How to use the Linux tcpdump command

With the Linux command tcpdump you can capture and analyse the packets passing through a network interface of your machine. Numerous options and filters let you narrow the capture down to exactly the traffic you are interested in.

What is Linux tcpdump?

tcpdump is a valuable tool for analysing network traffic on Linux and tracking down network problems. The command line program is available for practically all common Linux distributions, e.g. Debian or Ubuntu, and is often installed by default; where it is not, it comes from the distribution's package repositories under the package name tcpdump. It displays information about the packets sent or received on a network interface of the host it runs on. Despite its name, tcpdump is not limited to TCP: it also decodes UDP, ICMP, ARP and many other protocols. Capturing on a live interface requires root privileges (more precisely, the CAP_NET_RAW and CAP_NET_ADMIN capabilities); reading a previously saved capture file does not.

How does the tcpdump command work?

The kind of analysis performed by tcpdump is commonly referred to as ‘sniffing’. With the Linux tcpdump command you specify the network interface that the program should monitor; by default tcpdump puts that interface into promiscuous mode, so it also sees frames that are not addressed to your host (the -p option disables this). Keep in mind that on a switched network you still only see your own traffic plus broadcast and multicast unless a mirror port or similar arrangement delivers other hosts' traffic to you. To customise and narrow down the capture, tcpdump offers a wide range of filters. The command is executed on the command line, and the decoded packets are printed to the terminal as they arrive.

What is the syntax of tcpdump?

The syntax of Linux tcpdump is very simple and looks like this:

$ tcpdump [Options] [Filter]

Options are not mandatory, but you will usually want at least -i to make sure tcpdump captures on the right interface: if none is given, tcpdump picks one itself (the first configured, non-loopback interface that is up), which is not necessarily the one you mean. The filter is also optional but highly beneficial. Without a filter, tcpdump prints every packet from every host that the interface sees, which quickly becomes overwhelming and confusing. Note the order: options come first, and everything after the last option is read as the filter expression.

What are the options and filters of the Linux tcpdump command?

There are numerous options and filters for tcpdump. The most important ones are:

  • -A: Prints the content of each packet as ASCII (without the link-level header), which is useful for looking at plaintext protocols such as HTTP.
  • -c [Quantity]: tcpdump terminates automatically after the specified number of packets have been captured.
  • -D: Lists all interfaces available for capturing, including the pseudo-interface any.
  • -i [Interface]: Determines which interface is captured; -i any captures on all interfaces at once.
  • -s [Quantity]: Sets the snapshot length, i.e. how many bytes are recorded per packet. The current default of 262144 bytes captures whole packets, and -s 0 means the same; older versions defaulted to 68 bytes and silently truncated payloads.
  • -n / -nn: Does not resolve IP addresses to host names (-n), or port numbers to service names either (-nn). This is faster and avoids DNS lookups that would reveal which addresses you are examining.
  • -w [File] / -r [File]: Writes the raw packets to a pcap file instead of printing them (-w), or reads packets back from such a file (-r). A saved capture can be analysed later with tcpdump itself or with Wireshark, and reading it needs no special privileges.

The filter is an expression in pcap-filter syntax built from the keywords below, which can be combined with and, or and not and grouped with parentheses:

  • dst: Restricts the match to the destination side of a packet; it qualifies host, net, port or portrange, as in dst host, dst net, dst port or dst portrange.
  • host: Only packets that have the specified IP address, or alternatively the specified host name, as source or destination are considered.
  • net: Only packets with a source or destination address in the specified network are considered. The network is written in CIDR notation (e.g. 192.0.2.0/24) or with an explicit netmask.
  • port: Only packets whose source or destination port is the specified number between 0 and 65535 (or the corresponding service name) are considered.
  • portrange: Like port, but matches a range of ports between 0 and 65535, written as low-high, e.g. 1024-65535.
  • proto: Restricts the match to a specific protocol. The protocol qualifiers tcpdump understands include ether, fddi, wlan, ip, ip6, arp, rarp, decnet, sctp, tcp and udp. In practice the protocol name is simply written on its own (tcp, udp, icmp, arp); the explicit proto keyword is mainly needed for numeric protocol types, e.g. ip proto 1 for ICMP.
  • src: Restricts the match to the source side of a packet, as in src host, src net, src port or src portrange.

Examples for using the tcpdump command

Finally, here are some examples of how to use tcpdump. Because capturing on an interface requires root privileges, the examples use the Linux sudo command.

$ sudo tcpdump -D

Check which network interfaces are available.

$ sudo tcpdump -i wlx14a3c782966b

Capture only on the interface with the specified name (here a Wi-Fi adapter) and print packets until you stop tcpdump with Ctrl-C.

$ sudo tcpdump -c 5 -i wlx14a3c782966b

With -c 5, tcpdump stops automatically after it has captured five packets.
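Putting the options and filters from above together: the following shell snippet is an added example and not part of the original article. It wraps tcpdump in small functions with the defaults a practitioner wants when collecting evidence (-nn, -s 0, -c, -w) and shows how a filter is assembled from the keywords above, including the common step of excluding your own SSH session so that its traffic does not flood the capture. The interface name eth0, the file path /tmp/capture.pcap and the filter expressions in the usage comment are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example, not from the original article: a thin wrapper around tcpdump.
# Placeholders: eth0, /tmp/capture.pcap and the filter strings below.

# tcpdump needs CAP_NET_RAW/CAP_NET_ADMIN to open an interface, so prefix
# "sudo" only when we are not already root. Prints nothing otherwise.
need_sudo() {
  if [ "$(id -u)" -ne 0 ]; then
    printf 'sudo'
  fi
}

# build_filter BASE_EXPR
# Prints BASE_EXPR and, when run inside an SSH session, additionally excludes
# that session's own packets. sshd sets SSH_CLIENT to
# "client_ip client_port server_port", so the exclusion is
# "not (host <client_ip> and tcp port <server_port>)".
build_filter() {
  base=$1
  if [ -n "${SSH_CLIENT:-}" ]; then
    # Intentional word splitting: $1=client ip, $2=client port, $3=server port
    set -- $SSH_CLIENT
    exclude="not (host $1 and tcp port $3)"
    if [ -n "$base" ]; then
      printf '(%s) and %s' "$base" "$exclude"
    else
      printf '%s' "$exclude"
    fi
  else
    printf '%s' "$base"
  fi
}

# capture IFACE COUNT OUTFILE [FILTER]
#  -nn  no host or port name resolution: faster, and no DNS queries that
#       reveal which addresses you are looking at
#  -s 0 full snapshot length, so payloads in the pcap are not truncated
#  -c   stop after COUNT packets, so an unattended capture is bounded
#  -w   write raw packets to a pcap file for later analysis instead of
#       printing them
# The filter is passed as one argument; tcpdump accepts the whole expression
# in a single word, so parentheses survive intact.
capture() {
  iface=$1; count=$2; outfile=$3
  shift 3
  # $(need_sudo) expands to no word at all when already root.
  $(need_sudo) tcpdump -nn -s 0 -i "$iface" -c "$count" -w "$outfile" "$@"
}

# replay PCAP [FILTER]
# Re-reads a saved capture. No privileges are needed, and the same filter
# syntax applies, so you can narrow a capture down after the fact.
replay() {
  pcap=$1; shift
  tcpdump -nn -r "$pcap" "$@"
}

# Usage (interactively, as a user with sudo rights):
#   f=$(build_filter 'udp port 53 or (tcp and dst port 443)')
#   capture eth0 200 /tmp/capture.pcap "$f"
#   replay /tmp/capture.pcap 'dst port 443'
```

The exclusion of the SSH session matters more than it looks: without it, every line tcpdump prints is sent back over SSH, which generates packets, which tcpdump prints, and the capture fills with its own output. Writing to a pcap with -w and filtering again on replay with -r keeps the raw evidence intact while letting you refine what you look at later.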