As a Linux system administrator, understanding what happens on your network is crucial. One of the most powerful tools to monitor network traffic directly from the command line is tcpdump. It’s lightweight, pre-installed on many distros, and extremely versatile for capturing and analyzing packets.
In this guide, we’ll walk through what tcpdump is, how to use it, and practical examples tailored for beginner sysadmins.
🔧 What is tcpdump?
tcpdump is a command-line packet analyzer. It allows you to capture and display network packets transmitted over a network interface. It works by using the libpcap library to sniff and filter traffic.
It’s like a real-time log of the conversations your server is having on the network — and you’re invited to listen in.
📦 Installing tcpdump
On most distributions, it’s available via the default package manager:
bashCopyEdit# Debian/Ubuntu
sudo apt install tcpdump
# RHEL/CentOS/AlmaLinux
sudo dnf install tcpdump
# Arch Linux
sudo pacman -S tcpdump
You can verify installation with:
bashCopyEdittcpdump --version
🕵️‍♂️ Basic Usage
To capture packets on your default network interface:
bashCopyEditsudo tcpdump
You’ll see a flood of real-time traffic. Use Ctrl + C to stop capturing.
📡 Capture Traffic on a Specific Interface
To list available interfaces:
bashCopyEdittcpdump -D
To capture on a specific one:
bashCopyEditsudo tcpdump -i eth0
🔍 Filter by Protocol
- Only TCP traffic: bashCopyEdit
sudo tcpdump tcp - Only UDP: bashCopyEdit
sudo tcpdump udp - Only ICMP (ping): bashCopyEdit
sudo tcpdump icmp
🎯 Capture Packets for a Specific IP or Port
- From or to a specific IP: bashCopyEdit
sudo tcpdump host 192.168.1.100 - Only incoming packets to port 80 (HTTP): bashCopyEdit
sudo tcpdump dst port 80 - All traffic involving port 22 (SSH): bashCopyEdit
sudo tcpdump port 22
đź“ť Save Captures to a File
You can save output to a .pcap file for later analysis with tools like Wireshark:
bashCopyEditsudo tcpdump -i eth0 -w capture.pcap
To read the file:
bashCopyEditsudo tcpdump -r capture.pcap
⏱️ Capture a Limited Number of Packets
Use the -c option to avoid overwhelming output:
bashCopyEditsudo tcpdump -c 10
đź“› Human-Readable Output
To make packet contents easier to understand:
bashCopyEditsudo tcpdump -n -v
-n: Don’t resolve hostnames.-v: Verbose output (use-vvor-vvvfor more detail).
đź’ˇ Practical Examples
1. Monitor HTTP traffic to your server:
bashCopyEditsudo tcpdump -i eth0 dst port 80
2. Debug SSH connection issues:
bashCopyEditsudo tcpdump -i eth0 port 22
3. Capture traffic from a specific IP:
bashCopyEditsudo tcpdump -i eth0 host 10.0.0.50
⚠️ Tips & Warnings
- Always run
tcpdumpwithsudoto access network interfaces. - Don’t leave
tcpdumprunning unattended — it can quickly consume disk space. - Be mindful of privacy: you’re capturing raw packet data.
- Consider using
screenortmuxif running remotely.
🧠Final Thoughts
tcpdump is an essential tool in every Linux sysadmin’s toolkit. Whether you’re diagnosing a network issue, checking for suspicious traffic, or just learning how networking works — it’s a great place to start.
As you grow, you can combine tcpdump with tools like awk, grep, or Wireshark to do even deeper analysis.
