A Look into Tcpdump

Tcpdump is a packet capture tool for the Linux command line. This is by no means a full guide, just a quick overview of some of the main commands.

The command below captures all traffic that involves the host 172.16.1.1, an address in the network 172.16.1.0/24 and UDP port 53 (-s 1500 sets the snapshot length to 1500 bytes). It writes the packets to a capture file for viewing in Wireshark, with double verbosity (-vv).

tcpdump -vvi eth2 -s 1500 -w test.cap host 172.16.1.1 and net 172.16.1.0/24 and udp port 53

This reads the capture file test.cap back:

tcpdump -r test.cap

To view the payload of each packet, use the following flags:

  • -X – Displays the packet contents in both hex and ASCII.
  • -A – Displays just the payload in ASCII.

Tcpdump for Windows can be downloaded here.

Handy tcpdump flags for saving to files

· -w /var/log/blahblah – saves the pcap to the file specified

· -C 50 – limits the size of each file to 50MB

· -W 2 – creates two pcap files (name-of-file0 and name-of-file1) and rotates between them once they fill up, i.e. data is saved to name-of-file0, then, when that is full, to name-of-file1. Once name-of-file1 is full it goes back and overwrites name-of-file0.

· -s 0 – the -s flag specifies the snapshot length, i.e. how many bytes of each packet to capture. 0 forces the full packet.

· nohup <command to run> & – nohup lets a process keep running after the user logs out, and the “&” puts the process in the background. This is useful for long-running captures; make sure you note the process ID so you can terminate it later with “kill <processID>”.

Some examples

tcpdump -s 0 -n -C 50 -w /var/log/ticket-test.pcap -i 0.0 "(host x.x.x.x and tcp port yy) or (host z.z.z.z and tcp port yy)"

· Runs tcpdump (filtering on the hosts/ports) and saves to the file specified (-w) in files of up to 50MB each (-C 50). The capture will NOT be rotated: without -W, each time the 50MB limit is reached tcpdump starts a new numbered file and never overwrites the old ones, so watch the disk space. The full packet is captured (-s 0) and names are not resolved (-n).

nohup tcpdump -w /var/log/ticket-test.pcap -C 50 -W 2 -i 0.0 "(host x.x.x.x and tcp port yy) or (host z.z.z.z and tcp port yy)" &

· Runs tcpdump (filtering again), saving to “/var/log/ticket-test.pcap0” and “/var/log/ticket-test.pcap1”. There are two files because of the -W 2 flag, and the captures overwrite each other once full.

· tcpdump keeps running even after you quit the bash terminal (nohup) and is put into the background after you hit enter (&).

· To kill it, make a note of the process ID printed and then run “kill <id>”. You can also get the process ID from “ps aef | grep tcpdump”; make sure you get the right process ID (not another capture, and not the parent process). Ask a senior colleague if unsure.
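Building on the nohup recipe and the warning about killing the right process ID, here is an added shell example that is not from the original post: it starts the rotating capture with the PID recorded in a file, and on stop it only signals a PID that still belongs to tcpdump. The function names, the pid-file argument and the TCPDUMP override variable are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumed names: the two
# functions, the pid-file argument and the TCPDUMP variable (default "tcpdump").

# Start a rotating capture under nohup and record its PID in PIDFILE.
# Usage: start_capture PIDFILE IFACE OUTFILE SIZE_MB NFILES 'BPF FILTER'
start_capture() {
    pidfile=$1 iface=$2 outfile=$3 size_mb=$4 nfiles=$5 filter=$6
    # -s 0: full packets; -n: no name lookups (keeps the capture host quiet);
    # -C/-W: rotate between NFILES files of SIZE_MB each, as in the post.
    nohup "${TCPDUMP:-tcpdump}" -n -s 0 -i "$iface" -C "$size_mb" -W "$nfiles" \
        -w "$outfile" "$filter" >/dev/null 2>&1 &
    echo $! >"$pidfile"   # nohup execs tcpdump, so $! is tcpdump's own PID
}

# Stop the capture recorded in PIDFILE, but only if that PID still belongs to
# tcpdump: PIDs are reused, so a stale file must never kill an unrelated process.
# Returns 0 on success, 1 if the PID is gone or is not tcpdump, 2 on a bad file.
stop_capture() {
    pidfile=$1
    [ -r "$pidfile" ] || { echo "no pid file: $pidfile" >&2; return 2; }
    read -r pid <"$pidfile"
    case $pid in ''|*[!0-9]*) echo "bad pid in $pidfile" >&2; return 2 ;; esac
    # Process name: /proc on Linux, ps elsewhere (both give the basename only).
    if [ -r "/proc/$pid/comm" ]; then read -r comm <"/proc/$pid/comm"
    else comm=$(ps -o comm= -p "$pid" 2>/dev/null); fi
    want=${TCPDUMP:-tcpdump}; want=${want##*/}
    if [ -z "$comm" ]; then
        echo "pid $pid is not running; removing stale $pidfile" >&2
        rm -f "$pidfile"; return 1
    elif [ "$comm" != "$want" ]; then
        echo "pid $pid is '$comm', not $want; refusing to kill" >&2; return 1
    fi
    kill "$pid" && rm -f "$pidfile"
}
```

Give tcpdump a moment after start_capture before stopping it, since the child is still named nohup until it has exec'd tcpdump.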

Rick Donato
