Denizhalil

What is TCPDump and Why Use It?

Introduction

In the modern world, a fast and reliable internet connection is a fundamental necessity for the smooth and efficient operation of tasks. However, we may encounter issues with network connections from time to time. The internet connection might be slow, there could be difficulty accessing a particular website, or a network application might not function as expected. An effective way to deal with such situations is by monitoring and analyzing network traffic. This is where tools like TCPDump come into play.

What is TCPDump?

TCPDump is a network packet analyzer available on most UNIX and UNIX-like operating systems. It is a powerful tool for monitoring, analyzing, and diagnosing issues in network traffic. TCPDump captures the packets passing through a network interface and displays their details to the user, making it possible to observe interactions on the network, analyze network traffic, and identify errors.

Useful Options and Filters:

TCPDump offers a range of options and filters to accommodate various network traffic analysis scenarios. Some commonly used options and filters are:

Useful Options:

  • -c <count>: Captures the specified number of packets and then exits.
  • -n: Does not resolve addresses to host names; shows numerical addresses instead.
  • -vv: Produces more verbose output; repeating the flag (-v, -vv, -vvv) increases the level of detail.
  • -A: Prints the contents of each packet in ASCII.
  • -w <file>: Writes the raw captured packets to the specified file instead of printing them.
  • -i <interface>: Selects a specific network interface (e.g., eth0).
  • -s <packet_size>: Captures (snaps) only the first <packet_size> bytes of each packet (default is 68).

Useful Filters:

  • host <ip_address>: Filters traffic to or from a specific IP address.
  • net <ip_address>: Filters traffic to or from a specific IP network (e.g., 192.168.1.0/24).
  • port <port_number>: Filters traffic to or from a specific port.
  • src <ip_address>: Filters traffic from a specific source IP address.
  • dst <ip_address>: Filters traffic to a specific destination IP address.

TCPDump is a powerful command-line packet analyzer commonly used for network troubleshooting and monitoring. Here are 15 different usage examples:

  • Capture Traffic on a Specific Interface:
    $ tcpdump -i eth0
  • Capture Traffic on a Specific Port:
    $ tcpdump port 80
  • Capture Traffic to or from a Specific IP Address:
    $ tcpdump host 192.168.1.100
  • Capture Traffic to or from a Specific Subnet:
    $ tcpdump net 192.168.1.0/24
  • Capture Traffic to a Specific IP Address:
    $ tcpdump dst host 192.168.1.100
  • Capture ICMP Traffic:
    $ tcpdump icmp
  • Capture Traffic to or from a Specific IP Address and Port:
    $ tcpdump host 192.168.1.100 and port 22
  • Capture and Display Packet Contents in ASCII:
    $ tcpdump -A
  • Capture and Save Output to a File:
    $ tcpdump -w output.pcap
  • Read a Saved Capture File:
    $ tcpdump -r input.pcap
  • Display Captured Packets with Full Date and Time Timestamps:
    $ tcpdump -tttt
  • Capture IPv6 Traffic:
    $ tcpdump ip6

Notes

  • Root privileges are required to use TCPDump.
  • Filter expressions can be combined with the logical operators and, or and not to build more specific filters.
  • Excessive data capture by TCPDump may impact performance, so it should be used carefully.
  • Output files can be large, so disk space should be managed carefully.
  • TCPDump can be used in security controls such as vulnerability detection and network intrusion detection.
  • Graphical tools such as Wireshark are often used to open and analyze the capture files written by TCPDump.
  • Proper usage and interpretation of TCPDump are critical in network security and troubleshooting processes.
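To make the filter semantics above concrete (host matching either direction, src/dst restricting it to one end, and the operators and, or and not combining primitives, with not binding tightest and or loosest), here is an added Python example that is not part of the original article or of tcpdump itself: a small evaluator that applies pcap-style filter expressions to constructed sample packets. SAMPLE_PACKETS, primitive, compile_filter and apply_filter are names chosen for this example; it handles only host, net, port, src/dst and the three operators, without parentheses.

```python
import ipaddress

# Constructed sample packets as (src ip, src port, dst ip, dst port); not real traffic.
SAMPLE_PACKETS = [
    ("192.168.1.100", 54321, "10.0.0.5", 22),
    ("10.0.0.5", 22, "192.168.1.100", 54321),
    ("192.168.1.7", 40000, "93.184.216.34", 80),
    ("172.16.0.9", 33000, "192.168.1.100", 443),
]

def primitive(words):
    """Matcher for one primitive: [src|dst] host X, [src|dst] net N, [src|dst] port P."""
    direction, words = (words[0], words[1:]) if words[0] in ("src", "dst") else (None, words)
    # A bare 'src <ip>' / 'dst <ip>' implies 'host', as in the pcap-filter syntax.
    kind, value = words if words[0] in ("host", "net", "port") else ("host", words[0])
    ends = {"src": [0], "dst": [1]}.get(direction, [0, 1])  # 0 = source end, 1 = destination end
    if kind in ("host", "net"):  # a single host is just a /32 (or /128) network
        target = ipaddress.ip_network(value, strict=False)
        return lambda p: any(ipaddress.ip_address(p[2 * e]) in target for e in ends)
    port_no = int(value)
    return lambda p: any(p[2 * e + 1] == port_no for e in ends)

def compile_filter(expression):
    """Parse an expression: 'not' binds tightest, then 'and', then 'or' (no parentheses)."""
    tokens = expression.split()
    def chain(operand, keyword, combine):  # left-associative run of one operator
        node = operand()
        while tokens and tokens[0] == keyword:
            tokens.pop(0)
            node = combine(node, operand())
        return node
    def parse_not():
        if tokens[0] == "not":
            tokens.pop(0)
            inner = parse_not()
            return lambda p: not inner(p)
        words = [tokens.pop(0)]
        while tokens and tokens[0] not in ("and", "or", "not"):
            words.append(tokens.pop(0))
        return primitive(words)
    parse_and = lambda: chain(parse_not, "and", lambda l, r: (lambda p: l(p) and r(p)))
    parse_or = lambda: chain(parse_and, "or", lambda l, r: (lambda p: l(p) or r(p)))
    node = parse_or()
    if tokens:  # e.g. a primitive followed directly by 'not' without an operator in between
        raise ValueError("unexpected trailing tokens: " + " ".join(tokens))
    return node

def apply_filter(expression, packets=SAMPLE_PACKETS):
    match = compile_filter(expression)  # the packets 'tcpdump <expression>' would keep
    return [p for p in packets if match(p)]
```

Note that "host 192.168.1.100" keeps packets where the address is either source or destination, which is why "host X and port 22" selects both directions of an SSH session while "dst 192.168.1.100" keeps only the replies to it.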

Conclusion

TCPDump is a powerful and flexible tool for monitoring and analyzing network traffic. By offering users various options and filters, it accommodates different scenarios. In this article, we explored what TCPDump is, its useful options and filters, as well as example uses. This information serves as an important resource for users in diagnosing and resolving network issues.
