Linux for Network Engineers: How to Use tcpdump

December 12, 2018 | Linux

What is tcpdump?

tcpdump is a tool that is used for TCP/IP packet analysis. It was first released in 1988 and has since become a very powerful and commonly used traffic analyzer on Linux, as well as many other operating systems.

tcpdump allows you to sniff all traffic that goes in and out of all interfaces. More importantly, it has the ability to filter the traffic by interface, host, destination or source host, type of traffic, and many other criteria. During troubleshooting, this helps isolate only the packets that are relevant to you to avoid being overwhelmed by a deluge of bits and bytes.

In this post, I will present a list of very common tcpdump options to help you get started. This will give you a good taste of what kind of help you can get out of it, but it’s up to you to dig further down, to the nitty-gritty details.

In most cases, in order to use tcpdump you have to be the root user or run the commands with “sudo”. This is because the packet capturing mechanism requires elevated privileges. So, if you run a tcpdump command and you don’t get any output, you may need to run it as the superuser. In practice, tcpdump will tell you when it lacks the privileges it needs.

Traffic on all interfaces

This command will give you all traffic that goes in and out of all interfaces:

The screen will keep scrolling with packet information until you hit Ctrl+C. Alternatively, you can use the option ‘-c’ to capture a specific number of packets and then exit (e.g. tcpdump -c 10).

Let’s break down the first packet shown above in order to understand what each field represents:

  • 20:59:04.418446 – the timestamp of the packet
  • – the source IP address and port (ssh means port 22)
  • – the destination IP address and port
  • Flags [P.] – the TCP flags set on the segment; P is PSH and a period ‘.’ indicates an ACK
  • seq 3758317981:3758318085 – the TCP segment’s starting and ending sequence numbers
  • ack 507133464 – the TCP segment’s acknowledgement number
  • win 627 – the source host’s advertised TCP window
  • length 104 – the length of the TCP payload in bytes, not including the headers
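The field breakdown above is easier to trust once you can pull those values out mechanically. The following parser is an added example (not code from the original post): it turns tcpdump’s default one-line TCP summary into a structured record, decodes the flag letters, resolves a service name such as ssh back to its port number (tcpdump prints names unless you pass -nn), and checks that the sequence range agrees with the reported payload length. The two sample lines are constructed; the addresses are documentation-range placeholders, and only the timestamp, seq, ack, win and length values of the first line come from the post.

```python
import re
import socket
from dataclasses import dataclass
from typing import Optional, Set, Union

# tcpdump's default one-line TCP summary (no -v). The "options [...]" part
# is optional: it only appears when the segment carries TCP options.
_TCP_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP6? (?P<src>\S+) > (?P<dst>\S+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq_start>\d+)(?::(?P<seq_end>\d+))?)?"
    r"(?:, ack (?P<ack>\d+))?"
    r", win (?P<win>\d+)"
    r"(?:, options \[(?P<options>[^\]]*)\])?"
    r", length (?P<length>\d+)$"
)

# tcpdump's single-letter TCP flag codes; "." stands for ACK.
_FLAG_NAMES = {"S": "SYN", "F": "FIN", "P": "PSH", "R": "RST",
               "U": "URG", "W": "CWR", "E": "ECE", ".": "ACK"}


@dataclass
class TcpSummary:
    timestamp: str
    src_host: str
    src_port: Union[int, str]
    dst_host: str
    dst_port: Union[int, str]
    flags: Set[str]
    seq_start: Optional[int]
    seq_end: Optional[int]
    ack: Optional[int]
    window: int
    options: Optional[str]
    length: int


def _port_number(name: str) -> Union[int, str]:
    """Turn the port token into a number; tcpdump prints service names
    (ssh, http, ...) unless it was started with -nn."""
    if name.isdigit():
        return int(name)
    try:
        return socket.getservbyname(name)  # same /etc/services table tcpdump used
    except OSError:
        return name  # no services table on this box; keep the name as printed


def _split_endpoint(endpoint: str):
    # tcpdump writes "host.port"; rsplit keeps dotted IPv4 and IPv6 hosts intact.
    host, port = endpoint.rsplit(".", 1)
    return host, _port_number(port)


def _opt_int(value: Optional[str]) -> Optional[int]:
    return int(value) if value is not None else None


def parse_tcp_line(line: str) -> Optional[TcpSummary]:
    """Parse one tcpdump TCP summary line; return None for any other line."""
    m = _TCP_LINE.match(line.strip())
    if m is None:
        return None
    src_host, src_port = _split_endpoint(m["src"])
    dst_host, dst_port = _split_endpoint(m["dst"])
    flags = set() if m["flags"] == "none" else {_FLAG_NAMES.get(c, c) for c in m["flags"]}
    return TcpSummary(
        timestamp=m["ts"],
        src_host=src_host, src_port=src_port,
        dst_host=dst_host, dst_port=dst_port,
        flags=flags,
        seq_start=_opt_int(m["seq_start"]), seq_end=_opt_int(m["seq_end"]),
        ack=_opt_int(m["ack"]),
        window=int(m["win"]),
        options=m["options"],
        length=int(m["length"]),
    )


def payload_matches_seq(s: TcpSummary) -> bool:
    """Consistency check: for a data segment, end minus start of the seq range
    must equal the payload length tcpdump reports."""
    if s.seq_start is None or s.seq_end is None:
        return s.length == 0
    return s.seq_end - s.seq_start == s.length


# Constructed sample lines (documentation-range addresses, not from a real capture).
SAMPLE_DATA_LINE = ("20:59:04.418446 IP 192.0.2.10.ssh > 192.0.2.20.51234: Flags [P.], "
                    "seq 3758317981:3758318085, ack 507133464, win 627, length 104")
SAMPLE_SYN_LINE = ("20:59:05.000001 IP 192.0.2.20.51235 > 192.0.2.10.22: Flags [S], "
                   "seq 100, win 64240, options [mss 1460,sackOK,TS val 1 ecr 0,nop,wscale 7], length 0")

if __name__ == "__main__":
    for line in (SAMPLE_DATA_LINE, SAMPLE_SYN_LINE):
        s = parse_tcp_line(line)
        print(s, "payload/seq consistent:", payload_matches_seq(s))
```

Feed it the output of `tcpdump -l` line by line and you get the same fields the post explains, as numbers you can filter or count. Lines that are not TCP summaries (ARP, ICMP, the “listening on” banner) come back as None rather than raising.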

Let’s see how we can use some filters to narrow down the traffic we want to inspect.

Specific interface

It shows all traffic that goes in and out of interface “eth0”.

Specific host

It shows all traffic related to host, all traffic that comes from and all traffic that goes to

Specific port

It shows all traffic related to port 22, all traffic destined to port 22, all traffic sourced from port 22, and all traffic on ports 22-30.

Human readable format

It shows all packets in ASCII format, so you can read the actual payload of the packets when possible.
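The interface, host, port, port-range and -A options above all end up on one tcpdump command line, and the usual mistake is shell quoting that splits the filter expression apart. The helper below is an added example (not the post’s own code): it composes the argv for those criteria, validates port values, passes the BPF filter as a single argument, adds -nn so ports print as numbers, and shows the equivalent command as you would type it. The host addresses in the demo are constructed documentation-range values; run_capture needs the same root privileges the post describes and is not exercised here.

```python
import shlex
import subprocess
from typing import Iterator, List, Optional, Tuple


def _check_port(port: int) -> int:
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def build_tcpdump_argv(
    interface: Optional[str] = None,
    host: Optional[str] = None,
    src_host: Optional[str] = None,
    dst_host: Optional[str] = None,
    port: Optional[int] = None,
    src_port: Optional[int] = None,
    dst_port: Optional[int] = None,
    port_range: Optional[Tuple[int, int]] = None,
    count: Optional[int] = None,
    ascii_payload: bool = False,
    no_resolve: bool = True,
) -> List[str]:
    """Compose a tcpdump command line from the filter criteria in the post.

    Options (-nn, -i, -c, -A) come first; the BPF filter expression is passed
    as one final argument so the shell never splits 'and' out of it."""
    argv = ["tcpdump"]
    if no_resolve:
        argv.append("-nn")  # print numbers instead of host and service names
    if interface:
        argv += ["-i", interface]
    if count is not None:
        if count <= 0:
            raise ValueError("count must be positive")
        argv += ["-c", str(count)]
    if ascii_payload:
        argv.append("-A")

    primitives = []
    for keyword, value in (("host", host), ("src host", src_host), ("dst host", dst_host)):
        if value:
            if any(ch.isspace() for ch in value):
                raise ValueError(f"bad host: {value!r}")
            primitives.append(f"{keyword} {value}")
    for keyword, value in (("port", port), ("src port", src_port), ("dst port", dst_port)):
        if value is not None:
            primitives.append(f"{keyword} {_check_port(value)}")
    if port_range is not None:
        lo, hi = port_range
        if _check_port(lo) > _check_port(hi):
            raise ValueError("port range must be low-high")
        primitives.append(f"portrange {lo}-{hi}")
    if primitives:
        argv.append(" and ".join(primitives))  # BPF primitives combined with 'and'
    return argv


def shell_form(argv: List[str]) -> str:
    """The same command as you would type it, with the filter quoted."""
    return shlex.join(argv)


def run_capture(argv: List[str]) -> Iterator[str]:
    """Run tcpdump (needs root or CAP_NET_RAW) and yield its summary lines.
    -l makes tcpdump line-buffer stdout so lines arrive as packets are seen."""
    proc = subprocess.Popen(argv[:1] + ["-l"] + argv[1:], stdout=subprocess.PIPE, text=True)
    assert proc.stdout is not None
    for line in proc.stdout:
        yield line.rstrip("\n")
    proc.wait()


if __name__ == "__main__":
    for argv in (
        build_tcpdump_argv(interface="eth0"),
        build_tcpdump_argv(host="192.0.2.10"),  # constructed documentation address
        build_tcpdump_argv(port=22, ascii_payload=True),
        build_tcpdump_argv(src_host="192.0.2.10", dst_port=22, count=10),
        build_tcpdump_argv(port_range=(22, 30)),
    ):
        print(shell_form(argv))
```

Keeping the filter as one argument matters once you combine primitives: `tcpdump -nn 'src host 192.0.2.10 and dst port 22'` is what the builder produces, and the quotes are what stop an interactive shell from treating pieces of the expression as separate words.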

Encrypted/Unencrypted traffic

As an example, let’s see how unencrypted HTTP and encrypted HTTPS traffic really look at the packet level with the help of tcpdump. Here are the steps on how to do this:

  1. Log in to a Linux host with two different sessions
  2. On one session run the command “tcpdump port 80 -A”
  3. On the other session run the command “curl”

You will see that part of the output is as follows:

As you can see, the raw output of the unencrypted page can be clearly displayed. Consequently, the content of any unencrypted communication is susceptible to eavesdropping.

Let’s see how the encrypted communication looks. Let’s do the following:

  1. Log in to a Linux host with two different sessions
  2. On one session run the command “tcpdump port 443 -A”
  3. On the other session run the command “curl”

The output is filled with packets that look like this:

This is the illegible encrypted content of the HTTPS communication.
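Why does the port 80 capture read as plain text while the port 443 capture does not? The payload bytes -A renders are an HTTP request line and headers in the first case and a TLS record (a 5-byte header followed by ciphertext) in the second. The classifier below is an added example, not code from the post: it labels a TCP payload as cleartext HTTP or TLS from those shapes and reports what fraction of the bytes -A would show as readable characters. Both sample payloads are constructed; the TLS one uses a fixed run of bytes standing in for ciphertext.

```python
import string

# TLS record header: content type (1 byte), version (2 bytes), length (2 bytes).
_TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
_HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"DELETE ", b"HEAD ",
                 b"OPTIONS ", b"PATCH ", b"CONNECT ", b"TRACE ")
# Bytes -A prints as text; tcpdump renders every other byte as '.'
_PRINTABLE = set(string.printable.encode("ascii"))


def printable_ratio(payload: bytes) -> float:
    """Fraction of payload bytes that -A would render as readable characters."""
    if not payload:
        return 0.0
    return sum(b in _PRINTABLE for b in payload) / len(payload)


def tls_record_header(payload: bytes):
    """Return (content type name, (major, minor), record length) if the payload
    starts with a plausible TLS record header, else None."""
    if len(payload) < 5:
        return None
    ctype, major, minor = payload[0], payload[1], payload[2]
    if ctype not in _TLS_CONTENT_TYPES or major != 3 or minor > 4:
        return None
    length = int.from_bytes(payload[3:5], "big")
    return _TLS_CONTENT_TYPES[ctype], (major, minor), length


def classify_payload(payload: bytes) -> str:
    """Label a TCP payload the way the post's two captures look in -A output."""
    first_line = payload.split(b"\r\n", 1)[0]
    if payload.startswith(_HTTP_METHODS) and b" HTTP/" in first_line:
        return "http-cleartext"  # request line readable in the capture
    if payload.startswith(b"HTTP/"):
        return "http-cleartext"  # response status line readable
    if tls_record_header(payload) is not None:
        return "tls"             # only the record header is structured; the rest is ciphertext
    return "unknown"


# Constructed samples (not from a real capture).
HTTP_REQUEST = (b"GET / HTTP/1.1\r\nHost: example.com\r\n"
                b"User-Agent: curl/7.0\r\nAccept: */*\r\n\r\n")
TLS_APP_DATA = b"\x17\x03\x03\x00\x10" + bytes(range(0x80, 0x90))  # 16 bytes standing in for ciphertext

if __name__ == "__main__":
    for name, payload in (("http", HTTP_REQUEST), ("tls", TLS_APP_DATA)):
        print(name, classify_payload(payload), f"readable={printable_ratio(payload):.0%}")
```

The ratio is the practical takeaway for a capture review: a flow whose payloads are almost entirely printable is one whose content anyone on the path can read, which is exactly what the port 80 capture demonstrates and the port 443 capture does not.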

Inspecting packets is usually a last resort when it comes to troubleshooting because it’s a manual and cumbersome process. Sometimes though, when everything else fails, you need to get to that level of detail to figure out the problem on your network or host. tcpdump gives you the naked truth, but you have to be patient and diligent to pursue it.