Jump to content
  • tcpdump

    Cowboy Denny

    Basic Commands

    Identify Version

    tcpdump --version

    The general syntax for the tcpdump command is as follows:

    tcpdump [options] [expression]
    • The command options allow you to control the behavior of the command.
    • The filter expression defines which packets will be captured.


    Use the -D option to print a list of all available network interfaces that tcpdump can collect packets from:

    sudo tcpdump -D

    For each interface, the command prints the interface name, a short description, and an associated index (number)

    To specify the interface on which you want to capture traffic, invoke the command with the -i option followed by the interface name or the associated index. For example, to capture all packets from all interfaces, you would specify the any interface:

    sudo tcpdump -i any


    By default, tcpdump performs reverse DNS resolution on IP addresses and translates port numbers into names. Use the -n option to disable the translation:

    sudo tcpdump -n


    Instead of displaying the output on the screen, you can redirect it to a file.  Two options and its important you use the correct one depending on how you plan on reading the output.

    OPTION 1: text file

    This is great if you just want what would be displayed on the screen to be captured in a text file.  NOTE: this will more then likely not be readable by any of the software packages designed to analyze captures like the very popular Wireshark

    sudo tcpdump -n -i any > file.out

    You can also watch the data while saving to a file using the tee command:

    sudo tcpdump -n -l | tee file.out

    The -l option in the command above tells tcpdump to make the output line buffered. When this option is not used, the output will not be written on the screen when a new line is generated.

    OPTION 2: binary file

    This is the way you want to go if you plan on sending to someone or even yourself to analyze the capture in a tool such as Wireshark.

    sudo tcpdump -w <filename>


    sudo tcpdump -n -i any -w file.pcap

    or a more intense version of the command

    tcpdump -s0 -nnnvi 0.0:nnnp -vw /var/tmp/appname_$(date +%d_%b_%H_%M_%S)_$HOSTNAME.pcap host


    Capture Filters


    User Feedback

    Recommended Comments

    There are no comments to display.

    Create an account or sign in to comment

    You need to be a member in order to leave a comment

    Create an account

    Sign up for a new account in our community. It's easy!

    Register a new account

    Sign in

    Already have an account? Sign in here.

    Sign In Now


  • Create New...