tcpdump is a useful packet analyzer distributed under the BSD license. It is included with most Linux and Unix distros, and it’s available for Windows using the Winpcap library.

As you might imagine, tcpdump is excellent at troubleshooting problematic connections to remote systems where the cause is otherwise unclear. This is particularly useful for getting around, say, database administrators who won’t admit that their database even exists, much less that you can connect to it.

As always, man tcpdump gives you all options, as well as a good overview of network packets. An overview of network and transport layer protocols may also be of value here.

Useful Command Line Switches

Usage is tcpdump -switch

-APrint every packet in ASCII
-c xOnly get x number of packets and then stop
-DShow the list of available capture interfaces; synonymous with –list-interfaces
-eGet the ethernet header as well
-EDecrypt IPSEC traffic by providing an encryption key
-i anyListen on all interfaces just to see if you’re seeing any traffic; synonymous with –interface=any
-i eth0Listen on the eth0 interface
-nDon’t resolve host names
-nnDon’t resolve host names or port numbers
-qPrint less protocol information with your output; usually easier reading
-r fileRead capture data from file into tcpdump
-sDefine the snaplength (size) of the capture in bytes. Use -s 1514 to get everything, unless you are intentionally capturing less
-SPrint absolute sequence numbers
-tOmit the timestamp from each dump line
-v, -vv, -vvvIncrease the amount of packet information you get back
-w fileWrite the raw packets to file rather than printing them out
-XShow the packet’s contents in both hex and ASCII
-XXSame as -X, but also shows the ethernet header


Usage is tcpdump -switch argument

dstOnly capture packets with specified destination
greaterSet minimum packet size
hostSpecify a host, can be IP address or hostname (if not using -n); to specify origin or destination host, just use src or dst. i.e., host captures all traffic to and from, while src captures traffic departing from that address.
icmp/udp/tcpOnly get ICMP or UDP or TCP packets
lessSet maximum packet size
netCapture an entire network
portCapture traffic to or from the specified port; use src port or dst port to specify origin port or destination port
portrangeCapture traffic to or from the specified port range; use src portrange or dst portrange to specify origin or destination
srcOnly capture packets originating from src


Note: ‘and’ and ‘not’ can be abbreviated as ‘&’ and ‘!=’.

Capture all packets arriving at or departing from thiscomp:

$ tcpdump host thiscomp

Capture packets departing from destined for port 5432 (i.e., PostgreSQL):

$ tcpdump src and dst port 5432

Capture TCP packets departing from thiscomp destined for port 1433 on database (i.e., MSSQL):

$ tcpdump tcp and src thiscomp and dst port 1433 and dst database

Capture traffic between thiscomp and either google or microsoft:

$ tcpdump host thiscomp and ( google or microsoft )

Capture traffic departing from network 216.58 to the SSH port, write to file:

$ tcpdump -w capture_file src net and dst port 22

Capture traffic departing from network 216.58 and not to the SSH or MySQL ports:

$ tcpdump src net and not (dst port 22 or 3306)

Capture SYN and FIN packets (start/end packets) departing from network 216.58, not to the SSH or MySQL ports:

$tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and src net and not (dst port 22 or 3306)'


Leave a Reply

Your email address will not be published. Required fields are marked *