tcpdump
Notes for using tcpdump to capture and inspect network traffic on Linux/RHEL systems.
Use this page when troubleshooting connectivity, ports, DNS, HTTP/HTTPS reachability, packet flow, or network problems.
Safety rule
tcpdump can capture sensitive data.
Before running it, check:
1. Am I on the correct server?
2. Is this production or test?
3. What traffic am I allowed to capture?
4. Am I capturing only what I need?
5. Could the capture contain passwords, tokens, cookies, or customer data?
6. Where will I store the capture file?
7. Who is allowed to receive the capture file?
Do not capture more than needed.
Check if tcpdump is installed
tcpdump --version
If not installed:
sudo dnf install tcpdump
Find network interface
Show interfaces
ip a
or:
ip link
Common interface names:
eth0
ens192
ens224
eno1
bond0
Basic capture
Capture on one interface
sudo tcpdump -i INTERFACE
Example:
sudo tcpdump -i eth0
Stop with:
Ctrl + C
Capture without DNS/name resolution
This is usually better for troubleshooting: name lookups slow the output down and generate extra DNS traffic of their own, which then shows up in the capture.
sudo tcpdump -nn -i INTERFACE
Meaning:
-nn = do not resolve hostnames or port names
More verbose output
sudo tcpdump -nn -i INTERFACE -vv
-v, -vv and -vvv add detail (TTL, IP id, checksums, deeper protocol decoding). That helps once the right packets are isolated; on a broad capture it only makes the output longer, not easier to read.
Capture by host
Capture traffic to or from one host
sudo tcpdump -nn -i INTERFACE host HOST_IP
Example:
sudo tcpdump -nn -i eth0 host 192.0.2.10
Capture traffic from source host
sudo tcpdump -nn -i INTERFACE src host HOST_IP
Capture traffic to destination host
sudo tcpdump -nn -i INTERFACE dst host HOST_IP
Capture by port
Capture one port
sudo tcpdump -nn -i INTERFACE port PORT
Example:
sudo tcpdump -nn -i eth0 port 443
Capture source port
sudo tcpdump -nn -i INTERFACE src port PORT
Capture destination port
sudo tcpdump -nn -i INTERFACE dst port PORT
Capture by protocol
ICMP / ping
sudo tcpdump -nn -i INTERFACE icmp
Use this while running:
ping -c 4 HOST
TCP only
sudo tcpdump -nn -i INTERFACE tcp
UDP only
sudo tcpdump -nn -i INTERFACE udp
DNS traffic
DNS uses UDP port 53 and, for large answers and zone transfers, TCP port 53. The filter below matches both.
sudo tcpdump -nn -i INTERFACE port 53
HTTP traffic
sudo tcpdump -nn -i INTERFACE port 80
HTTPS traffic
sudo tcpdump -nn -i INTERFACE port 443
The payload is TLS, so this shows the TCP handshake, the TLS handshake (including the server name in the ClientHello) and the packet flow, but not the HTTP request or response inside.
SSH traffic
sudo tcpdump -nn -i INTERFACE port 22
Combine filters
Host and port
sudo tcpdump -nn -i INTERFACE host HOST_IP and port PORT
Example:
sudo tcpdump -nn -i eth0 host 192.0.2.10 and port 443
Source and destination
sudo tcpdump -nn -i INTERFACE src host SOURCE_IP and dst host DESTINATION_IP
Host and TCP port
sudo tcpdump -nn -i INTERFACE tcp and host HOST_IP and port PORT
Save capture to file
Use .pcap files when the capture needs to be opened in Wireshark.
On RHEL, tcpdump drops root privileges to the tcpdump user before it opens the output file (see -Z in man tcpdump), so the directory must be writable by that user: /tmp works, /root usually gives "Permission denied".
sudo tcpdump -nn -i INTERFACE -w /tmp/capture.pcap
Example:
sudo tcpdump -nn -i eth0 -w /tmp/capture.pcap
Stop with:
Ctrl + C
Save limited number of packets
Capture only 100 packets:
sudo tcpdump -nn -i INTERFACE -c 100 -w /tmp/capture.pcap
Save with host and port filter
sudo tcpdump -nn -i INTERFACE host HOST_IP and port PORT -w /tmp/capture.pcap
Example:
sudo tcpdump -nn -i eth0 host 192.0.2.10 and port 443 -w /tmp/capture.pcap
Read a capture file
tcpdump -nn -r /tmp/capture.pcap
More detail:
tcpdump -nn -r /tmp/capture.pcap -vv
Capture packet size
Older tcpdump releases captured only the first 68 or 96 bytes of each packet; since tcpdump 4.0 the default snapshot length is 262144 bytes, so full packets are normally captured already.
-s 0 (no limit) is still harmless and makes the intent explicit. Capture full packets:
sudo tcpdump -nn -s 0 -i INTERFACE -w /tmp/capture.pcap
Useful full capture example:
sudo tcpdump -nn -s 0 -i eth0 host 192.0.2.10 and port 443 -w /tmp/capture.pcap
Rotate capture files
Useful when the capture has to run for a while.
Example: start a new file every 60 seconds and stop after 5 files (5 minutes in total):
sudo tcpdump -nn -s 0 -i INTERFACE -G 60 -W 5 -w /tmp/capture-%Y%m%d-%H%M%S.pcap
-G rotates on time; the %Y%m%d-%H%M%S in the file name is expanded with strftime so the files do not overwrite each other. Together with -G, -W is the total number of files written before tcpdump exits, not a ring buffer (that is -C with -W). Old files are not deleted, so check free space with df -h first.
Common troubleshooting examples
Check if server receives traffic on port 443
sudo tcpdump -nn -i INTERFACE port 443
Then test from client:
curl -I https://SERVER_NAME
If the client's packets arrive, the network path to the server is at least partly working; if the server's replies also appear, the service answered.
Check if server receives SSH traffic
sudo tcpdump -nn -i INTERFACE port 22
Then try SSH from client:
ssh USERNAME@SERVER_NAME
Check if DNS requests are leaving server
sudo tcpdump -nn -i INTERFACE port 53
Then run:
dig example.com
Check ping traffic
sudo tcpdump -nn -i INTERFACE icmp
Then run:
ping -c 4 HOST
Check traffic between two hosts
sudo tcpdump -nn -i INTERFACE host HOST_A and host HOST_B
TCP flags quick notes
Common TCP flags:
S = SYN
S. = SYN-ACK
. = ACK
F = FIN
R = RST
P = PUSH
Basic TCP handshake:
Client → Server: SYN
Server → Client: SYN-ACK
Client → Server: ACK
If you see repeated SYN without SYN-ACK, the server is not answering or the traffic is dropped somewhere. Captured on the server: if the SYN is visible but no SYN-ACK goes out, the packet arrived and a local firewall rule is most likely dropping it (with nothing listening the kernel would answer with RST instead). Captured on the client: if the SYN is visible but nothing comes back, it is being dropped on the path or at the server.
If you see RST, something is rejecting or closing the connection. A SYN answered with RST means the port was reached but nothing is listening there (or a firewall REJECT rule configured with tcp-reset answered); compare with ss -tulpn on the server. An RST in the middle of a connection means one side tore it down.
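Worked example (added here; not part of the original notes): a small script that turns plain "tcpdump -nn" text output into the conclusions above, so the patterns in these TCP flags notes and in "Check if DNS requests are leaving server" can be checked over a whole capture instead of by eye. It reports every client > server pair as TCP-OK (SYN-ACK seen), TCP-RST (reset seen) or TCP-NO-SYNACK (SYN only), lists which resolver received DNS queries, and flags queries that got no answer or an ICMP port unreachable. The addresses and lines in sample_capture are constructed for the example; the script name summarize.sh is an assumption, and the parser expects plain -nn output without -v or -e.

```shell
#!/bin/sh
# Added example, not part of the original notes: summarise plain "tcpdump -nn" text
# output (no -v/-e) into handshake and DNS outcomes.
#
#   sudo tcpdump -nn -l -i eth0 'tcp or port 53 or icmp' | sh summarize.sh
#   tcpdump -nn -r /tmp/capture.pcap | sh summarize.sh
#
# -l line-buffers tcpdump output so the pipe sees each line as it is printed.

summarize_capture() {
    awk '
    # TCP line:  HH:MM:SS.u IP SRC.PORT > DST.PORT: Flags [S], seq ..., length 0
    #            $3 = source, $5 = destination (trailing colon), $7 = flags
    $2 ~ /^IP6?$/ && $6 == "Flags" {
        src = $3; dst = $5; sub(/:$/, "", dst)
        flags = $7; gsub(/[][,]/, "", flags)
        if (flags == "S")       syn[src " > " dst]++             # client opened
        else if (flags == "S.") synack[dst " > " src]++          # server answered; keyed as client > server
        else if (flags ~ /R/)   { rst[src " > " dst]++; rst[dst " > " src]++ }  # reset from either side
        next
    }
    # ICMP port unreachable from a would-be resolver: nothing is listening on UDP/53 there.
    $6 == "ICMP" && /udp port 53 unreachable/ { dead[$3]++; next }
    # DNS query:  IP CLIENT.PORT > RESOLVER.53: 12345+ [1au] A? example.com. (40)
    #             the field ending in "?" is the query type, the next one the name
    $2 ~ /^IP6?$/ && $5 ~ /\.53:$/ {
        for (i = 7; i <= NF; i++) if ($i ~ /[?]$/) break
        if (i > NF) next
        resolver = $5; sub(/\.53:$/, "", resolver)
        client = $3;   sub(/\.[0-9]+$/, "", client)
        id = $6;       sub(/[^0-9].*$/, "", id)      # drop "+" (recursion desired) and similar marks
        k = id " " resolver
        name[k] = $(i + 1); asker[k] = client
        per_resolver[resolver]++
        next
    }
    # DNS answer:  IP RESOLVER.53 > CLIENT.PORT: 12345 1/0/0 A 192.0.2.44 (56)
    $2 ~ /^IP6?$/ && $3 ~ /\.53$/ && $6 ~ /^[0-9]+[^0-9]*$/ {
        resolver = $3; sub(/\.53$/, "", resolver)
        id = $6;       sub(/[^0-9].*$/, "", id)
        answered[id " " resolver]++
    }
    END {
        for (k in syn) {
            if (k in synack)   printf "TCP-OK %s (SYN x%d)\n", k, syn[k]
            else if (k in rst) printf "TCP-RST %s (SYN x%d, reset: port closed or connection rejected)\n", k, syn[k]
            else               printf "TCP-NO-SYNACK %s (SYN x%d, no reply: dropped or nothing listening)\n", k, syn[k]
        }
        for (r in per_resolver) printf "DNS-RESOLVER %s (%d queries)\n", r, per_resolver[r]
        for (r in dead)         printf "DNS-UNREACHABLE %s (%d ICMP port unreachable)\n", r, dead[r]
        for (k in name) if (!(k in answered))
            printf "DNS-NO-ANSWER %s asked %s for %s\n", asker[k], substr(k, index(k, " ") + 1), name[k]
    }' | sort
}

# Constructed sample output (documentation addresses), covering one good handshake,
# three unanswered SYNs, one SYN answered by RST, one answered DNS query and one
# query sent to a host with no resolver on it.
sample_capture() {
cat <<'EOF'
12:00:01.000100 IP 192.0.2.10.51234 > 198.51.100.5.443: Flags [S], seq 1000, win 64240, options [mss 1460], length 0
12:00:01.000300 IP 198.51.100.5.443 > 192.0.2.10.51234: Flags [S.], seq 2000, ack 1001, win 65160, options [mss 1460], length 0
12:00:01.000400 IP 192.0.2.10.51234 > 198.51.100.5.443: Flags [.], ack 1, win 502, length 0
12:00:02.000000 IP 192.0.2.10.51235 > 198.51.100.5.22: Flags [S], seq 3000, win 64240, options [mss 1460], length 0
12:00:03.000000 IP 192.0.2.10.51235 > 198.51.100.5.22: Flags [S], seq 3000, win 64240, options [mss 1460], length 0
12:00:05.000000 IP 192.0.2.10.51235 > 198.51.100.5.22: Flags [S], seq 3000, win 64240, options [mss 1460], length 0
12:00:06.000000 IP 192.0.2.10.51236 > 198.51.100.5.8080: Flags [S], seq 4000, win 64240, options [mss 1460], length 0
12:00:06.000200 IP 198.51.100.5.8080 > 192.0.2.10.51236: Flags [R.], seq 0, ack 4001, win 0, length 0
12:00:07.000000 IP 10.0.0.5.41234 > 10.0.0.53.53: 12345+ [1au] A? example.com. (40)
12:00:07.000500 IP 10.0.0.53.53 > 10.0.0.5.41234: 12345 1/0/0 A 192.0.2.44 (56)
12:00:08.000000 IP 10.0.0.5.41235 > 10.0.0.99.53: 12346+ [1au] A? example.com. (40)
12:00:08.000300 IP 10.0.0.99 > 10.0.0.5: ICMP 10.0.0.99 udp port 53 unreachable, length 76
12:00:13.000000 IP 10.0.0.5.41235 > 10.0.0.99.53: 12346+ [1au] A? example.com. (40)
EOF
}

# When run as "sh summarize.sh", read tcpdump text from stdin; "--demo" runs the sample.
case "${0##*/}" in
    summarize.sh) if [ "${1:-}" = "--demo" ]; then sample_capture | summarize_capture; else summarize_capture; fi ;;
esac
```

Pipe a live capture in with tcpdump -l so lines are not buffered, or read a saved file back with tcpdump -nn -r. The awk rules only rely on the field positions of -nn output shown in the comments, so adding -v or -e shifts the fields and breaks them.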
First command set for tcpdump troubleshooting
ip a
ip r
ss -tulpn
sudo tcpdump -nn -i INTERFACE host HOST_IP
sudo tcpdump -nn -i INTERFACE port PORT
sudo tcpdump -nn -i INTERFACE host HOST_IP and port PORT
How to choose the interface
Check route to destination:
ip route get DESTINATION_IP
Example:
ip route get 192.0.2.10
The output usually shows which interface is used.
Then capture on that interface:
sudo tcpdump -nn -i INTERFACE host DESTINATION_IP
Dangerous or risky actions
Be careful with:
capturing too much traffic
saving large pcap files
sharing pcap files externally
capturing authentication traffic
capturing customer data
leaving tcpdump running
writing captures to small or shared filesystems: /tmp may be a size-limited tmpfs and a full / breaks the whole host; fine for short, count-limited captures, not for long or rotating ones (check df -h first)
Safe capture workflow
1. Identify the problem.
2. Identify source IP, destination IP, and port.
3. Identify the correct interface.
4. Use a narrow tcpdump filter.
5. Limit packet count or capture time.
6. Save to a safe location if needed.
7. Stop capture.
8. Remove or secure capture file after use.
Example:
ip route get DESTINATION_IP
sudo tcpdump -nn -s 0 -i INTERFACE host DESTINATION_IP and port PORT -c 200 -w /tmp/capture.pcap
tcpdump -nn -r /tmp/capture.pcap
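Worked example (added here; not part of the original notes): the workflow above as a script. It picks the interface from ip route get, validates the host and port before they go into the filter, refuses to start when the target filesystem is low on space (the concern under "Rotate capture files" and "Dangerous or risky actions"), bounds the capture by packet count and wall-clock time, and creates the pcap owner-only. The name safe-capture.sh, the defaults (200 packets, 60 seconds, /tmp, 512 MiB minimum free) and the helper function names are assumptions for illustration, not anything from tcpdump itself.

```shell
#!/bin/sh
# Added example, not part of the original notes: a wrapper that applies the safe
# capture workflow. Defaults and names are assumptions; adjust them for your hosts.
#   sudo sh safe-capture.sh DEST_IP PORT [PACKETS] [SECONDS] [OUTFILE]
set -e

# Interface that "ip route get DEST" chose: the word after "dev". Reads that command's
# output on stdin so the parsing can be checked with constructed input.
route_iface() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Available KiB from "df -Pk DIR" output on stdin (-P keeps each filesystem on one line).
parse_free_kb() {
    awk 'NR == 2 { print $4 }'
}

# Only accept a dotted-quad and a port number: an empty or malformed value would widen
# the filter ("host  and port 443") or make tcpdump fail with a confusing syntax error.
is_ipv4() { printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; }
is_port() { printf '%s\n' "$1" | grep -Eq '^[0-9]{1,5}$' && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; }

safe_capture() {
    dest=$1; port=$2; count=${3:-200}; secs=${4:-60}
    out=${5:-/tmp/capture-$(date +%Y%m%d-%H%M%S).pcap}

    is_ipv4 "$dest" || { echo "bad destination IP: $dest" >&2; return 2; }
    is_port "$port" || { echo "bad port: $port" >&2; return 2; }

    iface=$(ip route get "$dest" 2>/dev/null | route_iface)
    [ -n "$iface" ] || { echo "no route to $dest" >&2; return 3; }

    # A full filesystem does more damage than a missing pcap: refuse below 512 MiB free.
    dir=$(dirname "$out")
    free_kb=$(df -Pk "$dir" | parse_free_kb)
    [ "$free_kb" -gt $((512 * 1024)) ] || { echo "only ${free_kb} KiB free on $dir" >&2; return 4; }

    # -c bounds packets, timeout bounds wall-clock time, so a forgotten capture stops itself.
    # timeout sends SIGTERM (exit status 124); tcpdump flushes and closes the file on it.
    # umask 077 in a subshell: the pcap may hold credentials or customer data, so it is
    # created owner-only without changing the umask of the calling shell.
    echo "capturing up to $count packets / ${secs}s on $iface: host $dest and port $port -> $out" >&2
    ( umask 077; timeout "$secs" tcpdump -nn -s 0 -i "$iface" -c "$count" -w "$out" \
        host "$dest" and port "$port" ) || [ "$?" -eq 124 ]
    echo "$out"
}

# Run the capture only when invoked as the script, so the functions can also be sourced.
case "${0##*/}" in
    safe-capture.sh) safe_capture "$@" ;;
esac
```

Read the result back with tcpdump -nn -r on the printed path, and remove the file when the investigation is done. On RHEL the file ends up owned by the tcpdump user because of the privilege drop; root can still read it.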
Personal notes
Add sanitized examples here.
Examples:
- Traffic reached the server but the service was not listening.
- SYN packets arrived but no SYN-ACK returned.
- DNS queries were sent to the wrong DNS server.
- Firewall blocked the expected port.
- Capture file was too large because filter was too broad.