
tcpdump is a command-line packet analyzer, built on libpcap, that ships with or is packaged for Linux, macOS, and the BSDs. Network and security engineers use it to capture and inspect live traffic on an interface, filter packets by host, port, or protocol with BPF expressions, and write captures to .pcap files for analysis in Wireshark. It is one of the most useful tools for troubleshooting connectivity problems, validating firewall rules, confirming that traffic really is encrypted, and diagnosing application-layer problems at the network level. Use the command builder below to generate the exact syntax you need, or browse the reference section for common one-liners.

Quick Reference
// Capture Basics
Capture on interface, no DNS
tcpdump -ni eth0
Capture all interfaces
tcpdump -ni any
List available interfaces
tcpdump -D
Capture N packets then stop
tcpdump -ni eth0 -c 100
// Filtering
Filter by host
tcpdump -ni eth0 host 10.0.0.1
Filter by port
tcpdump -ni eth0 port 443
Source host only
tcpdump -ni eth0 src host 10.0.0.1
Destination port only
tcpdump -ni eth0 dst port 80
Filter by subnet
tcpdump -ni eth0 net 192.168.1.0/24
Host AND port
tcpdump -ni eth0 host 10.0.0.1 and port 443
Exclude SSH port
tcpdump -ni eth0 not port 22
TCP only
tcpdump -ni eth0 tcp
ICMP only (ping)
tcpdump -ni eth0 icmp
// Write & Read pcap
Write full packets to file
tcpdump -ni eth0 -s0 -w capture.pcap
Capture with filter, write to file (options first, filter expression last)
tcpdump -ni eth0 -s0 -w capture.pcap host 10.0.0.1 and port 443
Read from pcap file
tcpdump -r capture.pcap
Read pcap with filter
tcpdump -r capture.pcap host 10.0.0.1
Rotate files every 100 MB (-C counts millions of bytes; files are named capture.pcap, capture.pcap1, ...; add -W N to keep only the last N)
tcpdump -ni eth0 -C 100 -w capture.pcap
// Display & Verbosity
Show hex + ASCII payload
tcpdump -ni eth0 -X port 80
Show MAC addresses
tcpdump -nei eth0
Verbose output
tcpdump -ni eth0 -vv
Unix epoch timestamps (seconds since 1970; use -tttt for date and time)
tcpdump -ni eth0 -tt
Field Notes on tcpdump

tcpdump is built on libpcap, the same packet-capture library Wireshark uses. Capturing needs privileged access to the capture device: on Linux that means root or the cap_net_raw capability (plus cap_net_admin for promiscuous mode); on BSD and macOS it means root or write access to the /dev/bpf* devices (macOS users usually get this through the access_bpf group that Wireshark's ChmodBPF helper sets up). If tcpdump fails with "permission denied" or "You don't have permission to capture on that device", you almost certainly need sudo. On a Linux server where you don't want to run tcpdump as root, you can grant the binary the capabilities with setcap cap_net_raw,cap_net_admin=eip $(which tcpdump), but that lets every local user who can execute the binary sniff the wire, so restrict execute permission on it to a dedicated group. A related gotcha: Debian and Ubuntu builds drop privileges to the unprivileged tcpdump user right after opening the interface (the -Z option), so a -w path that user cannot write, or one outside what the AppArmor profile allows on Ubuntu, fails with a permission error even under sudo. Write to /tmp or a directory the tcpdump user can write, or pass -Z root if you really mean it.

The filter syntax is BPF (Berkeley Packet Filter), the pcap-filter grammar Wireshark uses for its capture filters (not its display filters; see the Wireshark page for the difference). tcpdump compiles the expression to BPF bytecode and hands it to the kernel, so filtering happens before packets ever cross to userspace; only matching packets are copied. That is what makes tcpdump cheap enough to run on a busy production interface, and why a tight filter beats capturing everything and sorting it out later. Two caveats: the kernel can still drop packets if tcpdump falls behind, so read the "packets dropped by kernel" line tcpdump prints at exit and raise the capture buffer with -B if it is non-zero; and a typo in the expression only surfaces when tcpdump starts, so check a filter offline against an existing file with tcpdump -r some.pcap -d 'expression', which prints the compiled BPF program instead of running it.

Common workflow: capture broadly to a file, then analyze offline. tcpdump -ni eth0 -s0 -w capture.pcap writes full-size packets (no truncation) to disk; scp the file off and open it in Wireshark on your laptop. This beats running Wireshark on production gear, which is rarely a good idea: Wireshark's dissectors have a much bigger attack surface than tcpdump's printers (both have had memory-safety bugs triggered by crafted packets), and the GUI fights you on slow links. -w also keeps tcpdump's own decoders out of the picture: without -v it writes the raw frames after filtering and never parses them, which is the safest way to run it against hostile traffic. Remember that the file contains payloads, credentials included; lock down its permissions, move it only over an encrypted channel, and delete it when the investigation is done.

A few flags to keep in muscle memory: -i picks the interface (always specify it: defaults vary across systems, and -i any on Linux uses "cooked" capture with a pseudo link-layer header, so you lose the real Ethernet header, -e shows nothing useful, and VLAN tags may not show up). -n skips name resolution; without it tcpdump fires reverse-DNS queries for every IP, which is slow, leaks the addresses you're investigating to your resolver, and clutters the output (in current versions one -n disables both host and port lookups; -nn is a habit from older releases). -vv for verbose, -c N to stop after N packets. Snap length -s 0 means "capture full packets"; modern tcpdump already defaults to 262144 bytes, but older releases truncated at 68 or 96 bytes, which is why -s0 survives in so many runbooks. A capture made without it on an old box shows up in Wireshark as truncated packets (captured length shorter than length on the wire), and any payload analysis on it is wasted effort.
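The snaplen and truncation points above are easiest to see in the file itself. The following added Python script (written for this page, not code from tcpdump or libpcap) builds a small pcap image the way tcpdump -w would, with constructed Ethernet/IPv4/TCP frames rather than a real capture, parses the global header to recover byte order, snaplen and link type, flags records whose captured length is shorter than the original, and does a minimal header decode to show that a 96-byte snaplen keeps enough for a port filter but drops the payload. The layout it reads (24-byte global header, 16-byte record headers) is the classic libpcap format tcpdump writes by default; pcapng is rejected. All function names and the sample addresses are assumptions for the example.

```python
"""Check a pcap written by `tcpdump -w` for truncation and read it back.
Added example for this page, not code from tcpdump or libpcap. The frames and
the file image are constructed inline; nothing here touches a real interface."""
import struct

PCAP_MAGIC_USEC = 0xA1B2C3D4   # classic pcap, microsecond timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D   # pcap with nanosecond timestamps
LINKTYPE_ETHERNET = 1
DEFAULT_SNAPLEN = 262144       # what modern tcpdump records when you pass -s0


def build_pcap(frames, snaplen, endian="<"):
    """Serialise (timestamp, frame) pairs as a pcap file image, truncating each
    frame to snaplen exactly as tcpdump -s does. Global header is 24 bytes,
    each record header 16 bytes (ts_sec, ts_usec, caplen, origlen)."""
    out = struct.pack(endian + "IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for ts, frame in frames:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        captured = frame[:snaplen]
        out += struct.pack(endian + "IIII", sec, usec, len(captured), len(frame)) + captured
    return out


def parse_pcap(data):
    """Return (snaplen, linktype, records); records are (ts, caplen, origlen, payload).
    Byte order is derived from the magic, so captures from either endianness load."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    for endian in ("<", ">"):
        magic = struct.unpack(endian + "I", data[:4])[0]
        if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            break
    else:
        raise ValueError("bad magic: not classic pcap (pcapng is a different format)")
    nanos = magic == PCAP_MAGIC_NSEC
    _, vmaj, vmin, _tz, _sig, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    if (vmaj, vmin) != (2, 4):
        raise ValueError(f"unexpected pcap version {vmaj}.{vmin}")
    records, off = [], 24
    while off + 16 <= len(data):
        sec, frac, caplen, origlen = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        payload = data[off:off + caplen]
        if len(payload) < caplen:          # file ends mid-record: capture killed or disk full
            raise ValueError(f"record at offset {off - 16} is cut short")
        off += caplen
        records.append((sec + frac / (1e9 if nanos else 1e6), caplen, origlen, payload))
    return snaplen, linktype, records


def truncated_records(records):
    """Indexes of records where the snaplen cut the frame (caplen < origlen)."""
    return [i for i, (_, caplen, origlen, _) in enumerate(records) if caplen < origlen]


def ipv4_tcp_ports(frame):
    """Minimal Ethernet/IPv4/TCP decode: (src, sport, dst, dport) or None.
    Needs only the first 54 bytes, which is why a short snaplen still yields ports."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if len(frame) < 14 + ihl + 4:
        return None
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
    return src, sport, dst, dport


def matches_port(frame, port):
    """Offline equivalent of `tcpdump -r file.pcap port N` for TCP over IPv4."""
    p = ipv4_tcp_ports(frame)
    return p is not None and port in (p[1], p[3])


def make_tcp_frame(src, sport, dst, dport, payload_len):
    """Constructed Ethernet/IPv4/TCP frame with zeroed MACs and checksums (test data only)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + payload_len, 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 65535, 0, 0)
    return eth + ip + tcp + b"A" * payload_len


def demo():
    """Same two frames captured with -s 96 and with -s0; returns what each pcap reveals."""
    frames = [
        (1700000000.25, make_tcp_frame("10.0.0.5", 51234, "10.0.0.1", 443, 1400)),  # 1454-byte TLS record
        (1700000000.5, make_tcp_frame("10.0.0.5", 51235, "10.0.0.9", 22, 0)),       # 54-byte SSH ACK
    ]
    results = {}
    for label, snaplen in (("s96", 96), ("s0", DEFAULT_SNAPLEN)):
        hdr_snaplen, linktype, recs = parse_pcap(build_pcap(frames, snaplen))
        results[label] = {
            "snaplen": hdr_snaplen,
            "linktype": linktype,
            "lens": [(caplen, origlen) for _, caplen, origlen, _ in recs],
            "truncated": truncated_records(recs),
            "port443": sum(1 for r in recs if matches_port(r[3], 443)),  # filter still works when truncated
        }
    return results


if __name__ == "__main__":
    for label, r in demo().items():
        print(label, r)
```

Point it at a real file by replacing the constructed image with open("capture.pcap", "rb").read(); a non-empty truncated_records() result on a production capture means the box ran an old tcpdump without -s0, and the payload analysis has to be redone.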
