From Network Security Wiki


  • TCPDump done with "-i any" will result in packets with No Ethernet Headers captured in wireshark.
tcpdump -i eth0
  • TCPDump uses libpcap which processes packets before they get processed by IPTables.
  • Therefore TCPDump will see Incoming Ping packets though they are dropped by IPTables.
  • TCPDump will see inbound traffic before iptables, but will see outbound traffic only after the firewall has processed it.


Source: []

  • General TCPDump command:
sudo tcpdump -s 0 -i ens160 host -v -w /tmp/packet_capture.cap
sudo tcpdump -s 0 -i ens160 host and port 22 -v -w /tmp/packet_capture.cap
sudo tcpdump -s 0 -i ens160 host and port not 22 and port not 80 -v -w /tmp/packet_capture.cap
sudo tcpdump -s 0 -i ens160 host and tcp port not 22 and tcp port not 80 -v -w /tmp/packet_capture.cap

Description Command
Capture packets from a particular interface tcpdump -i eth1
Capture only N number of packets tcpdump -c 200 -i eth0
Display Captured Packets in ASCII tcpdump -A -i eth0
Display Captured Packets in HEX and ASCII tcpdump -XX -i eth0
Capture the packets and write into a file tcpdump -w 08232010.pcap -i eth0
Capture packets with IP address without DNS resolution tcpdump -n -i eth0
Capture packets with proper readable timestamp tcpdump -n -tttt -i eth0
Read packets only longer or smaller than N bytes tcpdump -w capture.pcap greater 1024
tcpdump -w capture.pcap less 1024
Receive only the packets of a specific protocol type tcpdump -i eth0 arp
Receive packets flows on a particular port tcpdump -i eth0 port 22
Capture packets for particular destination IP and Port tcpdump -w xpackets.pcap -i eth0 dst and port 22
Capture TCP communication packets between two hosts tcpdump -w comm.pcap -i eth0 udp and \(host and host\)
Capture all the packets other than arp and rarp
'and' 'or' and 'not' condition are used to filter the packets
tcpdump -i eth0 not arp and not rarp

Reading PCAPs

Header text Header text
Reading pcap file tcpdump -r data.pcap
Viewing all headers tcpdump -e -nn -vv -r data.pcap
Viewing hexadecimal data tcpdump -XX -r data.pcap

TCPDump Parameters


Symbol Words
! not
&& and
|| or


Filter Description
udp dst port not 53 UDP not bound for port 53
host && host Traffic between these hosts
tcp dst port 80 or 8080 Packets to either TCP port

Protocol keywords

arp ether icmp
ip ip6 ppp
rarp tcp udp

TCP Flags

Flag Keywords
tcp-urg tcp-rst
tcp-ack tcp-syn
tcp-psh tcp-fin

Capture Filter Primitives

Filter Description
[src|dst] host <host> Matches a host as the IP source, destination, or either
ether [src|dst] host <ehost> Matches a host as the Ethernet source, destination, or either
gateway host <host> Matches packets which used host as a gateway
[src|dst] net <network>/<len> Matches packets to or from an endpoint residing in network
[tcp|udp] [src|dst] port <port> Matches TCP or UDP packets sent to/from port
[tcp|udp] [src|dst] portrange <p1>-<p2> Matches TCP or UDP packets to/from a port in the given range
less <length> Matches packets less than or equal to length
greater <length> Matches packets greater than or equal to length
(ether|ip|ip6) proto <protocol> Matches an Ethernet, IPv4, or IPv6 protocol
(ether|ip) broadcast Matches Ethernet or IPv4 broadcasts
(ether|ip|ip6) multicast Matches Ethernet, IPv4, or IPv6 multicasts
type (mgt|ctl|data) [subtype <subtype>] Matches 802.11 frames based on type and optional subtype
vlan [<vlan>] Matches 802.1Q frames, optionally with a VLAN ID of vlan
mpls [<label>] Matches MPLS packets, optionally with a label of label
<expr> <relop> <expr> Matches packets by an arbitrary expression

Command Line Options

-A 		Print frame payload in ASCII
-c <count> 	Exit after capturing count packets
-D 		List available interfaces
-e 		Print link-level headers
-F <file> 	Use file as the filter expression
-G <n> 	Rotate the dump file every n seconds
-i <iface> 	Specifies the capture interface
-K 		Don't verify TCP checksums
-L 		List data link types for the interface
-n 		Don't convert addresses to names
-p 		Don't capture in promiscuous mode
-q 		Quick output
-r <file> 	Read packets from file
-s <len> 	Capture up to len bytes per packet
-S 		Print absolute TCP sequence numbers
-t 		Don't print timestamps
-v[v[v]] 	Print more verbose output
-w <file> 	Write captured packets to file
-x 		Print frame payload in hex
-X 		Print frame payload in hex and ASCII
-y <type> 	Specify the data link type

Docker Packet Captures

docker exec -it 428947239426349 tcpdump -N -A 'port 80' -w capture.pcap

Advanced Packet Filtering

  • List interesting traffic from all the PCAP files:
for i in `find . -type f | egrep "All.pcap"`; do echo $i; tcpdump -r $i '((host or host and host and port 445' ; echo -e "\n"; done


{{#widget:DISQUS |id=networkm |uniqid=TCPDump |url= }}