces on which tcpdump can capture.
  • -i [Interface]: Selects the interface to capture on. The pseudo-interface any captures on all interfaces at once.
  • -n: Does not convert addresses and port numbers to names. This avoids slow (and noisy) DNS lookups during the capture and is what you want in almost every troubleshooting or security session.
  • -r [File]: Reads packets from a file previously saved with -w instead of from a live interface.
  • -s [Bytes]: The snapshot length, i.e. how many bytes are captured per packet. Current versions default to 262144 bytes, which captures whole packets; with a smaller value, packets are truncated after that many bytes.
  • -v, -vv: Increasingly verbose output, e.g. TTL, IP identification and checksum verification.
  • -w [File]: Writes the raw packets to a pcap file instead of printing them, for later analysis with -r or with Wireshark.

You can use the following filter primitives for tcpdump. They can be combined with and, or and not and grouped with parentheses; quote the whole expression so that the shell does not interpret it:

  • dst: A qualifier that restricts the match to the destination side of a packet. It is combined with host, net, port or portrange, e.g. dst port 443 or dst net 10.0.0.0/8.
  • host: Matches only packets that have the given IP address (or, alternatively, a host name, which is resolved when tcpdump starts) as source or destination.
  • net: Matches only packets whose source or destination address lies in the given network, e.g. net 192.168.1.0/24.
  • port: Matches only packets with the given TCP or UDP port (0 to 65535) as source or destination port.
  • portrange: Like port, but for a range of ports between 0 and 65535, e.g. portrange 8000-8080.
  • proto: Restricts the match to a specific protocol. The protocol names are arp, decnet, ether, fddi, ip, ip6, rarp, tcp, udp and wlan. In practice they are written on their own (e.g. tcp, udp, arp), and icmp is a shorthand for ip proto icmp.
  • src: The counterpart of dst: restricts the match to the source side, e.g. src host 192.168.1.10 or src portrange 1024-65535.

Examples for using the tcpdump command

Finally, we’ll show you how to use tcpdump. Since capturing requires root privileges, the examples are prefixed with the Linux sudo command.

$ sudo tcpdump -D

Check which network in­ter­faces are available.

$ sudo tcpdump -i wlx14a3c782966b

Analyse only the interface with the specified name.

$ sudo tcpdump -c 5 -i wlx14a3c782966b

This makes tcpdump stop as soon as five packets have been captured on that interface.
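Such a capture prints one line per packet, and with many packets the text becomes hard to read. As an added example (not part of this article and not code from the tcpdump project), the following Python script parses that text format, as printed with -n so that addresses are numeric, into records and summarises it: a breakdown by protocol and, per source host, how many distinct destination ports received a bare SYN, which is the quickest way to spot a port scan in a capture. The sample lines are constructed, the parser handles IPv4 lines only, and any line with ports that is neither TCP nor ICMP is assumed to be UDP.

```python
"""Summarise tcpdump's default one-line text output.

Example code added for this article (not from the tcpdump project). It assumes
the capture was printed with -n, so addresses are numeric, and it handles IPv4
lines only; ARP and IP6 lines are skipped. The sample below is constructed.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample of what `sudo tcpdump -n -i <interface>` prints:
# a TCP handshake to port 443, a DNS lookup, a ping, four bare SYNs from
# one host to different ports, and an ARP request.
SAMPLE = """\
14:02:11.103311 IP 192.168.1.10.51514 > 93.184.216.34.443: Flags [S], seq 3123456789, win 64240, options [mss 1460,sackOK,TS val 1 ecr 0,nop,wscale 7], length 0
14:02:11.121004 IP 93.184.216.34.443 > 192.168.1.10.51514: Flags [S.], seq 987654321, ack 3123456790, win 65535, options [mss 1460], length 0
14:02:11.121100 IP 192.168.1.10.51514 > 93.184.216.34.443: Flags [.], ack 1, win 502, length 0
14:02:11.200000 IP 192.168.1.10.40011 > 192.168.1.1.53: 4711+ A? example.com. (29)
14:02:11.210000 IP 192.168.1.1.53 > 192.168.1.10.40011: 4711 1/0/0 A 93.184.216.34 (45)
14:02:12.000000 IP 192.168.1.10 > 8.8.8.8: ICMP echo request, id 23, seq 1, length 64
14:02:12.000900 IP 8.8.8.8 > 192.168.1.10: ICMP echo reply, id 23, seq 1, length 64
14:02:13.000000 IP 10.0.0.99.60000 > 192.168.1.10.22: Flags [S], seq 1, win 1024, length 0
14:02:13.000100 IP 10.0.0.99.60001 > 192.168.1.10.80: Flags [S], seq 1, win 1024, length 0
14:02:13.000200 IP 10.0.0.99.60002 > 192.168.1.10.443: Flags [S], seq 1, win 1024, length 0
14:02:13.000300 IP 10.0.0.99.60003 > 192.168.1.10.8080: Flags [S], seq 1, win 1024, length 0
14:02:14.000000 ARP, Request who-has 192.168.1.1 tell 192.168.1.10, length 28
"""

# timestamp, "IP", source endpoint, destination endpoint, protocol-specific rest
IP_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6}) IP (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")
TCP_FLAGS = re.compile(r"^Flags \[(?P<flags>[^\]]*)\]")


@dataclass
class Packet:
    ts: str
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    flags: str  # TCP flags as printed by tcpdump (S, S., P., F., R, ...)


def split_endpoint(endpoint: str):
    """Split '192.168.1.10.51514' into ('192.168.1.10', 51514).

    ICMP lines print a bare address ('192.168.1.10'), so a naive
    rsplit('.', 1) would yield ('192.168.1', 10); count the dots instead.
    """
    parts = endpoint.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    if len(parts) == 4:
        return endpoint, None
    raise ValueError(f"unexpected IPv4 endpoint: {endpoint!r}")


def parse_line(line: str) -> Optional[Packet]:
    m = IP_LINE.match(line)
    if not m:
        return None  # ARP, IP6 and other non-IPv4 lines are not handled here
    src, sport = split_endpoint(m["src"])
    dst, dport = split_endpoint(m["dst"])
    rest = m["rest"]
    fm = TCP_FLAGS.match(rest)
    if fm:
        proto, flags = "TCP", fm["flags"]
    elif rest.startswith("ICMP"):
        proto, flags = "ICMP", ""
    else:
        # Assumption: any other port-bearing line is UDP (DNS, NTP, ... are
        # decoded by tcpdump, so the payload text varies by application).
        proto, flags = "UDP", ""
    return Packet(m["ts"], proto, src, sport, dst, dport, flags)


def parse(text: str) -> list:
    return [p for p in (parse_line(l) for l in text.splitlines()) if p]


def protocol_counts(packets) -> Counter:
    return Counter(p.proto for p in packets)


def syn_fanout(packets) -> dict:
    """Number of distinct (destination, port) pairs that received a bare SYN
    from each source. One source hitting many ports is the classic signature
    of a port scan; a normal client talks to a handful of services."""
    targets = defaultdict(set)
    for p in packets:
        if p.proto == "TCP" and p.flags == "S":
            targets[p.src].add((p.dst, p.dport))
    return {src: len(t) for src, t in targets.items()}


if __name__ == "__main__":
    pkts = parse(SAMPLE)
    print("packets by protocol:", dict(protocol_counts(pkts)))
    for src, n in sorted(syn_fanout(pkts).items(), key=lambda kv: -kv[1]):
        print(f"{src} sent SYNs to {n} distinct destination port(s)")
```

On the constructed sample, 10.0.0.99 stands out with SYNs to four different ports while the legitimate client shows a fan-out of one. To run it on a live capture, replace SAMPLE with the text read from standard input and pipe sudo tcpdump -n -i <interface> -c 200 into the script; for anything larger than a quick look, save the capture with -w and process the pcap file with a proper library rather than parsing text.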
