Adjacent Node
Networking, explained. No BS.

tcpdump

What It Is

tcpdump captures live packets and reads saved captures from the command line, selecting traffic with libpcap (BPF) capture filters. It is the right tool for fast remote troubleshooting, low-overhead captures, and collecting evidence before opening the file in Wireshark. Narrow the capture at the source with tcpdump, then reach for Wireshark or tshark when you need deeper protocol dissection.

Core Options

Option          Use                              Notes
-D              List capture interfaces          Start here when interface names are unclear
-i <iface>      Select interface                 Names vary by platform; on Linux, -i any captures every interface in cooked mode, so -e shows a pseudo-header instead of Ethernet headers
-n              Do not resolve names             Avoids DNS noise and delays
-nn             Do not resolve names or ports    Good default for troubleshooting
-e              Show link-layer headers          Useful for MAC, VLAN, and ARP work
-v, -vv, -vvv   Increase verbosity               More protocol detail
-c <count>      Stop after count packets         Useful for quick samples
-s <snaplen>    Set capture length               Modern tcpdump defaults to 262144 bytes and -s 0 selects that default; old releases truncated at 68 bytes, which is where the habit comes from
-w <file>       Write capture file               Best for later analysis; -w - streams the pcap to stdout, for example over ssh into Wireshark
-r <file>       Read capture file                Filter a saved pcap
-A              Print payload as ASCII           Only useful for plaintext
-X              Print hex and ASCII              Quick payload inspection
-q              Quieter output                   Less decode detail
-tttt           Human-readable timestamp         Date and time, easier correlation with logs
-G <sec>        Rotate by time                   Long-running captures; put strftime fields such as %H%M%S in the -w name, otherwise each rotation overwrites the previous file
-C <MB>         Rotate by file size              Units are 1,000,000 bytes, not MiB
-W <count>      Limit rotated files              With -C keeps a ring of <count> files and overwrites the oldest; with -G stops after <count> files

Modern note: Most useful captures are written to a file with -w. Screen output is good for quick proof, but pcap files preserve evidence.

Capture Filter Basics

tcpdump uses capture filters, also called BPF or pcap filters. They decide which packets are captured at all: the filter runs in the kernel before packets are copied to user space, so a tight filter also cuts CPU load and drops. They are not the same as Wireshark display filters, which only hide packets that were already captured.

Primitive     Example                          Meaning
host          host 10.0.0.10                   Source or destination host
src host      src host 10.0.0.10               Source host only
dst host      dst host 10.0.0.10               Destination host only
net           net 10.0.20.0/24                 Source or destination network
port          port 443                         TCP, UDP, or SCTP source or destination port
tcp port      tcp port 443                     TCP only
udp port      udp port 53                      UDP only
portrange     tcp portrange 8000-8099          Port range
ether host    ether host 00:11:22:33:44:55     Ethernet MAC address
vlan          vlan 20                          802.1Q VLAN tag; primitives after it are decoded inside the tag
ip            ip                               IPv4 packets
ip6           ip6                              IPv6 packets
arp           arp                              ARP packets
icmp          icmp                             IPv4 ICMP
icmp6         icmp6                            IPv6 ICMP, including neighbor discovery

Logical operators:

Operator      Meaning                 Example
and, &&       Both expressions        host 10.0.0.10 and port 443
or, ||        Either expression       tcp port 80 or tcp port 443
not, !        Exclude expression      not port 22
( )           Group expressions       (port 80 or port 443) and host 10.0.0.10

Watch out: Shells interpret some characters. Quote filters with single quotes so the shell does not eat parentheses, exclamation marks, or comparison operators.

Useful Captures

Task                            Command
List interfaces                 tcpdump -D
Quick host view                 tcpdump -nn -i en0 host 10.0.0.10
Save full packet capture        tcpdump -nn -i en0 -s 0 -w issue.pcap host 10.0.0.10
DNS only (UDP and TCP)          tcpdump -nn -i en0 'port 53'
DHCPv4                          tcpdump -nn -i en0 'udp port 67 or udp port 68'
DHCPv6                          tcpdump -nn -i en0 'udp port 546 or udp port 547'
ARP                             tcpdump -nn -e -i en0 arp
All ICMPv6                      tcpdump -nn -i en0 'icmp6'
IPv6 neighbor discovery only    tcpdump -nn -i en0 'icmp6 and (ip6[40] == 135 or ip6[40] == 136)'
TCP handshake to HTTPS          tcpdump -nn -i en0 'tcp port 443 and host 198.51.100.10'
VLAN tagged traffic             tcpdump -nn -e -i en0 'vlan 20'
Read and filter pcap            tcpdump -nn -r issue.pcap 'host 10.0.0.10 and port 443'

Watch out: ip6[40] is the ICMPv6 type only when no extension headers sit between the fixed IPv6 header and ICMPv6. Neighbor solicitations (135) and advertisements (136) normally carry none, but fall back to plain 'icmp6' if the narrow filter misses traffic you can see with -v.

TCP Flag Filters

Goal                       Filter
SYN packets                tcp[tcpflags] & tcp-syn != 0
SYN without ACK            tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn
RST packets                tcp[tcpflags] & tcp-rst != 0
FIN packets                tcp[tcpflags] & tcp-fin != 0
IPv4 TCP with payload      tcp and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)

Watch out: greater N tests the whole frame length, so 'greater 40' matches every Ethernet TCP frame (the smallest is 54 bytes) and proves nothing about payload. The header-arithmetic filter subtracts the IPv4 header length and the TCP data offset from the IPv4 total length; it is IPv4 only, because ip[] does not index IPv6 and extension headers break fixed offsets. VLAN tags shift every offset unless the filter starts with vlan, tunnels put a second header set behind the first, and TSO/GRO offloads can show segments larger than the wire MTU in a local capture.
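To see exactly which bytes those filters test, here is an added Python example (not code from the original page): it builds constructed IPv4/TCP frames, applies the same flag and payload-length checks by hand, classifies each flow the way the Troubleshooting section below reads a capture (SYN answered, unanswered, or refused), and writes a classic pcap so `tcpdump -nn -r` can confirm the results. The addresses, ports, MSS option, and payload bytes are made-up sample data, and checksums are left at zero.

```python
# Added example, not code from the original page: the byte arithmetic behind the
# TCP filters above, applied to constructed IPv4/TCP frames. Addresses, ports and
# payload bytes are made-up sample data.
import struct

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10
ETH_HDR = 14  # pcap-filter's ip[n] / tcp[n] index from the IPv4 / TCP header, not the frame


def build_frame(src, dst, sport, dport, flags, payload=b"", options=b""):
    """Ethernet + IPv4 + TCP frame; checksums are left at zero (tcpdump -r still reads it)."""
    assert len(options) % 4 == 0, "TCP options are padded to 32-bit words"
    doff_words = (20 + len(options)) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000, doff_words << 4, flags, 65535, 0, 0)
    tcp += options + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp


def ip_hdr(frame):
    return frame[ETH_HDR:]


def tcp_hdr(frame):
    ip = ip_hdr(frame)
    return ip[((ip[0] & 0x0F) << 2):]  # IHL is in 32-bit words, so IP options shift the start


# One function per row of the flag table, testing the same byte the filter does.
def syn(frame):         # tcp[tcpflags] & tcp-syn != 0
    return (tcp_hdr(frame)[13] & TCP_SYN) != 0


def syn_only(frame):    # tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn
    return (tcp_hdr(frame)[13] & (TCP_SYN | TCP_ACK)) == TCP_SYN


def rst(frame):         # tcp[tcpflags] & tcp-rst != 0
    return (tcp_hdr(frame)[13] & TCP_RST) != 0


def greater(frame, n):  # greater N compares the whole frame length, headers included
    return len(frame) >= n


def tcp_payload_len(frame):
    """ip[2:2] - ((ip[0]&0xf)<<2) - ((tcp[12]&0xf0)>>2): total length minus both headers."""
    ip = ip_hdr(frame)
    ihl = (ip[0] & 0x0F) << 2
    total = struct.unpack("!H", ip[2:4])[0]
    doff = (ip[ihl + 12] & 0xF0) >> 2
    return total - ihl - doff


def classify_flows(frames):
    """Per client->server 4-tuple, the outcome the troubleshooting section asks about."""
    state = {}
    for f in frames:
        ip, tcp = ip_hdr(f), tcp_hdr(f)
        src = ".".join(str(b) for b in ip[12:16])
        dst = ".".join(str(b) for b in ip[16:20])
        sport, dport = struct.unpack("!HH", tcp[:4])
        flags = tcp[13]
        if (flags & (TCP_SYN | TCP_ACK)) == TCP_SYN:
            state[(src, sport, dst, dport)] = "SYN sent, no reply seen"
            continue
        key = (dst, dport, src, sport)  # replies are keyed by the client side
        if key not in state:
            continue
        if (flags & (TCP_SYN | TCP_ACK)) == (TCP_SYN | TCP_ACK):
            state[key] = "SYN-ACK returned, path works"
        elif flags & TCP_RST:
            state[key] = "RST returned, actively refused"
    return state


def pcap_bytes(frames):
    """Classic pcap (magic 0xa1b2c3d4, LINKTYPE_ETHERNET) so tcpdump -nn -r can read it."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


CLIENT, SERVER = "10.0.0.10", "198.51.100.10"   # constructed sample addresses
MSS = bytes.fromhex("020405b4")                 # MSS option, already 4 bytes
SAMPLE = [
    build_frame(CLIENT, SERVER, 40000, 443, TCP_SYN, options=MSS),
    build_frame(SERVER, CLIENT, 443, 40000, TCP_SYN | TCP_ACK, options=MSS),
    build_frame(CLIENT, SERVER, 40000, 443, TCP_ACK),
    build_frame(CLIENT, SERVER, 40000, 443, TCP_PSH | TCP_ACK, payload=b"\x16\x03\x01\x00\x05hello"),
    build_frame(CLIENT, SERVER, 40001, 8443, TCP_SYN, options=MSS),   # never answered
    build_frame(CLIENT, SERVER, 40002, 22, TCP_SYN, options=MSS),
    build_frame(SERVER, CLIENT, 22, 40002, TCP_RST | TCP_ACK),
]

if __name__ == "__main__":
    print("SYN:", sum(syn(f) for f in SAMPLE), "SYN-only:", sum(syn_only(f) for f in SAMPLE),
          "RST:", sum(rst(f) for f in SAMPLE))
    print("'greater 40' matches", sum(greater(f, 40) for f in SAMPLE), "of", len(SAMPLE))
    print("frames with payload:", [i for i, f in enumerate(SAMPLE) if tcp_payload_len(f) > 0])
    for flow, verdict in classify_flows(SAMPLE).items():
        print(flow, "->", verdict)
    with open("sample.pcap", "wb") as fh:  # then: tcpdump -nn -r sample.pcap 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'
        fh.write(pcap_bytes(SAMPLE))
```

Run it, then read sample.pcap back with each filter from the table: the SYN-without-ACK filter prints three frames, the RST filter one, and the payload filter only the PSH/ACK frame, while 'greater 40' prints all seven. The same classify_flows logic is what you do by eye when a SYN leaves and nothing, or a RST, comes back.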

Long-Running Captures

Rotate by time. With -G, -W caps the total number of files and tcpdump exits when the cap is reached, so this writes twelve 5-minute files (one hour) and stops. The strftime fields in the name keep each file distinct; without them every rotation would overwrite the last:

tcpdump -nn -i en0 -s 0 -G 300 -W 12 -w 'issue-%Y%m%d-%H%M%S.pcap' 'host 10.0.0.10'

Rotate by size and keep a ring. With -C, -W keeps the newest <count> numbered files and overwrites from the first once the limit is hit, so disk use stays bounded at roughly 1 GB here:

tcpdump -nn -i en0 -s 0 -C 100 -W 10 -w issue.pcap 'net 10.0.20.0/24'

Notes:

  • Confirm free disk space before starting, and size the ring so it fits.
  • On most Linux distributions tcpdump drops root privileges (see -Z) before it opens the output file, so write to a directory that user can write to or the rotation will fail on the first file.
  • Capture as close to the problem as possible.
  • Capture both directions when troubleshooting stateful firewalls, NAT, or asymmetric routing.
  • Record interface, time window, source, destination, and problem statement with the pcap.

Cisco IOS/IOS-XE Examples

Embedded Packet Capture varies by platform and release, but the common workflow is: define buffer, define capture point, attach, start, stop, export. The example below is the classic IOS form (12.4T and 15.x); IOS-XE replaces it with a single monitor capture <name> command family that sets the interface, filter, buffer, start/stop, and export in one place, so check the syntax for your release.

monitor capture buffer CAP-BUF size 20 circular
monitor capture point ip cef CAP-POINT GigabitEthernet1/0/1 both
monitor capture point associate CAP-POINT CAP-BUF
monitor capture point start CAP-POINT
monitor capture point stop CAP-POINT
monitor capture buffer CAP-BUF export flash:issue.pcap

Notes:

  • Check platform support and syntax before using this during an incident.
  • Keep buffers small and scoped. Router and switch captures can affect CPU.
  • Stop and remove the capture point and buffer when finished; a forgotten circular capture keeps consuming memory and CPU.
  • Prefer SPAN, TAP, or packet broker captures for high-volume links.

Troubleshooting

Symptom                             Check                                              Likely Cause
No packets captured                 Interface, direction, filter, permissions          Wrong interface, filter too narrow, or no root/CAP_NET_RAW
DNS appears during capture          Missing -n or -nn                                  tcpdump's own reverse lookups of captured addresses
Capture file too small              Snap length                                        Missing -s 0 or small snaplen
Drops reported                      Kernel drop count, -B buffer size, disk, filter    Capture host cannot keep up; raise -B and tighten the filter
TCP handshake visible, app fails    TLS, HTTP, app logs                                Network path works, app layer failing
SYN leaves, no SYN-ACK returns      Return path, firewall, routing                     One-way path or silent drop
RST returns immediately             Service closed or policy reject                    Host or firewall actively refusing

Watch Out

  • Do not confuse capture filters with Wireshark display filters.
  • Do not run broad captures on busy links unless you have disk and CPU headroom.
  • Do not assume seeing one side of a flow proves the other side received it.
  • Do not forget NIC offloads (TSO, GRO, checksum offload) can make local captures look strange: oversized segments and bad checksums on outbound packets are usually the offload, not the network.
  • Do not capture sensitive payloads without approval and handling discipline.
  • Do not share pcaps publicly without sanitizing addresses, names, tokens, and payloads.
