
Capturing and Reading Traffic with tcpdump

Using tcpdump to capture, filter, and interpret live network traffic from the command line.

Project Description

As part of a network visibility exercise, I used tcpdump to capture live traffic on my local interface and analyze what was actually moving across the wire. It is easy to assume a network is quiet until you actually look at it. tcpdump makes that looking very straightforward, and very revealing.

This is one of those tools that rewards patience. The output looks dense at first, but once you understand what each field means the picture it builds is remarkably detailed.


Capturing Traffic

To start a basic capture on the primary interface:

```bash
sudo tcpdump -i eth0
```

The -i flag selects the interface. Replace eth0 with the interface name that ip a reports as active on your system (ens3, wlan0, etc.). Without filters this will flood your terminal quickly, so in practice you almost always want to narrow it down.

To capture to a file for later analysis in Wireshark or tshark:

```bash
sudo tcpdump -i eth0 -w capture.pcap
```

Filtering

Filters are where tcpdump becomes genuinely useful. The Berkeley Packet Filter (BPF) syntax lets you get very specific:

```bash
# Only HTTP and HTTPS traffic
sudo tcpdump -i eth0 port 80 or port 443

# Traffic to or from a specific host
sudo tcpdump -i eth0 host 192.168.1.1

# Only TCP SYN packets (connection attempts)
sudo tcpdump -i eth0 'tcp[tcpflags] == tcp-syn'

# DNS queries only
sudo tcpdump -i eth0 udp port 53
```

Combining filters with and, or, and not lets you slice traffic very precisely without capturing everything and sorting through it after the fact.


Reading the Output

A typical line looks like this:

```
12:34:56.789012 IP 192.168.1.42.52318 > 8.8.8.8.53: UDP, length 33
```

Breaking it down:

  • timestamp: time of capture with microsecond precision
  • protocol: IP, ARP, ICMP, etc.
  • source.port > destination.port: direction of the packet (tcpdump joins the address and the port with a dot, as in 192.168.1.42.52318 above)
  • protocol details: TCP flags, UDP, ICMP type, etc.
  • length: payload size in bytes

For TCP specifically, you’ll see flags like [S] (SYN), [S.] (SYN-ACK), [.] (ACK), [P.] (PSH-ACK, data), [F.] (FIN). Watching a full three-way handshake followed by data transfer followed by FIN gives you a real sense of how TCP actually behaves in the wild.
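As an added example (not from the original post), here is a small POSIX shell script that reads tcpdump text output and turns it into the two things a defender usually wants first: a packet count per destination port, and a list of sources that only ever sent bare SYNs without ever completing a handshake from their side. It assumes IPv4 lines in the format produced by tcpdump with -nn (no name resolution); the sample lines embedded in SAMPLE are constructed, not a real capture.

```shell
#!/bin/sh
# Summarise tcpdump -nn output. Real use: tcpdump -nn -r capture.pcap | syn_only_sources
# (awk's END block runs at end of input, so feed it a file or use tcpdump -c N).

# Constructed sample of tcpdump -nn output, not a real capture.
SAMPLE='12:34:56.789012 IP 192.168.1.42.52318 > 8.8.8.8.53: UDP, length 33
12:34:57.100000 IP 192.168.1.42.44120 > 93.184.216.34.443: Flags [S], seq 1, win 64240, length 0
12:34:57.120000 IP 93.184.216.34.443 > 192.168.1.42.44120: Flags [S.], seq 2, ack 2, win 65535, length 0
12:34:57.121000 IP 192.168.1.42.44120 > 93.184.216.34.443: Flags [.], ack 1, win 502, length 0
12:34:58.000000 IP 10.0.0.99.40001 > 192.168.1.42.22: Flags [S], seq 5, win 1024, length 0
12:34:58.001000 IP 10.0.0.99.40002 > 192.168.1.42.23: Flags [S], seq 6, win 1024, length 0
12:34:58.002000 IP 10.0.0.99.40003 > 192.168.1.42.80: Flags [S], seq 7, win 1024, length 0'

# count_by_dst_port: reads tcpdump lines on stdin, prints "port count" per
# destination port, sorted numerically by port. Field 5 is "a.b.c.d.port:",
# so the port is the last dot-separated piece with the trailing colon removed.
count_by_dst_port() {
    awk '$2 == "IP" {
             n = split($5, a, "."); p = a[n]; sub(/:$/, "", p); c[p]++
         }
         END { for (p in c) print p, c[p] }' | sort -n
}

# syn_only_sources: prints "source_ip syn_count" for every source that sent
# SYN-only packets ([S]) but never a plain ACK ([.]). A normal client finishes
# the three-way handshake with [.]; a host that only ever emits SYNs is either
# failing to connect or probing, and either way deserves a look.
syn_only_sources() {
    awk '$2 == "IP" && $6 == "Flags" {
             split($3, a, "."); src = a[1] "." a[2] "." a[3] "." a[4]
             if ($7 == "[S],") syn[src]++
             if ($7 == "[.],") ack[src]++
         }
         END { for (s in syn) if (!(s in ack)) print s, syn[s] }' | sort
}

# Run both summaries over the constructed sample.
printf '%s\n' "$SAMPLE" | count_by_dst_port
printf '%s\n' "$SAMPLE" | syn_only_sources
```

On the sample, the port summary shows two packets to 443 (the SYN and the final ACK of a completed handshake) and the SYN-only report lists 10.0.0.99 with three bare SYNs to ports 22, 23 and 80.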


Security Relevance

Domain 1: Threats and Vulnerabilities. Identifying unusual traffic patterns, unexpected protocols, or connections to suspicious destinations.

Domain 3: Implementation. Understanding how protocols behave at the packet level informs better firewall rules and network segmentation decisions.

Domain 4: Security Operations. tcpdump is a staple in incident response. When something goes wrong, a packet capture is often the first thing a responder reaches for.


Summary

tcpdump is low overhead, ships on virtually every Unix-like system, and requires nothing but a terminal and the right permissions. There is no substitute for actually watching traffic. Theoretical knowledge of how TCP works is useful; watching a handshake, a retransmit, and a RST in real time is something else entirely.

Combined with Wireshark for visual analysis or tshark for scripting, this becomes a very capable packet analysis workflow without spending anything or installing much.

Use Case: Traffic baseline analysis, anomaly detection, protocol debugging, and incident response on any Linux or BSD system.

This post is licensed under CC BY 4.0 by the author.