Introduction
tcpdump is a powerful and versatile command line tool for capturing and analysing network traffic in real time on Linux systems. Its support for detailed capture filters makes it an indispensable ally for system administrators, network engineers and security professionals who need to diagnose problems, monitor activity or investigate incidents.
What is tcpdump?
Originally developed in 1988, tcpdump is built on the libpcap packet capture library. Because it operates at the data link layer, it can intercept packets before they reach the network layer of the operating system, giving a raw, unprocessed view of what passes through the network interface.
Installation
In most modern distributions tcpdump comes pre-installed. If it is not available, it can be installed with the package manager:
- Debian / Ubuntu:
sudo apt-get update && sudo apt-get install tcpdump
- Red Hat / CentOS:
sudo yum install tcpdump
- Fedora:
sudo dnf install tcpdump
- Arch Linux:
sudo pacman -S tcpdump
Basic syntax
The general command format is:
tcpdump [options] [filter expression]
Some of the most commonly used options are:
- -i interface: specifies the network interface (e.g. eth0, wlan0).
- -c count: limits the capture to the given number of packets.
- -w file: writes the captured packets to a file in pcap format.
- -r file: reads a previously saved pcap file.
- -n: disables host name resolution and displays numeric IP addresses.
- -v, -vv, -vvv: increases the level of detail (verbosity).
Common examples
The following practical examples illustrate typical uses of tcpdump:
- Capture all traffic on an interface:
sudo tcpdump -i eth0
- Limit the capture to 100 packets and show numeric addresses:
sudo tcpdump -i eth0 -c 100 -n
- Filter only HTTP traffic (port 80):
sudo tcpdump -i eth0 port 80
- Show SSH (port 22) packets with name resolution disabled:
sudo tcpdump -i eth0 port 22 -n
- Save a capture for later analysis:
sudo tcpdump -i eth0 -w captura.pcap
Advanced filters
The filter expression follows the syntax of the Berkeley Packet Filter (BPF). Some examples of more complex filters:
- tcpdump -i eth0 src host 192.168.1.10: shows packets whose source is IP 192.168.1.10.
- tcpdump -i eth0 dst port 443 and tcp[tcpflags] & tcp-syn != 0: captures packets with the SYN flag set going to port 443 (TLS connection start).
- tcpdump -i eth0 net 10.0.0.0/8: filters all traffic within the private network 10.0.0.0/8.
- tcpdump -i eth0 icmp: shows only ICMP packets (ping, traceroute).
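As an added example (not part of the original article), the following POSIX shell script post-processes the text output that `tcpdump -n` prints for traffic matched by the port 443 SYN filter above. It counts pure SYN segments (flag `[S]`, i.e. without ACK, a narrower condition than the BPF filter) per source address, which is a quick way to triage possible scans or half-open connection floods in a saved capture. The sample lines are constructed, and the function names are the example's own.

```shell
#!/bin/sh
# Constructed sample of `tcpdump -n` text output (numeric addresses).
# Not real captured data.
SAMPLE_LINES='12:00:01.000001 IP 192.168.1.10.51234 > 10.0.0.5.443: Flags [S], seq 1, win 64240, length 0
12:00:01.000002 IP 10.0.0.5.443 > 192.168.1.10.51234: Flags [S.], seq 2, ack 2, win 65160, length 0
12:00:01.000003 IP 192.168.1.10.51234 > 10.0.0.5.443: Flags [.], ack 1, win 502, length 0
12:00:01.000004 IP 192.168.1.20.40000 > 10.0.0.5.443: Flags [S], seq 3, win 64240, length 0
12:00:01.000005 IP 192.168.1.20.40001 > 10.0.0.5.443: Flags [S], seq 4, win 64240, length 0
12:00:01.000006 IP 192.168.1.20.40002 > 10.0.0.5.22: Flags [S], seq 5, win 64240, length 0
12:00:01.000007 IP 192.168.1.10 > 10.0.0.5: ICMP echo request, id 1, seq 1, length 64'

# syn_counts PORT
# Prints "count source-ip" lines, highest count first, for pure SYN
# segments ("Flags [S],") whose destination port is PORT.  In tcpdump
# output the fields are: time, "IP", src.port, ">", dst.port:, "Flags", [flags],
syn_counts() {
    port="$1"
    printf '%s\n' "$SAMPLE_LINES" |
    awk -v port="$port" '
        $2 == "IP" && $5 ~ ("\\." port ":$") && $6 == "Flags" && $7 == "[S]," {
            src = $3
            sub(/\.[0-9]+$/, "", src)   # strip the source port suffix
            n[src]++
        }
        END { for (s in n) print n[s], s }
    ' | sort -rn
}

# syn_sources_over THRESHOLD PORT
# Prints only the source IPs that sent more than THRESHOLD pure SYNs to
# PORT, a simple heuristic for flagging noisy hosts for further review.
syn_sources_over() {
    syn_counts "$2" | awk -v t="$1" '$1 > t { print $2 }'
}
```

To run it against a real capture, replace the `printf` of the sample with `tcpdump -n -r captura.pcap 'dst port 443 and tcp[tcpflags] & tcp-syn != 0'`.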
Saving and reading captures
The pcap files generated by tcpdump can later be analysed with tcpdump itself or with utilities such as Wireshark or tshark:
- Read a file:
tcpdump -r captura.pcap
- Apply filters when reading:
tcpdump -r captura.pcap port 80
- Read only the first 10 packets:
tcpdump -r captura.pcap -c 10
To pipe a live capture into a second tcpdump instance that filters it (the -U option makes the writer flush each packet immediately instead of buffering its output), you can use:
sudo tcpdump -i eth0 -U -w - | tcpdump -r - port 22
Good practices
- Run tcpdump with root privileges (or via sudo), because it needs access to the network interface in promiscuous mode.
- Limit the capture with -c or with a strict filter to avoid filling the disk or overloading the system.
- Use -n to speed up the output when name resolution is not needed.
- Save captures in a directory with enough space and rotate the files regularly.
- Combine tcpdump with analysis tools such as Wireshark for deeper visual inspection.
Conclusion
tcpdump remains one of the most essential tools for any professional working with Linux networks. Its flexibility, filtering power and ability to generate pcap files make it ideal for both rapid diagnosis and detailed forensic analysis. Mastering its syntax and options gives you a clear, real-time view of what happens on the network, which helps with problem detection, performance optimisation and security improvement.