
tcpdump - Network Packet Capture and Analysis

Capture and analyze network traffic with tcpdump filters, BPF syntax, and practical debugging recipes.

What is tcpdump

tcpdump is a command-line packet sniffer that captures network packets in real-time. It's essential for debugging network issues, monitoring traffic, and analyzing protocols.

Basic Capture

Capture all packets on the default interface (tcpdump needs root, or the CAP_NET_RAW and CAP_NET_ADMIN capabilities, to open a capture socket):

tcpdump

Specific interface (when multiple NICs exist):

# Capture on eth0
tcpdump -i eth0

# All interfaces (Linux "cooked" capture: no promiscuous mode, and the pcap has no Ethernet headers)
tcpdump -i any

# Loopback (localhost)
tcpdump -i lo

Stop capture with Ctrl+C. Example output (captured with -n, so addresses and ports are shown numerically):

21:34:45.123456 IP 192.168.1.100.54321 > 8.8.8.8.53: 12345+ A? example.com. (32)
21:34:45.234567 IP 8.8.8.8.53 > 192.168.1.100.54321: 12345 1/0/0 A 93.184.216.34 (48)

Common Options

Basic Options

# No DNS or port-name resolution (faster, and shows raw IPs and port numbers)
tcpdump -n

# Verbose: TTL, IP id, total length, IP options, checksum verification
tcpdump -v

# More verbose (for example, extra fields from NFS replies, fully decoded SMB)
tcpdump -vv

# Print each packet's payload in ASCII (useful for text protocols such as HTTP)
tcpdump -A

# Print each packet in hex and ASCII
tcpdump -X

# Capture count (stop after N packets)
tcpdump -c 100

# Quiet output (shorter protocol lines)
tcpdump -q

File Operations

# Write to pcap file (analyze later with Wireshark)
tcpdump -w capture.pcap

# Read from file
tcpdump -r capture.pcap

# Write and read with filters
tcpdump -w dns_traffic.pcap -i any udp port 53
tcpdump -r dns_traffic.pcap

# Rotate files (1 file per hour)
tcpdump -w capture_%FT%H.pcap -i any -G 3600

Capture Control

# Snapshot length: -s 0 selects the default, which is 262144 bytes (whole packets)
# on tcpdump 4.0 and later; older releases defaulted to 68 bytes and needed -s 0
tcpdump -s 0

# Limit to the first 100 bytes per packet (less I/O; payload is truncated)
tcpdump -s 100

# Run in background
tcpdump -i eth0 -w background.pcap &

# Timestamp formats
tcpdump -tttt  # Date and time, human-readable
tcpdump -ttt   # Delta since the previous line

Filter Syntax (BPF - Berkeley Packet Filter)

By Host

# All traffic to/from a host
tcpdump host 1.2.3.4

# Traffic from a host
tcpdump src host 1.2.3.4

# Traffic to a host
tcpdump dst host 1.2.3.4

# Exclude a host
tcpdump not host 1.2.3.4

By Port

# Traffic with source or destination port 80
tcpdump port 80

# Specific port direction
tcpdump src port 8080
tcpdump dst port 443

# Multiple ports
tcpdump port 80 or port 443
tcpdump port 80 or 443

By Protocol

# TCP only
tcpdump tcp

# UDP only
tcpdump udp

# ICMP (ping)
tcpdump icmp

# ARP
tcpdump arp

# IPv4 only
tcpdump ip

# IPv6 only
tcpdump ip6

Complex Filters (Boolean)

# AND (both conditions)
tcpdump host 1.2.3.4 and port 443

# OR (either condition)
tcpdump port 80 or port 8080

# NOT (negation)
tcpdump not port 22

# Grouping with parentheses (quote the filter so the shell does not interpret them)
tcpdump '(port 80 or port 443) and host 1.2.3.4'

# Source and destination
tcpdump src host 192.168.1.1 and dst host 8.8.8.8

Network/Subnet Filters

# Specific network
tcpdump net 192.168.0.0/16

# Network direction
tcpdump src net 10.0.0.0/8
tcpdump dst net 172.16.0.0/12

Common Real-World Filters

# Exclude SSH to reduce noise
tcpdump not port 22

# TCP port 80 packets that carry payload (drops bare ACKs): IP total length
# minus IP header length minus TCP header length must be non-zero
tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

# Connection setup and teardown (SYN or FIN set)
tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0'

# TCP resets
tcpdump 'tcp[tcpflags] & tcp-rst != 0'

# SYN flood detection: initial SYNs only (SYN set, ACK clear), so the
# server's SYN-ACK replies are excluded from the count
tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'

Practical Recipes

Monitor DNS Queries

DNS uses UDP port 53:

# All DNS traffic with no DNS resolution
tcpdump -n -A udp port 53

# DNS queries only: udp[10] is the high byte of the DNS flags, and a clear QR bit
# means query ("udp dst port 53" is the simpler approximation). tcp[...] offsets
# never match UDP packets, so the TCP payload-length test does not work here
tcpdump -n 'udp port 53 and (udp[10] & 0x80) = 0'

# Queries to a specific resolver (BPF cannot match on the queried name;
# pipe the output through grep for that)
tcpdump -n 'udp port 53 and dst host 8.8.8.8'

Example output:

21:34:45.123456 IP 192.168.1.100.54321 > 8.8.8.8.53: 12345+ A? example.com. (32)
21:34:45.234567 IP 8.8.8.8.53 > 192.168.1.100.54321: 12345 1/0/0 A 93.184.216.34 (48)
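The output above is easy to post-process. The script below, an added example that is not part of the original page or of tcpdump itself, turns `tcpdump -n udp port 53` text into a per-client query count and a list of distinct names, which is usually the first thing you want when looking for a noisy or suspicious resolver client. The input lines are constructed to match the format shown above.

```sh
#!/bin/sh
# Summarise DNS queries from `tcpdump -n udp port 53` text output.
# Added example for this page, not tcpdump's own tooling. The input lines
# below are constructed to mirror the tcpdump output format shown above.

SAMPLE_DNS='21:34:45.123456 IP 192.168.1.100.54321 > 8.8.8.8.53: 12345+ A? example.com. (32)
21:34:45.234567 IP 8.8.8.8.53 > 192.168.1.100.54321: 12345 1/0/0 A 93.184.216.34 (48)
21:34:46.001122 IP 192.168.1.100.54322 > 8.8.8.8.53: 12346+ AAAA? example.com. (32)
21:34:46.500000 IP 192.168.1.100.54323 > 8.8.8.8.53: 12347+ A? cdn.example.com. (36)
21:34:47.555555 IP 192.168.1.101.40000 > 8.8.8.8.53: 12348+ A? updates.internal.example. (41)
21:34:48.000000 IP 192.168.1.101.40001 > 8.8.8.8.53: 12349+ TXT? 3a6b9c.d4e5f6.exfil.example. (47)'

# Print "client qtype name" for every query line on stdin. A query carries a
# "TYPE?" token (A?, AAAA?, TXT? ...); a response carries "answers/auth/add" instead.
dns_queries() {
    awk '
        {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /[?]$/) {
                    client = $3
                    sub(/\.[0-9]+$/, "", client)   # drop the source port
                    print client, substr($i, 1, length($i) - 1), $(i + 1)
                    break
                }
            }
        }'
}

# Queries per client, busiest first: "count client".
dns_query_counts() {
    dns_queries | awk '{ n[$1]++ } END { for (c in n) print n[c], c }' | sort -rn
}

# Distinct names queried, sorted; long random-looking labels stand out here.
dns_unique_names() {
    dns_queries | awk '{ print $3 }' | LC_ALL=C sort -u
}

# Demo on the constructed sample. For live use pipe tcpdump in with -l so
# output is line-buffered:  tcpdump -l -n udp port 53 | dns_queries
printf '%s\n' "$SAMPLE_DNS" | dns_query_counts
```

The functions only parse IPv4 lines in the default `-n` format; IPv6 addresses and the `-tttt` timestamp layout shift the fields and would need the `$3`/`$5` positions adjusted.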

Capture HTTP POST Data

Monitor web traffic and see request bodies:

# Capture POST requests with ASCII output (-l line-buffers stdout so grep
# sees lines as they arrive instead of after the buffer fills)
tcpdump -l -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -A 20 POST

# Simpler version (all port 80 traffic in ASCII)
tcpdump -l -A -s 0 port 80 | grep -E -A 20 'POST|GET'

# Save to file then analyze
tcpdump -w http.pcap port 80
tcpdump -A -r http.pcap | grep POST

Example output:

POST /api/login HTTP/1.1
Host: example.com
Content-Length: 35

username=admin&password=secret1234
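Output like this is exactly what must not leave the host unredacted. The script below is an added example, not code from the original page: it lists the requests found in `tcpdump -A` output and masks credential fields, cookies and Authorization headers before a capture is shared. The sample text is constructed; note that tcpdump -A prints the IP/TCP header bytes on the same line as the start of the payload, so the request line does not begin at column 0 and a simple `^POST` match would miss it.

```sh
#!/bin/sh
# Pull request lines out of `tcpdump -A` output and redact secrets before the
# capture is shared. Added example, not code from the original page.
# SAMPLE_HTTP is constructed: in real -A output the IP/TCP header bytes
# appear as dots on the same line as the start of the HTTP request line.

SAMPLE_HTTP='21:40:01.000100 IP 192.168.1.100.50000 > 93.184.216.34.80: Flags [P.], seq 1:150, ack 1, win 29200, length 149
E..~..@.@.....d.]..P.....P....POST /api/login HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 35

username=admin&password=secret1234
21:40:01.050000 IP 93.184.216.34.80 > 192.168.1.100.50000: Flags [P.], seq 1:200, ack 150, win 65535, length 199
E..~..@.@.....]..d.P.....P....HTTP/1.1 200 OK
Content-Type: application/json
Set-Cookie: session=abcdef0123456789; HttpOnly

{"ok":true}
21:40:02.000000 IP 192.168.1.100.50001 > 93.184.216.34.80: Flags [P.], seq 1:80, ack 1, win 29200, length 79
E..~..@.@.....d.]..P.....P....GET /index.html HTTP/1.1
Host: example.com
Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.sig
'

# Print "METHOD PATH host" for each request: the request line is located
# anywhere in the line, then paired with the following Host: header.
http_requests() {
    awk '
        { sub(/\r$/, "") }                      # HTTP lines end in CRLF
        match($0, /(GET|POST|PUT|PATCH|DELETE|HEAD|OPTIONS) \/[^ ]* HTTP\/1\.[01]$/) {
            split(substr($0, RSTART, RLENGTH), f, " ")
            method = f[1]; path = f[2]
            next
        }
        method != "" && $1 == "Host:" { print method, path, $2; method = "" }
    '
}

# Mask secret-bearing form fields and whole credential headers. Field names
# are URL-encoded body keys, so usernames stay visible while values of
# password/token-like keys are replaced.
redact_credentials() {
    sed -E \
        -e 's/((password|passwd|pwd|token|api_key|secret)=)[^&[:space:]]*/\1[REDACTED]/g' \
        -e 's/^((Authorization|Cookie|Set-Cookie|X-Api-Key): ).*/\1[REDACTED]/'
}

# Demo on the constructed sample; for a saved capture use
#   tcpdump -A -r http.pcap | redact_credentials > http_redacted.txt
printf '%s\n' "$SAMPLE_HTTP" | http_requests
```

Redaction here works on the text rendering only; the pcap itself still holds the secrets, so share the redacted text, not the pcap.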

Diagnose TCP Handshake Issues

Analyze the three-way handshake (SYN, SYN-ACK, ACK):

# Capture SYN and FIN flags
tcpdump -n 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0'

# Every TCP segment with any flag set, in verbose form
tcpdump -vv -n 'tcp[tcpflags] != 0'

# Handshake packets for one host: SYN and SYN-ACK only (a filter on
# tcp-syn|tcp-ack would also match every ordinary ACK segment)
tcpdump -n 'host 1.2.3.4 and tcp[tcpflags] & tcp-syn != 0'

Output shows S (SYN), S. (SYN-ACK), . (ACK):

21:34:45.123456 IP 192.168.1.100.54321 > 93.184.216.34.443: Flags [S], seq 1000, win 29200
21:34:45.124567 IP 93.184.216.34.443 > 192.168.1.100.54321: Flags [S.], seq 2000, ack 1001, win 65535
21:34:45.125678 IP 192.168.1.100.54321 > 93.184.216.34.443: Flags [.], ack 2001, win 29200
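The failure case is the SYN that never gets its S. back. The script below is an added example, not code from the original page, and serves both this section and the SYN flood filter under Common Real-World Filters: it reads the text output above, reports flows whose SYNs were never answered with a SYN-ACK (a filtered port, a dead host, or a client retrying), and ranks source addresses by how many such half-open flows they opened, which is the SYN flood signature. The sample lines are constructed in the format shown.

```sh
#!/bin/sh
# Find TCP connection attempts that never got a SYN-ACK, from
# `tcpdump -n 'tcp[tcpflags] & tcp-syn != 0'` text output.
# Added example, not from the original page. The sample lines are constructed
# in the format shown above: one completed handshake, one client retrying a
# filtered port three times, and one source spraying SYNs at a web server.

SAMPLE_TCP='21:34:45.123456 IP 192.168.1.100.54321 > 93.184.216.34.443: Flags [S], seq 1000, win 29200, length 0
21:34:45.124567 IP 93.184.216.34.443 > 192.168.1.100.54321: Flags [S.], seq 2000, ack 1001, win 65535, length 0
21:34:45.125678 IP 192.168.1.100.54321 > 93.184.216.34.443: Flags [.], ack 2001, win 29200, length 0
21:34:46.000000 IP 192.168.1.100.54400 > 10.0.0.9.5432: Flags [S], seq 5000, win 29200, length 0
21:34:47.000000 IP 192.168.1.100.54400 > 10.0.0.9.5432: Flags [S], seq 5000, win 29200, length 0
21:34:49.000000 IP 192.168.1.100.54400 > 10.0.0.9.5432: Flags [S], seq 5000, win 29200, length 0
21:34:50.000000 IP 203.0.113.7.1111 > 192.168.1.100.80: Flags [S], seq 1, win 1024, length 0
21:34:50.000100 IP 203.0.113.7.1112 > 192.168.1.100.80: Flags [S], seq 1, win 1024, length 0
21:34:50.000200 IP 203.0.113.7.1113 > 192.168.1.100.80: Flags [S], seq 1, win 1024, length 0
21:34:50.000300 IP 192.168.1.100.80 > 203.0.113.7.1111: Flags [S.], seq 9, ack 2, win 65535, length 0'

# Flows that sent at least one SYN and never saw a SYN-ACK back:
# "syn_count client.port > server.port". Retries of one flow are summed.
# A SYN-ACK line has server in $3 and client in $5, so the key is reversed.
# ECN-marked SYNs print as [SEW]; extend the patterns if you see them.
unanswered_syns() {
    awk '
        /Flags \[S\],/  { dst = $5; sub(/:$/, "", dst); syn[$3 " > " dst]++ }
        /Flags \[S\.\],/ { src = $5; sub(/:$/, "", src); answered[src " > " $3] = 1 }
        END { for (k in syn) if (!(k in answered)) print syn[k], k }
    ' | LC_ALL=C sort
}

# Source addresses ranked by number of distinct unanswered flows; one address
# with many such flows in a short window is what a SYN flood looks like.
syn_flood_sources() {
    unanswered_syns | awk '{ ip = $2; sub(/\.[0-9]+$/, "", ip); n[ip]++ }
                           END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Demo on the constructed sample; for a saved capture use
#   tcpdump -n -r capture.pcap 'tcp[tcpflags] & tcp-syn != 0' | syn_flood_sources
printf '%s\n' "$SAMPLE_TCP" | unanswered_syns
```

The same retry pattern (several SYNs, identical seq, growing gaps) with a RST in reply instead of silence means the port is closed rather than filtered; the RST filter above separates the two cases.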

Monitor MySQL Traffic

Capture local database traffic:

# MySQL on localhost
tcpdump -i lo port 3306

# With packet content
tcpdump -i lo -A port 3306

# From a specific client address (BPF matches packet fields, not processes)
tcpdump -i any 'port 3306 and src host 127.0.0.1'

Capture HTTPS/TLS Handshake

Monitor SSL/TLS connection establishment:

# SYN packets carry no TLS data; the ClientHello is the first payload packet.
# Match TLS record type 0x16 (handshake) with handshake type 0x01 (ClientHello);
# with -A the SNI hostname is readable in the ASCII dump
tcpdump -n -A -s 0 'tcp port 443 and tcp[((tcp[12]&0xf0)>>2)] = 0x16 and tcp[((tcp[12]&0xf0)>>2)+5] = 0x01'

# All HTTPS traffic
tcpdump -n 'port 443'

# More IP/TCP detail; tcpdump has no TLS decoder, so use tshark for
# cipher suites, certificates and other handshake fields
tcpdump -vv 'port 443'

Monitor Specific Application

Capture traffic for a single address, or for the ports a process is using. BPF filters match packet fields, not process IDs, so map the process to its ports first (for example with ss -tnp) and filter on those:

# From single IP
tcpdump -i any src 192.168.1.100

# To single IP
tcpdump -i any dst 10.0.0.5

# Both directions with logging
tcpdump -i any 'host 192.168.1.100 and port 5432' -w postgres_client.pcap

Saving and Analyzing with Wireshark

Capture to File

# Long-running capture
tcpdump -i eth0 -w traffic.pcap -c 100000

# With filter
tcpdump -i eth0 -w https_traffic.pcap 'port 443'

# With rotation: new file every 100 MB (-C counts millions of bytes); tcpdump
# appends a sequence number, giving capture.pcap, capture.pcap1, capture.pcap2, ...
tcpdump -i eth0 -w capture.pcap -C 100

Analyze Locally

  1. Transfer the .pcap file to your workstation:
scp user@server:/tmp/capture.pcap ~/Downloads/
  2. Open in Wireshark:
wireshark ~/Downloads/capture.pcap
  3. Apply display filters in Wireshark's GUI for deeper analysis

Command-Line Analysis

Use tshark (Wireshark's CLI):

# Count packets by protocol
tshark -r capture.pcap -q -z io,phs

# Extract HTTP requests
tshark -r capture.pcap -Y 'http.request' -T fields -e http.request.method -e http.request.uri

# Follow TCP stream 0 as text (-q suppresses the per-packet lines; use raw for hex)
tshark -r capture.pcap -q -z follow,tcp,ascii,0

Performance Tuning

High-Traffic Networks

# Larger kernel capture buffer (value in KiB) so bursts are not dropped
tcpdump -B 102400  # 100 MiB buffer

# Cut per-packet formatting cost on the console
tcpdump -n  # No DNS lookups (otherwise a blocking reverse lookup per new address)
tcpdump -q  # Terse output

# Small snapshot length when only headers are needed
tcpdump -s 96  # Ethernet + IPv4 + TCP headers with room for options

# Drop privileges after the capture socket is open
tcpdump -Z nobody

# Write to file only: with -w nothing is printed per packet, so no redirect is needed
tcpdump -w capture.pcap

At exit tcpdump reports packets captured, received by filter, and dropped by kernel. A non-zero drop count means the buffer (-B), snapshot length (-s) or filter needs tuning before the capture can be trusted.

Long-Running Capture

# Rotate files to avoid filling the disk: a new file every hour (-G) or every
# 500 MB (-C), whichever comes first; strftime escapes in the name need -G
tcpdump -i eth0 -w capture_%Y%m%d_%H%M%S.pcap -G 3600 -C 500

# Ring buffer: with -C, -W limits the number of files and then overwrites the
# oldest (10 x 500 MB here); with -G instead, -W exits after that many files
tcpdump -i eth0 -w capture.pcap -C 500 -W 10

# Background with nohup so the capture survives logout
nohup tcpdump -i eth0 -w traffic.pcap > tcpdump.log 2>&1 &

# Systemd service (distributions do not ship a tcpdump unit; write one under
# /etc/systemd/system with the command line above as ExecStart)
systemctl start tcpdump
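Rotation alone does not bound disk use when -G is used without -W. tcpdump's -z option runs a command with the path of each file it closes, which is the place to compress and prune. The hook below is an added example, not part of tcpdump or the original page; the install path and the PCAP_KEEP default are assumptions, and the test-style demo at the end only runs when a file argument is given, as tcpdump does.

```sh
#!/bin/sh
# Post-rotate hook for:
#   tcpdump -i eth0 -w /var/tmp/pcap/capture_%Y%m%d_%H%M%S.pcap -G 3600 \
#           -z /usr/local/sbin/pcap-postrotate.sh
# Compress the file tcpdump just closed and keep only the newest $KEEP files.
# Added example, not part of tcpdump or the original page. Install path and
# PCAP_KEEP default are assumptions; tcpdump invokes the command as
# "command <path-of-closed-file>" after every rotation.

KEEP="${PCAP_KEEP:-24}"   # with hourly rotation this keeps one day of history

pcap_postrotate() {
    file="$1"
    dir=$(dirname "$file")

    # Compress the closed file in place when gzip is available (file -> file.gz).
    if [ -f "$file" ] && command -v gzip >/dev/null 2>&1; then
        gzip -f "$file"
    fi

    # Names from -w capture_%Y%m%d_%H%M%S.pcap sort chronologically, so a
    # byte-wise sort puts the oldest first; delete everything beyond the newest KEEP.
    for f in "$dir"/capture_*.pcap*; do
        [ -e "$f" ] && printf '%s\n' "$f"
    done | LC_ALL=C sort | awk -v keep="$KEEP" '
        { f[NR] = $0 }
        END { for (i = 1; i <= NR - keep; i++) print f[i] }
    ' | while IFS= read -r old; do
        rm -f -- "$old"
    done
}

# When run by tcpdump (or by hand) with a file argument, process it.
if [ "$#" -ge 1 ]; then
    pcap_postrotate "$1"
fi
```

Give -w an absolute path, since tcpdump passes the name exactly as written, and make the directory writable by the user tcpdump runs as after -Z (the hook inherits those privileges). Compressing only the closed file, never the one currently being written, is what keeps this safe to run every rotation.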

Data Privacy: tcpdump captures full packet content, including credentials, session cookies, API keys, and personal data. Limit the snapshot length (-s) to headers when payload is not needed, restrict filters to the ports under investigation, keep pcap files with tight permissions on production hosts, and sanitize captures before sharing.

Advanced Analysis: For complex protocol analysis, use tshark (CLI Wireshark) for statistics, stream following, and display filters. Tshark reads .pcap files and decodes application protocols that tcpdump does not (TLS handshakes, for example), and its TCP analysis flags retransmissions and computes round-trip times per stream.

Useful Flag Reference

Flag            Purpose
-i eth0         Interface (use -i any for all)
-n              No DNS resolution
-A              Print ASCII content
-x              Print hex content
-X              Print hex and ASCII
-v / -vv        Verbosity
-c 100          Stop after 100 packets
-s 0            Full packet capture
-w file.pcap    Write to file
-r file.pcap    Read from file
-tttt           Human-readable timestamps
