tcpdump: A Sysadmin’s Pocket Knife

If Wireshark is the full-featured X-ray machine for your network, then tcpdump is the Swiss Army knife you keep in your pocket. It’s lightweight, command-line based, and perfect when you need to quickly see what’s happening on the wire, especially on servers where a GUI isn’t an option.

In this post, we’ll cover how to install tcpdump, walk through its basic usage, and show some practical examples that can save your day.


Installing tcpdump

tcpdump ships with most Unix-like systems or is one package away. macOS already includes a copy in /usr/sbin; Homebrew only gives you a newer build. To install it:

# Debian-based:
sudo apt update
sudo apt install tcpdump

# RedHat-based:
sudo dnf install tcpdump

# macOS (Homebrew):
brew install tcpdump

tcpdump usage

The simplest form is:

sudo tcpdump

This immediately starts capturing on the default interface (the first non-loopback interface that is up; on Linux, -i any watches all of them) and prints one line per packet in real time. Raw packet capture needs root or the CAP_NET_RAW capability, which is why the sudo is there. Stop it with Ctrl-C: the summary it prints on exit ("packets captured / received by filter / dropped by kernel") tells you whether tcpdump itself was keeping up, which matters before you blame the network for losses. tcpdump's real power comes from specifying what, how much, and how you want to capture.

Common Options

The most common options are listed below. Put options before the filter expression: tcpdump treats everything from the first non-option argument onward as the filter, and `tcpdump port 80 -n` only works on Linux because GNU getopt reorders the arguments; on macOS and the BSDs it does not.

  • -i: Specify the interface (e.g. -i eth0; -i any on Linux for all interfaces).
  • -n: Don't resolve hostnames; show raw IPs. Faster, and it stops tcpdump from issuing its own DNS lookups, which would otherwise appear in your capture.
  • -nn: Don't resolve port or protocol names either; show raw numbers.
  • -c: Stop after a fixed number of packets.
  • -w: Write raw packets to a pcap file for later analysis (e.g. with Wireshark). Bound the file with -c, or rotate with -C (size in MB) or -G (seconds).
  • -r: Read from a saved capture file; the same filters apply.
  • -v, -vv, -vvv: Print more detail per packet (TTL, IP ID, checksum checks, deeper protocol decodes).
  • -A / -X: Print the payload as ASCII / as hex plus ASCII, useful to confirm whether data on the wire is actually encrypted.
  • -tttt: Print a full date and time stamp on each line, which makes saved output easy to correlate with logs.

Filters

tcpdump filters use the BPF capture-filter syntax, the same one Wireshark uses for capture filters (not its display filters). The filter is compiled and applied in the kernel before packets reach tcpdump, so a tight filter also reduces "dropped by kernel" losses on a busy host:

  • tcpdump port 80: Capture TCP or UDP traffic on port 80 (usually HTTP, but the filter only knows the port number, not the protocol).
  • tcpdump host 192.168.1.10: Capture all traffic to/from a host.
  • tcpdump src 10.0.0.5: Capture traffic only from a specific source.
  • tcpdump dst 8.8.8.8: Capture traffic only to a specific destination.
  • tcpdump tcp and port 22: Capture only TCP traffic on port 22 (SSH).

You can chain filters with and, or, and not, and group terms with parentheses. Quote the whole expression so the shell does not interpret parentheses or other special characters. For example:

tcpdump 'tcp and port 443 and host 192.168.1.50'

This captures only TCP traffic on port 443 to or from that single host.

Practical Use Cases

  • Check if traffic is flowing. Quickly see if DNS queries are leaving the server. Use -nn here: without it, tcpdump's own reverse lookups would generate port 53 traffic and pollute the capture:
tcpdump -i eth0 -nn port 53
  • Debug latency or failing connections. The Flags column shows the handshake ([S], [S.], [.]) and resets ([R]); a SYN repeated with the same sequence number is a retransmission and means nobody answered. -v adds TTL, IP ID and checksum checks, -vvv the deepest protocol decode:
tcpdump -i eth0 -nn -vvv tcp port 443
  • Capture for later analysis in Wireshark. Remember that the file holds full payloads, including any cleartext credentials, so store and share it like any other sensitive data:
tcpdump -i eth0 -w capture.pcap
  • Watch only the first few packets of a session:
tcpdump -i eth0 -c 10 port 22
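Because tcpdump's text output is line-oriented, the handshake and reset checks from the list above are easy to script. The following is an added example, not code from the original post: it parses lines in the format produced by `tcpdump -i eth0 -nn -tttt 'tcp port 443'` (piped in or saved with `> tcp443.log`) and reports the SYN to SYN-ACK delay per connection, SYNs that were retransmitted, SYNs answered by a RST, and SYNs that were never answered. It assumes IPv4 only (IPv6 lines start with "IP6" and use a different address form) and the sample lines are constructed here with documentation addresses, not captured traffic.

```python
import re
from collections import defaultdict
from datetime import datetime

# One line of `tcpdump -nn -tttt` output for an IPv4 TCP packet.
# Assumption: IPv4 only; the trailing seq/ack/win/options fields are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)

# Constructed sample output (not a real capture): one healthy handshake,
# one SYN retransmitted twice with no reply, and one SYN refused with a RST.
SAMPLE_LINES = [
    "2024-05-01 12:00:00.000100 IP 192.168.1.50.51234 > 203.0.113.10.443: Flags [S], seq 1000, win 64240, length 0",
    "2024-05-01 12:00:00.030100 IP 203.0.113.10.443 > 192.168.1.50.51234: Flags [S.], seq 5000, ack 1001, win 65160, length 0",
    "2024-05-01 12:00:00.030200 IP 192.168.1.50.51234 > 203.0.113.10.443: Flags [.], ack 1, win 502, length 0",
    "2024-05-01 12:00:01.000000 IP 192.168.1.50.51235 > 203.0.113.20.443: Flags [S], seq 2000, win 64240, length 0",
    "2024-05-01 12:00:02.000000 IP 192.168.1.50.51235 > 203.0.113.20.443: Flags [S], seq 2000, win 64240, length 0",
    "2024-05-01 12:00:04.000000 IP 192.168.1.50.51235 > 203.0.113.20.443: Flags [S], seq 2000, win 64240, length 0",
    "2024-05-01 12:00:05.000000 IP 192.168.1.50.51236 > 203.0.113.30.8443: Flags [S], seq 3000, win 64240, length 0",
    "2024-05-01 12:00:05.000400 IP 203.0.113.30.8443 > 192.168.1.50.51236: Flags [R.], seq 0, ack 3001, win 0, length 0",
]


def parse_line(line):
    """Return timestamp, endpoints and TCP flags for one tcpdump line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
        "flags": m["flags"],
    }


def analyze(lines):
    """Summarise connection health from tcpdump text output lines."""
    syn_first = {}                 # client 4-tuple -> timestamp of the first SYN
    syn_count = defaultdict(int)   # client 4-tuple -> SYNs seen (retransmits add up)
    rtts = {}                      # client 4-tuple -> SYN to SYN-ACK delay in seconds
    refused = set()                # SYN answered by RST: nothing listening, or rejected
    resets = 0
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        reverse = (p["dst"], p["dport"], p["src"], p["sport"])  # the client's view of a reply
        flags = p["flags"]
        if flags == "S":
            syn_count[key] += 1
            syn_first.setdefault(key, p["ts"])
        elif flags == "S." and reverse in syn_first and reverse not in rtts:
            rtts[reverse] = (p["ts"] - syn_first[reverse]).total_seconds()
        elif "R" in flags:
            resets += 1
            if reverse in syn_first and reverse not in rtts:
                refused.add(reverse)
    return {
        "handshake_rtt_s": rtts,
        "syn_retransmits": {k: n - 1 for k, n in syn_count.items() if n > 1},
        "refused": sorted(refused),
        "unanswered_syns": sorted(k for k in syn_first if k not in rtts and k not in refused),
        "resets": resets,
    }


if __name__ == "__main__":
    import sys
    # Read real output from stdin if piped, otherwise use the constructed sample.
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_LINES
    for name, value in analyze(lines).items():
        print(f"{name}: {value}")
```

On a real host you would run `sudo tcpdump -i eth0 -nn -tttt 'tcp port 443' | python3 tcpcheck.py` (the script name is hypothetical); a connection listed under unanswered_syns with retransmits points at a firewall or routing problem, one under refused means the host answered but nothing is listening on that port.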

Why tcpdump Still Matters

Even though Wireshark is more visual, tcpdump remains invaluable because:

  • It runs anywhere, even on headless servers.
  • It’s fast and scriptable.
  • It’s often already installed by default (or, if not, it’s easy to install).
  • It can create captures that you later inspect in Wireshark.
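What -w writes (and -r and Wireshark read) is the classic libpcap file: a 24-byte global header carrying the link type and snapshot length, then one 16-byte record header per packet with its timestamp, captured length and original length. The captured length being smaller than the original length is how you can tell, before opening a file in Wireshark, that a capture was taken with a small -s and the payloads are truncated. The following is an added example, not code from the original post: a minimal writer that mimics -w and -s, and a reader that validates the header and reports truncation. The two frames are constructed padding, not real traffic.

```python
import os
import struct
import tempfile

# Classic libpcap file format, as written by `tcpdump -w` (pcapng is a different format).
MAGIC_USEC = 0xA1B2C3D4          # timestamps in microseconds
MAGIC_NSEC = 0xA1B23C4D          # timestamps in nanoseconds (tcpdump --time-stamp-precision=nano)
LINKTYPE_ETHERNET = 1            # DLT_EN10MB: a capture on an ordinary NIC
DEFAULT_SNAPLEN = 262144         # tcpdump's default -s value

# Constructed sample frames (not real traffic): a broadcast Ethernet header plus padding.
SAMPLE_SMALL_FRAME = bytes.fromhex("ffffffffffff" "000000000001" "0800") + b"\x00" * 46    # 60 bytes
SAMPLE_FULL_FRAME = bytes.fromhex("ffffffffffff" "000000000002" "0800") + b"\x00" * 1500   # 1514 bytes


def write_pcap(path, packets, snaplen=DEFAULT_SNAPLEN, linktype=LINKTYPE_ETHERNET):
    """Write (ts_sec, ts_usec, frame) records, truncating each frame to snaplen like tcpdump -s."""
    with open(path, "wb") as f:
        # magic, version 2.4, thiszone, sigfigs, snaplen, linktype (native = little-endian here)
        f.write(struct.pack("<IHHiIII", MAGIC_USEC, 2, 4, 0, 0, snaplen, linktype))
        for ts_sec, ts_usec, frame in packets:
            captured = frame[:snaplen]
            f.write(struct.pack("<IIII", ts_sec, ts_usec, len(captured), len(frame)))
            f.write(captured)


def read_pcap(path):
    """Parse a classic pcap file; return link type, snaplen and per-packet lengths with a truncation flag."""
    with open(path, "rb") as f:
        hdr = f.read(24)
        if len(hdr) != 24:
            raise ValueError("short pcap global header")
        # The magic number doubles as the byte-order marker: try both orders.
        if struct.unpack("<I", hdr[:4])[0] in (MAGIC_USEC, MAGIC_NSEC):
            endian = "<"
        elif struct.unpack(">I", hdr[:4])[0] in (MAGIC_USEC, MAGIC_NSEC):
            endian = ">"
        else:
            raise ValueError("not a classic pcap file (pcapng or unknown magic)")
        magic, vmaj, vmin, _tz, _sig, snaplen, linktype = struct.unpack(endian + "IHHiIII", hdr)
        frac_div = 1e9 if magic == MAGIC_NSEC else 1e6
        packets = []
        while True:
            rh = f.read(16)
            if not rh:
                break
            if len(rh) != 16:
                raise ValueError("truncated record header (capture cut short?)")
            ts_sec, ts_frac, caplen, origlen = struct.unpack(endian + "IIII", rh)
            data = f.read(caplen)
            if len(data) != caplen:
                raise ValueError("truncated packet data (capture cut short?)")
            packets.append({
                "ts": ts_sec + ts_frac / frac_div,
                "caplen": caplen,
                "len": origlen,
                "truncated": caplen < origlen,   # a small -s snaplen cut this packet
                "data": data,
            })
    return {"version": (vmaj, vmin), "linktype": linktype, "snaplen": snaplen, "packets": packets}


def demo():
    """Write the two constructed frames with snaplen 96, read them back, return the summary."""
    frames = [(1714564800, 100, SAMPLE_SMALL_FRAME), (1714564800, 200, SAMPLE_FULL_FRAME)]
    fd, path = tempfile.mkstemp(suffix=".pcap")
    os.close(fd)
    try:
        write_pcap(path, frames, snaplen=96)
        return read_pcap(path)
    finally:
        os.remove(path)


if __name__ == "__main__":
    summary = demo()
    print("linktype", summary["linktype"], "snaplen", summary["snaplen"])
    for p in summary["packets"]:
        print(f"caplen={p['caplen']} len={p['len']} truncated={p['truncated']}")
```

Point read_pcap at a file produced by `tcpdump -w` to check the same things on a real capture; an unexpected link type (for example a capture taken with -i any on Linux, which uses a cooked header rather than Ethernet) is the other common surprise when a file reaches Wireshark.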

For many sysadmins and DBAs, tcpdump is the first tool you reach for when something feels “off” with the network.

Final Thoughts

tcpdump may look spartan compared to Wireshark, but don't underestimate it. With a few commands you can troubleshoot DNS issues, confirm whether traffic is really encrypted (-A shows you whether the payload is readable), or capture evidence of refused and dropped connections. The key is knowing how to apply the right filters so you don't drown in data, and remembering that a capture file is as sensitive as the traffic it contains.
