tcpdump Command: Tutorial & Examples
A tool for network diagnostics
tcpdump command is a powerful tool for network diagnostics and data traffic analysis.
This command-line utility allows you to capture and analyze network traffic going in and out of your system.
tcpdump works is vital for diagnosing network failures and other
complex network issues. It is also invaluable for security audits, as it can reveal suspicious activity on your network.
tcpdump works by putting the network interface card (NIC) into promiscuous mode. In this mode, the
NIC passes all traffic it receives to the CPU rather than just the packets intended for it.
uses a packet capture library to capture the network packets that your system is receiving or
Network problems can be tricky to diagnose.
tcpdump allows you to see the network packets in real time or from a saved
capture file. This insight can be vital when troubleshooting complex network issues, such as a slow network connection
or network failure.
Here are some examples of how to use the
tcpdump -i eth0
This command will start capturing all packets on the
tcpdump -i eth0 -w /tmp/capture.pcap
-w option allows you to write the packet data to a file for later analysis.
tcpdump -r /tmp/capture.pcap
You can read from a capture file using the
tcpdump -i eth0 port 80
To filter the traffic by port number, simply specify the port after the interface.
Typical output of
A typical output of
tcpdump might look something like this:
14:23:45.678901 IP 192.0.2.1.12345 > 203.0.113.1.80: Flags [.], seq 54321:54361, ack 1, win 512, length 40
This output shows a packet sent from IP
12345, to IP
80. The flags indicate
the control bits set in the TCP header (e.g., SYN, ACK), and the sequence number, acknowledgement number, and window
size are also displayed.
tcpdump command is a powerful and flexible network tool that every Linux system administrator should be familiar
with. Its ability to capture and analyze network traffic can be invaluable when diagnosing network issues or performing