When network issues arise — connections timing out, services unreachable, or unexpected traffic patterns — you need to see what is actually happening on the wire. tcpdump is the standard command-line packet capture tool on Linux, installed on virtually every server and capable of intercepting, filtering, and recording network traffic at the packet level. It is the fastest way to diagnose network problems directly on a production server.
This guide covers practical tcpdump usage from basic captures to advanced filtering, protocol analysis, and integration with Wireshark for visual inspection.
Prerequisites
Before you begin, make sure you have:
- A Linux system (Ubuntu, Debian, RHEL/CentOS, Fedora, or similar)
- Terminal access with sudo privileges (tcpdump requires root for packet capture)
- Basic understanding of TCP/IP networking (IP addresses, ports, TCP vs UDP)
Installing tcpdump
tcpdump is pre-installed on most Linux distributions. Verify or install it:
# Debian/Ubuntu
sudo apt update && sudo apt install tcpdump
# RHEL/Fedora/CentOS
sudo dnf install tcpdump
# Verify installation
tcpdump --version
Identifying Network Interfaces
Before capturing, identify which interface carries the traffic you want to inspect:
# List all interfaces tcpdump can capture on
sudo tcpdump -D
# Or use ip to show interfaces
ip link show
Typical output:
1.eth0 [Up, Running, Connected]
2.lo [Up, Running, Loopback]
3.docker0 [Up, Running, Connected]
4.any (Pseudo-device that captures on all interfaces) [Up, Running]
Use any to capture on all interfaces simultaneously, or specify a single interface for cleaner output.
Basic Capture
Capture All Traffic on an Interface
sudo tcpdump -i eth0
This displays every packet in real time. Press Ctrl+C to stop. The output shows one line per packet:
14:23:45.123456 IP 10.0.1.5.22 > 10.0.1.1.54321: Flags [P.], seq 1:53, ack 1, win 502, length 52
Fields: timestamp, protocol, source IP.port, destination IP.port, TCP flags, sequence/ack numbers, window size, and payload length.
Limit the Number of Packets
# Stop after capturing 50 packets
sudo tcpdump -i eth0 -c 50
Verbose Output
# More detail (TTL, IP options, checksum)
sudo tcpdump -i eth0 -v
# Even more detail
sudo tcpdump -i eth0 -vv
# Maximum verbosity
sudo tcpdump -i eth0 -vvv
Show IP Addresses Instead of Hostnames
# Don't resolve hostnames (faster output)
sudo tcpdump -i eth0 -n
# Don't resolve hostnames or port names
sudo tcpdump -i eth0 -nn
Tip: Always use -nn in production. DNS resolution for every packet slows down the capture and can generate additional traffic.
Capture Filters
Filters are the most important feature of tcpdump. They use the BPF (Berkeley Packet Filter) syntax and are applied during capture, reducing noise before it hits your screen.
Filter by Host
# Traffic to or from a specific IP
sudo tcpdump -i eth0 host 10.0.1.5
# Only traffic FROM a specific IP
sudo tcpdump -i eth0 src host 10.0.1.5
# Only traffic TO a specific IP
sudo tcpdump -i eth0 dst host 10.0.1.5
Filter by Port
# HTTP traffic
sudo tcpdump -i eth0 port 80
# HTTPS traffic
sudo tcpdump -i eth0 port 443
# SSH traffic
sudo tcpdump -i eth0 port 22
# DNS traffic
sudo tcpdump -i eth0 port 53
# Source port only
sudo tcpdump -i eth0 src port 443
# Destination port only
sudo tcpdump -i eth0 dst port 8080
Filter by Protocol
# Only TCP packets
sudo tcpdump -i eth0 tcp
# Only UDP packets
sudo tcpdump -i eth0 udp
# Only ICMP (ping) packets
sudo tcpdump -i eth0 icmp
# Only ARP packets
sudo tcpdump -i eth0 arp
Filter by Network (Subnet)
# All traffic to or from a subnet
sudo tcpdump -i eth0 net 10.0.1.0/24
# Traffic between two subnets
sudo tcpdump -i eth0 src net 10.0.1.0/24 and dst net 10.0.2.0/24
Combining Filters
Use and, or, and not (or &&, ||, !) to combine conditions:
# HTTPS traffic to a specific host
sudo tcpdump -i eth0 host 10.0.1.5 and port 443
# HTTP or HTTPS traffic
sudo tcpdump -i eth0 port 80 or port 443
# All traffic except SSH
sudo tcpdump -i eth0 not port 22
# Complex filter: HTTP traffic from one host, excluding a specific IP
sudo tcpdump -i eth0 'src host 10.0.1.5 and port 80 and not dst host 10.0.1.1'
Port Ranges
# Ports 8000 through 8999
sudo tcpdump -i eth0 portrange 8000-8999
Filter by TCP Flags
# Only SYN packets (new connections)
sudo tcpdump -i eth0 'tcp[tcpflags] & (tcp-syn) != 0'
# Only SYN-ACK packets (connection responses)
sudo tcpdump -i eth0 'tcp[tcpflags] & (tcp-syn|tcp-ack) == (tcp-syn|tcp-ack)'
# Only RST packets (connection resets)
sudo tcpdump -i eth0 'tcp[tcpflags] & (tcp-rst) != 0'
# Only FIN packets (connection closures)
sudo tcpdump -i eth0 'tcp[tcpflags] & (tcp-fin) != 0'
Saving and Reading Capture Files
Write to a pcap File
# Save all traffic to a file
sudo tcpdump -i eth0 -w /tmp/capture.pcap
# Save with a filter
sudo tcpdump -i eth0 -w /tmp/https.pcap port 443
# Rotate files every 100MB, keeping 5 files (tcpdump appends 0-4 to the file name and wraps around)
sudo tcpdump -i eth0 -w /tmp/capture.pcap -C 100 -W 5
# Time-based rotation with a timestamp in the name: strftime patterns such as %Y%m%d are only expanded when -G is given (here a new file every hour, exiting after 5 files)
sudo tcpdump -i eth0 -w /tmp/capture-%Y%m%d-%H%M%S.pcap -G 3600 -W 5
Read a pcap File
# Read all packets from a file
tcpdump -r /tmp/capture.pcap
# Read with filters (applied on display)
tcpdump -r /tmp/capture.pcap port 443
# Read with full detail
tcpdump -r /tmp/capture.pcap -nn -vvv
Transfer to Wireshark
The pcap format is universal. Copy the file to your workstation and open it in Wireshark:
# Copy from server to local machine
scp user@server:/tmp/capture.pcap ~/Desktop/
# Or capture remotely and pipe directly to Wireshark (-U flushes each packet to the pipe as it arrives; the port 443 filter also keeps the SSH session's own traffic out of the stream)
ssh user@server 'sudo tcpdump -i eth0 -U -w - port 443' | wireshark -k -i -
Displaying Packet Content
Show Packet Payload as ASCII
# Print packet content in ASCII
sudo tcpdump -i eth0 -A port 80
This is useful for inspecting HTTP requests and responses in clear text.
Show Payload as Hex and ASCII
# Hex + ASCII dump
sudo tcpdump -i eth0 -X port 80
# Hex + ASCII with link-layer header
sudo tcpdump -i eth0 -XX port 80
Control Capture Size
# Capture only the first 96 bytes of each packet (headers only; too small once IPv6 or TCP options are involved)
sudo tcpdump -i eth0 -s 96
# Capture full packets (no truncation). Recent tcpdump releases already default to a 262144-byte snaplen, so -s 0 mainly matters on older versions with a small default
sudo tcpdump -i eth0 -s 0
Practical Troubleshooting Examples
Diagnose DNS Resolution Issues
# Capture all DNS traffic
sudo tcpdump -i eth0 -nn port 53
# Watch for DNS queries and responses with detail
sudo tcpdump -i eth0 -nn -vv port 53
Look for: queries without responses (DNS server unreachable), NXDOMAIN responses (name doesn’t exist), or unusually slow response times.
Debug HTTP Connection Problems
# See TCP handshake and HTTP requests
sudo tcpdump -i eth0 -nn -A 'host example.com and port 80'
# Check if connections are being reset
sudo tcpdump -i eth0 -nn 'host example.com and tcp[tcpflags] & (tcp-rst) != 0'
Identify Excessive Connections
# Count packets to port 443 per source IP over the first 10,000 packets (options go before the filter expression; add "and tcp[tcpflags] == tcp-syn" to the filter to count only new connection attempts)
sudo tcpdump -i eth0 -nn -c 10000 dst port 443 2>/dev/null | \
awk '{print $3}' | cut -d. -f1-4 | sort | uniq -c | sort -rn | head -20
Monitor Database Traffic
# MySQL traffic (port 3306)
sudo tcpdump -i eth0 -nn port 3306
# PostgreSQL traffic (port 5432), first 100 packets
sudo tcpdump -i eth0 -nn -c 100 port 5432
Check for SYN Flood Attacks
# Count SYN-only packets per second (-l makes stdout line-buffered so the pipeline updates live instead of waiting for the buffer to fill)
sudo tcpdump -i eth0 -nn -l 'tcp[tcpflags] == tcp-syn' 2>/dev/null | \
awk '{print substr($1,1,8)}' | uniq -c
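The two pipelines above (per-source packet counts and SYNs per second) only work on live output, which makes them hard to sanity-check. The following is an added example, not part of the original guide: the same awk/cut/uniq logic wrapped in shell functions that read tcpdump's -nn text output from stdin, run here against a constructed sample rather than a real capture. It assumes IPv4 lines in the one-packet-per-line format shown in the Basic Capture section (field 3 is the source address with the port appended; field 7 is the bracketed flags), and it adds a flag-combination summary that is useful when hunting for RST storms or half-open backlogs. When feeding a live capture into these functions, give tcpdump the -l option so its stdout is line-buffered.

```shell
#!/bin/sh
# Added example (not from the original guide): shell functions that apply the
# "Identify Excessive Connections" and "Check for SYN Flood Attacks" pipelines
# to tcpdump -nn text output read from stdin.
# Assumed input format (IPv4, no name resolution):
#   <HH:MM:SS.usec> IP <src.ip.port> > <dst.ip.port>: Flags [<flags>], ...
# For a live capture, run tcpdump with -l so the pipeline sees lines as they
# arrive instead of after stdout's buffer fills.

# Constructed sample, not a real capture: 10.0.1.5 sends three bare SYNs
# within one second and a fourth in the next; 10.0.1.7 sends one; 10.0.1.9
# is the server answering with SYN-ACK.
SAMPLE_CAPTURE='14:23:45.100001 IP 10.0.1.5.54321 > 10.0.1.9.443: Flags [S], seq 1, win 64240, length 0
14:23:45.100002 IP 10.0.1.9.443 > 10.0.1.5.54321: Flags [S.], seq 0, ack 2, win 65160, length 0
14:23:45.200000 IP 10.0.1.5.54322 > 10.0.1.9.443: Flags [S], seq 1, win 64240, length 0
14:23:45.300000 IP 10.0.1.7.40000 > 10.0.1.9.443: Flags [S], seq 1, win 64240, length 0
14:23:46.000001 IP 10.0.1.5.54323 > 10.0.1.9.443: Flags [S], seq 1, win 64240, length 0
14:23:46.000002 IP 10.0.1.5.54321 > 10.0.1.9.443: Flags [P.], seq 1:53, ack 1, win 502, length 52'

# Top N source IPs by packet count (default 20). Field 3 is "a.b.c.d.port";
# keeping the first four dot-separated fields strips the port.
top_sources() {
    awk '{print $3}' | cut -d. -f1-4 | sort | uniq -c | sort -rn | head -n "${1:-20}"
}

# Keep only packets whose flags are exactly SYN ("[S]"): the text-side
# equivalent of the capture filter 'tcp[tcpflags] == tcp-syn'.
syn_only() {
    awk '$7 == "[S],"'
}

# SYN-only packets per second: the first 8 characters of the timestamp are HH:MM:SS.
syn_per_second() {
    syn_only | awk '{print substr($1,1,8)}' | uniq -c
}

# Highest per-second SYN count seen, for comparing against an alert threshold.
peak_syn_rate() {
    syn_per_second | sort -rn | head -n 1 | awk '{print $1}'
}

# Count each flag combination. Many "[S]" with few "[S.]" suggests a half-open
# backlog; a jump in "[R]" or "[R.]" points at connections being reset.
flag_summary() {
    awk '$6 == "Flags" {print $7}' | tr -d ',' | sort | uniq -c | sort -rn
}

printf '%s\n' "$SAMPLE_CAPTURE" | top_sources 3
printf '%s\n' "$SAMPLE_CAPTURE" | syn_per_second
printf '%s\n' "$SAMPLE_CAPTURE" | flag_summary
```

To use the functions on a live interface, replace the printf with `sudo tcpdump -i eth0 -nn -l 2>/dev/null | syn_per_second`; the 2>/dev/null discards tcpdump's own statistics lines, which would otherwise be counted as packets.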
Capture ICMP (Ping) Issues
# All ICMP traffic
sudo tcpdump -i eth0 -nn icmp
# Specific: ping to a host
sudo tcpdump -i eth0 -nn 'icmp and host 10.0.1.1'
Look for: “unreachable” responses, TTL exceeded, or missing echo replies.
Debug TLS/SSL Handshake
# Capture TLS handshake records: the index expression derives the TCP header length from the data-offset nibble in byte 12 and tests whether the first payload byte is content type 0x16 (Handshake). This matches every handshake message (Client Hello, Server Hello, Certificate, ...), not only Client Hello
sudo tcpdump -i eth0 -nn 'tcp port 443 and (tcp[((tcp[12:1] & 0xf0) >> 2):1] = 0x16)'
# Only Client Hello (first message of the TLS handshake): additionally require handshake type 0x01 five bytes into the record
sudo tcpdump -i eth0 -nn 'tcp port 443 and (tcp[((tcp[12:1] & 0xf0) >> 2):1] = 0x16) and (tcp[((tcp[12:1] & 0xf0) >> 2)+5:1] = 0x01)'
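The byte arithmetic in that filter is easy to get wrong, so here is an added example (not from the original guide) that carries the same computation out in shell on constructed TCP segments: it reads byte 12, derives the payload offset with (byte & 0xf0) >> 2, and classifies the record found there exactly as the capture filter would. The segments are made up for this example (client port 54321 to 443, one minimal 20-byte header, one 32-byte header carrying timestamp options, one application-data record); the function names are this example's own. Note the caveat the filter shares: only the first byte of each segment's payload is inspected, so a record header split across two segments will not match.

```shell
#!/bin/sh
# Added example (not from the original guide): the offset arithmetic behind
#   tcp[((tcp[12:1] & 0xf0) >> 2):1] = 0x16
# applied in shell to a TCP segment given as a lowercase hex string
# (TCP header followed by payload, no IP header).

# Constructed TCP segments (not real captures). Header layout: src port d431
# (54321), dst port 01bb (443), seq, ack, byte 12 = data offset nibble + reserved,
# byte 13 = flags (0x18 = PSH|ACK), window, checksum, urgent pointer.
#
# 20-byte header (data offset 5 -> 0x50), payload = Handshake record, Client Hello (0x01).
SEG_CLIENT_HELLO='d43101bb00000001000000005018faf00000000016030100050100000100'
# 32-byte header (data offset 8 -> 0x80) with NOP, NOP, timestamp options,
# payload = Handshake record, Server Hello (0x02).
SEG_SERVER_HELLO='d43101bb00000001000000008018faf0000000000101080a0000000100000002160303000402000000'
# 20-byte header, payload = Application Data record (content type 0x17).
SEG_APP_DATA='d43101bb00000001000000005018faf0000000001703030002aabb'

# Byte at 0-based offset $2 of hex string $1, printed as a decimal number.
byte_at() {
    pair=$(printf '%s' "$1" | cut -c "$(( $2 * 2 + 1 ))-$(( $2 * 2 + 2 ))")
    echo $(( 0x$pair ))
}

# TCP payload offset in bytes. The high nibble of byte 12 counts 32-bit words;
# (byte & 0xf0) >> 4 words times 4 bytes is the same as (byte & 0xf0) >> 2.
tcp_payload_offset() {
    echo $(( ( $(byte_at "$1" 12) & 0xf0 ) >> 2 ))
}

# Classify the first TLS record in the payload the way the two filters above do:
#   content type 0x16 and handshake type 0x01 -> client-hello
#   content type 0x16, any other handshake type -> handshake
#   anything else (0x17 application data, 0x15 alert, not TLS) -> other
classify_tls() {
    off=$(tcp_payload_offset "$1")
    if [ "$(byte_at "$1" "$off")" -eq 22 ]; then            # 0x16 = Handshake
        if [ "$(byte_at "$1" "$(( off + 5 ))")" -eq 1 ]; then # 0x01 = Client Hello
            echo client-hello
        else
            echo handshake
        fi
    else
        echo other
    fi
}

for seg in "$SEG_CLIENT_HELLO" "$SEG_SERVER_HELLO" "$SEG_APP_DATA"; do
    echo "payload at byte $(tcp_payload_offset "$seg"): $(classify_tls "$seg")"
done
```

The second segment is the reason the filter cannot hard-code offset 20: with options present the payload starts at byte 32, and a fixed offset would read the timestamp option instead of the record header.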
Performance Considerations
Reduce Output Overhead
# Disable DNS resolution (-nn)
# Limit capture length (-s 96) if you only need headers
# Write to file (-w) instead of displaying on screen
sudo tcpdump -i eth0 -nn -s 96 -w /tmp/capture.pcap port 443
Ring Buffer for Long Captures
# Rotate files: 10 files of 50MB each (500MB total ring buffer)
sudo tcpdump -i eth0 -w /tmp/cap.pcap -C 50 -W 10
tcpdump writes /tmp/cap.pcap0 through /tmp/cap.pcap9. When the tenth file fills up, it wraps around and overwrites /tmp/cap.pcap0, creating a circular buffer that keeps the most recent 500MB of traffic.
Timestamping Options
# Absolute Unix epoch timestamps with microseconds (the default, without -t options, is local HH:MM:SS.microseconds)
sudo tcpdump -i eth0 -tt
# Human-readable timestamps
sudo tcpdump -i eth0 -tttt
# Delta from previous packet
sudo tcpdump -i eth0 -ttt
tcpdump Quick Reference
| Option | Description |
|---|---|
| -i eth0 | Capture on specific interface |
| -i any | Capture on all interfaces |
| -c 100 | Stop after 100 packets |
| -n | Don't resolve hostnames |
| -nn | Don't resolve hostnames or ports |
| -v / -vv / -vvv | Increase verbosity |
| -A | Show payload as ASCII |
| -X | Show payload as hex + ASCII |
| -w file.pcap | Write packets to file |
| -r file.pcap | Read packets from file |
| -s 0 | Capture full packets |
| -s 96 | Capture headers only |
| -C 100 | Rotate files every 100MB |
| -W 5 | Keep maximum 5 rotated files |
| -tt | Absolute Unix timestamps |
| -ttt | Delta timestamps |
| -tttt | Human-readable timestamps |
Common Filter Expressions
| Filter | Captures |
|---|---|
| host 10.0.1.5 | Traffic to/from IP |
| src host 10.0.1.5 | Traffic from IP |
| dst host 10.0.1.5 | Traffic to IP |
| port 443 | Traffic on port |
| portrange 8000-9000 | Port range |
| tcp / udp / icmp | Protocol |
| net 10.0.1.0/24 | Subnet |
| not port 22 | Exclude SSH |
| host A and port 80 | Combined |
| port 80 or port 443 | Either port |
Summary
tcpdump is the essential packet capture tool for Linux network troubleshooting:
- Always use -nn to disable DNS resolution for faster and cleaner output
- Apply capture filters to reduce noise: host, port, tcp, not port 22
- Save long captures to pcap files with -w and analyze later with Wireshark
- Use -c to limit capture size and prevent filling the disk
- Combine filters with and, or, not for precise traffic isolation
- Use TCP flag filters to diagnose connection issues (SYN floods, RST problems)
- Ring buffers (-C + -W) enable long-running captures on production servers
- Transfer pcap files to Wireshark for detailed visual protocol analysis
For related topics, see our guides on Configure UFW Firewall on Ubuntu Server and SSH Hardening for Linux Servers.