What tcpdump Does
tcpdump uses the libpcap library to place a network interface into promiscuous mode and capture all packets, not just those addressed to the local machine. It then applies a filter expression (if provided) and either prints matching packets to the terminal or writes them to a file. This makes it indispensable for verifying that traffic is actually reaching a host, debugging protocol handshakes, confirming firewall rules, and diagnosing unexpected network behavior.
Because it operates below the application layer, tcpdump sees everything: TCP handshakes, DNS queries, ICMP messages, ARP requests, malformed packets, and retransmissions. Higher-level tools like curl or ping can only show you what they successfully sent or received. tcpdump shows you what actually happened on the wire.
tcpdump requires root privileges to access raw packet data. On Linux, run it with sudo. On macOS it works the same way. On Windows, use Wireshark with WinPcap or Npcap instead.
Basic Capture
The minimum useful invocation specifies an interface with -i and adds -n to suppress DNS lookups (which speeds things up dramatically):
sudo tcpdump -i eth0 -n
To capture on all interfaces simultaneously:
sudo tcpdump -i any -n
Press Ctrl+C to stop. tcpdump prints a summary line at exit showing how many packets were captured, received by the filter, and dropped by the kernel.
BPF Filter Expressions
Without a filter, tcpdump captures everything — which is overwhelming on a busy interface. BPF (Berkeley Packet Filter) expressions narrow the capture to exactly what you need. Filters are appended after all flags.
| Filter | What it captures |
|---|---|
| host 1.2.3.4 | All traffic to or from IP 1.2.3.4 |
| src host 1.2.3.4 | Traffic originating from 1.2.3.4 |
| dst host 1.2.3.4 | Traffic destined for 1.2.3.4 |
| port 80 | TCP or UDP traffic on port 80 (either direction) |
| tcp port 443 | TCP traffic on port 443 only |
| net 192.168.1.0/24 | All traffic to/from the 192.168.1.x subnet |
| tcp | All TCP traffic |
| udp | All UDP traffic |
| icmp | All ICMP traffic (ping, traceroute probes) |
| not port 22 | Everything except SSH (useful to hide your own session) |
Combine filters with and, or, and not. Quote complex expressions in single quotes to prevent the shell from interpreting special characters:
sudo tcpdump -i eth0 -n 'host 8.8.8.8 and port 53'
sudo tcpdump -i eth0 -n 'port 80 or port 443'
sudo tcpdump -i eth0 -n 'not port 22 and not arp'
Reading tcpdump Output
Each line in tcpdump output represents one packet. A typical TCP line looks like:
14:32:01.482310 IP 192.168.1.5.52341 > 93.184.216.34.80: Flags [S], seq 1234567, win 65535, length 0
Reading left to right: timestamp, protocol (IP/IPv6/ARP), source address and port, destination address and port, TCP flags, sequence number, window size, and payload length. The TCP flags in square brackets tell you exactly what kind of packet this is. [S] is a SYN (connection initiation). [S.] is SYN-ACK. [.] is a pure ACK with no data. [P.] is PSH-ACK, meaning data is being pushed. [F.] is FIN-ACK (graceful close). [R] is RST (abrupt reset). A healthy three-way handshake produces exactly three lines: SYN, SYN-ACK, ACK.
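As an added illustration (not code from the original article), the following Python script parses summary lines of the form shown above and applies the flag meanings just described to classify each connection attempt as established, refused (RST from the server or a firewall), or unanswered (SYN retransmitted with no reply). It assumes numeric output as produced with -n and the default timestamp format; the sample lines are constructed, not a real capture.

```python
import re

# Summary-line layout from the text: timestamp, IP/IP6, "src.port > dst.port:", "Flags [..]".
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP6? (?P<src>\S+?)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+?)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]")

def parse_line(line):
    """Fields of one tcpdump TCP summary line, or None for any other line (ARP, ICMP, UDP)."""
    m = LINE_RE.match(line)
    return None if not m else {**m.groupdict(), "sport": int(m["sport"]), "dport": int(m["dport"])}

def handshake_report(lines):
    """Per client->server flow: (status, SYNs seen); more than one SYN means unanswered retransmits."""
    flows = {}
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])  # client -> server
        rev = (p["dst"], p["dport"], p["src"], p["sport"])  # server -> client
        f = p["flags"]
        if f == "S":                                   # [S]: new connection attempt
            flows.setdefault(fwd, {"syn": 0, "synack": 0, "ack": 0, "rst": 0})["syn"] += 1
        elif rev in flows and f == "S.":               # [S.]: server accepting
            flows[rev]["synack"] += 1
        elif rev in flows and f.startswith("R"):       # [R]/[R.]: refused or reset
            flows[rev]["rst"] += 1
        elif fwd in flows and f == "." and flows[fwd]["synack"]:  # [.]: third step of handshake
            flows[fwd]["ack"] += 1
    report = {}
    for key, c in flows.items():
        status = ("established" if c["synack"] and c["ack"]
                  else "refused" if c["rst"] else "no answer")
        report[key] = (status, c["syn"])
    return report

# Constructed sample (not a real capture): one good handshake, one RST, one unanswered SYN.
SAMPLE = """\
14:32:01.482310 IP 192.168.1.5.52341 > 93.184.216.34.80: Flags [S], seq 1234567, win 65535, length 0
14:32:01.501220 IP 93.184.216.34.80 > 192.168.1.5.52341: Flags [S.], seq 7654321, ack 1234568, win 65535, length 0
14:32:01.501290 IP 192.168.1.5.52341 > 93.184.216.34.80: Flags [.], ack 1, win 65535, length 0
14:32:02.000100 IP 192.168.1.5.52342 > 192.168.1.20.22: Flags [S], seq 11111, win 65535, length 0
14:32:02.000400 IP 192.168.1.20.22 > 192.168.1.5.52342: Flags [R.], seq 0, ack 11112, win 0, length 0
14:32:03.000000 IP 192.168.1.5.52343 > 10.0.0.9.443: Flags [S], seq 22222, win 65535, length 0
14:32:04.000000 IP 192.168.1.5.52343 > 10.0.0.9.443: Flags [S], seq 22222, win 65535, length 0
"""
if __name__ == "__main__":
    for (src, sp, dst, dp), (status, syns) in handshake_report(SAMPLE.splitlines()).items():
        print(f"{src}:{sp} -> {dst}:{dp}: {status} ({syns} SYN)")
```

To run it over a saved capture, replace SAMPLE with the lines of tcpdump -n -r /tmp/capture.pcap.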
Saving and Loading Captures
Trying to read a high-speed live capture in the terminal is impractical. The standard workflow is to capture to a file and analyze later — including in Wireshark for graphical protocol dissection:
sudo tcpdump -i eth0 -n -w /tmp/capture.pcap
To read the file back with tcpdump on the command line:
tcpdump -r /tmp/capture.pcap -n
The -c [count] flag stops after capturing a fixed number of packets — useful for capturing a single transaction without filling a disk. The -s [snaplen] flag controls how many bytes of each packet to capture; the default of 262144 captures the full packet, but -s 96 captures only headers, which is sufficient for most diagnosis and produces much smaller files.
Useful Flag Reference
Beyond interface and filter, the most commonly needed flags are: -nn (suppress both hostname and port name resolution — faster than -n alone), -v and -vv (verbose output showing IP TTL, TOS, checksum, and more), -A (print packet payload as ASCII — useful for inspecting plaintext HTTP), and -X (print payload as both hex and ASCII). For remote server captures, always use -w to save to a file rather than scrolling terminal output.
Frequently Asked Questions
Does tcpdump require root privileges?
Yes. Accessing raw network packets requires root or administrator privileges. On Linux, prefix with sudo. On macOS, tcpdump works with sudo as well. On Windows there is no native tcpdump; use Wireshark with Npcap, whose kernel driver provides the raw packet access.
How do I capture only HTTP traffic with tcpdump?
Use sudo tcpdump -i eth0 -n port 80 to capture all traffic on port 80. For HTTPS use port 443. The content of HTTPS traffic is encrypted, so you will see the handshake and packet structure but not the payload. To capture both ports: sudo tcpdump -i eth0 -n 'port 80 or port 443'.
How do I save a tcpdump capture to a file?
Use sudo tcpdump -i eth0 -w capture.pcap. The file is saved in pcap format and can be opened in Wireshark for graphical analysis. To read it back on the command line: tcpdump -r capture.pcap -nn. Saving to a file is far more practical than reading live output for any capture lasting more than a few seconds.
What do the TCP flags in tcpdump output mean?
Flags appear in square brackets after the port numbers. [S] = SYN (new connection). [S.] = SYN-ACK (server accepting). [.] = ACK only. [P.] = PSH-ACK with data. [F.] = FIN-ACK (graceful close). [R] = RST (abrupt reset, often from a firewall or refused connection). A complete handshake is SYN → SYN-ACK → ACK.
What is the difference between tcpdump and Wireshark?
tcpdump is command-line only and ideal for remote servers and headless systems. Wireshark is a GUI application with richer protocol dissection, conversation following, and graphical filtering. The standard workflow is: capture with tcpdump -w on a remote server, copy the pcap to your local machine, and open it in Wireshark for detailed analysis.
How do I capture traffic on all interfaces with tcpdump?
Use sudo tcpdump -i any. This captures on all interfaces simultaneously, useful when you are unsure which interface will carry the traffic. Note that on Linux the "any" pseudo-interface uses a slightly different cooked capture format that may affect how some protocols appear in Wireshark.