SoFunction
Updated on 2025-04-11

Linux uses tcpdump for network analysis detailed explanation

Introduction

tcpdump is a command-line packet analyzer that captures and inspects network traffic in real time. It is commonly used for network troubleshooting, performance analysis, and security monitoring.

Install

Debian/Ubuntu

sudo apt update && sudo apt install tcpdump -y

CentOS/RHEL

sudo yum install tcpdump -y

macOS

brew install tcpdump

Basic syntax

tcpdump [options] [filter]

Example usage

Capture packets on the default interface

Capture and display network packets in real time.

sudo tcpdump

List available network interfaces

sudo tcpdump -D

Output example

1. eth0
2. wlan0
3. lo

You can use the interface name in this list to capture packets on a specific interface.

Capture packets on specific interfaces

sudo tcpdump -i eth0

Limit the number of captured packets

Capture only 10 packets and then stop

sudo tcpdump -c 10 -i eth0

Save captured packets to file

sudo tcpdump -i eth0 -w 

Read packets from files

sudo tcpdump -r 

Capture only specific protocols

1. TCP packets only

sudo tcpdump -i eth0 tcp

2. UDP packets only

sudo tcpdump -i eth0 udp

3. ICMP (ping) packets only

sudo tcpdump -i eth0 icmp

Capture packets for specific hosts

Capture traffic from or to 192.168.1.1 (the host filter matches either direction)

sudo tcpdump -i eth0 host 192.168.1.1

Capture packets on specific ports

1. Capture HTTP traffic (port 80)

sudo tcpdump -i eth0 port 80

2. Capture SSH traffic (port 22)

sudo tcpdump -i eth0 port 22

Capture packets from specific sources or targets

1. Capture only packets whose source address is 192.168.1.100

sudo tcpdump -i eth0 src 192.168.1.100

2. Capture only packets whose destination address is 192.168.1.100

sudo tcpdump -i eth0 dst 192.168.1.100

Combining multiple filters

Capture TCP traffic to and from 192.168.1.100 on port 443 (HTTPS)

sudo tcpdump -i eth0 tcp and host 192.168.1.100 and port 443

Display packets in hexadecimal and ASCII formats

sudo tcpdump -X -i eth0

Capture packets without parsing the hostname

The -n option prevents DNS lookups, so addresses are shown numerically and capture performance improves

sudo tcpdump -n -i eth0

Capture complete packets (no truncation)

The -s 0 option sets an unlimited snapshot length, so complete packets are captured instead of being truncated

sudo tcpdump -s 0 -i eth0

Capture only HTTP traffic and display content

The -A option prints packet contents in ASCII, which makes plaintext HTTP requests and responses readable

sudo tcpdump -A -i eth0 port 80
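The text output of the host/port filters and the -n option above can be triaged offline. The following is an added example (not from the original article): a small Python parser for tcpdump -n lines that counts new TCP connection attempts (pure SYN) per source and destination port, which is a quick way to see which host is hammering port 22 or 443 in a capture. SAMPLE_OUTPUT is constructed to look like tcpdump -n output; the function names are my own.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -n` text output (not a real capture).
# Addresses are numeric because -n disables name resolution.
SAMPLE_OUTPUT = """\
12:00:01.000001 IP 192.168.1.100.51000 > 192.168.1.1.443: Flags [S], seq 1, win 64240, length 0
12:00:01.000500 IP 192.168.1.1.443 > 192.168.1.100.51000: Flags [S.], seq 2, ack 2, win 65160, length 0
12:00:01.001000 IP 192.168.1.100.51000 > 192.168.1.1.443: Flags [.], ack 1, win 502, length 0
12:00:02.000000 IP 192.168.1.100.51001 > 192.168.1.1.22: Flags [S], seq 10, win 64240, length 0
12:00:02.500000 IP 192.168.1.100.51002 > 192.168.1.1.22: Flags [S], seq 11, win 64240, length 0
12:00:03.000000 IP 192.168.1.200 > 192.168.1.1: ICMP echo request, id 1, seq 1, length 64
12:00:03.100000 IP 192.168.1.100.5353 > 224.0.0.251.5353: UDP, length 45
"""

# "ts IP src.sport > dst.dport: rest" covers TCP and UDP lines; ICMP lines carry no ports.
_L4 = re.compile(r"^(\S+) IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (.*)$")
_ICMP = re.compile(r"^(\S+) IP (\d+\.\d+\.\d+\.\d+) > (\d+\.\d+\.\d+\.\d+): ICMP (.*)$")
_FLAGS = re.compile(r"Flags \[([^\]]*)\]")  # TCP flag field, e.g. [S], [S.], [P.]


def parse_line(line):
    """Parse one tcpdump -n line into a dict; return None for lines that are not IPv4 TCP/UDP/ICMP."""
    m = _L4.match(line)
    if m:
        ts, src, sport, dst, dport, rest = m.groups()
        flags = _FLAGS.search(rest)           # only TCP lines print a Flags field
        return {"ts": ts, "proto": "tcp" if flags else "udp", "src": src, "sport": int(sport),
                "dst": dst, "dport": int(dport), "flags": flags.group(1) if flags else ""}
    m = _ICMP.match(line)
    if m:
        ts, src, dst, _rest = m.groups()
        return {"ts": ts, "proto": "icmp", "src": src, "sport": None, "dst": dst, "dport": None, "flags": ""}
    return None


def parse_output(text):
    """Parse every line of tcpdump -n output, skipping lines the parser does not recognise."""
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def syn_counts(records):
    """Count new TCP connection attempts (SYN without ACK, i.e. Flags [S]) per (source, destination port)."""
    return Counter((r["src"], r["dport"]) for r in records if r["proto"] == "tcp" and r["flags"] == "S")


if __name__ == "__main__":
    for (src, dport), n in syn_counts(parse_output(SAMPLE_OUTPUT)).most_common():
        print(f"{src} -> port {dport}: {n} SYN")
```

To run it on a real capture, feed it the output of `sudo tcpdump -n -r <file>` (or pipe a live `sudo tcpdump -n -i eth0 tcp` into it).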

This concludes the detailed explanation of network analysis with tcpdump on Linux. For more on tcpdump and Linux network analysis, see my other related articles!