tcpdump
Network packet capture and analysis - BPF filters, TCP analysis, protocol debugging, 802.1X/RADIUS, Wireshark integration.
tcpdump Basics
# List interfaces
tcpdump -D
tcpdump --list-interfaces
# Basic capture (requires root)
sudo tcpdump -i eth0
sudo tcpdump -i any # All interfaces
# Limit packet count
sudo tcpdump -i eth0 -c 100 # Stop after 100 packets
# Don't resolve hostnames (faster)
sudo tcpdump -i eth0 -n
# Don't resolve hostnames OR ports
sudo tcpdump -i eth0 -nn
# Verbose output
sudo tcpdump -i eth0 -v # Verbose
sudo tcpdump -i eth0 -vv # More verbose
sudo tcpdump -i eth0 -vvv # Maximum verbosity
# Show packet contents (hex + ASCII)
sudo tcpdump -i eth0 -X
sudo tcpdump -i eth0 -XX # Include link-layer header
# Timestamp formats
sudo tcpdump -i eth0 -tttt # Human-readable timestamps
MUSCLE MEMORY: sudo tcpdump -i eth0 -nn is your default starting point.
Capture to File
# Write to pcap file (for Wireshark analysis)
sudo tcpdump -i eth0 -w capture.pcap
# Write with rotation (100MB files, keep 10)
sudo tcpdump -i eth0 -w capture.pcap -C 100 -W 10
# Write with timestamp in filename
sudo tcpdump -i eth0 -w "capture_%Y%m%d_%H%M%S.pcap" -G 3600
# Read from pcap file
tcpdump -r capture.pcap
tcpdump -r capture.pcap -nn
# Filter while reading
tcpdump -r capture.pcap 'port 443'
# Snap length (capture first N bytes per packet)
sudo tcpdump -i eth0 -s 96 -w capture.pcap # Headers only
sudo tcpdump -i eth0 -s 0 -w capture.pcap # Full packets (default)
BEST PRACTICE: Capture with -w, then analyze with -r or Wireshark.
BPF Filters (Berkeley Packet Filter)
# Host filters
sudo tcpdump -i eth0 host 10.50.1.20
sudo tcpdump -i eth0 src host 10.50.1.20
sudo tcpdump -i eth0 dst host 10.50.1.20
# Network filters
sudo tcpdump -i eth0 net 10.50.1.0/24
sudo tcpdump -i eth0 src net 192.168.0.0/16
# Port filters
sudo tcpdump -i eth0 port 443
sudo tcpdump -i eth0 src port 443
sudo tcpdump -i eth0 dst port 443
sudo tcpdump -i eth0 portrange 8000-9000
# Protocol filters
sudo tcpdump -i eth0 tcp
sudo tcpdump -i eth0 udp
sudo tcpdump -i eth0 icmp
sudo tcpdump -i eth0 arp
# Combine with AND/OR/NOT
sudo tcpdump -i eth0 'host 10.50.1.20 and port 443'
sudo tcpdump -i eth0 'port 80 or port 443'
sudo tcpdump -i eth0 'not port 22'
sudo tcpdump -i eth0 'host 10.50.1.20 and not port 22'
# Complex filters (use quotes)
sudo tcpdump -i eth0 '(host 10.50.1.20 or host 10.50.1.21) and port 443'
sudo tcpdump -i eth0 'tcp and (port 80 or port 443) and not host 10.50.1.1'
GOTCHA: Use single quotes around filters to prevent shell interpretation.
TCP Analysis
# TCP flags filter
sudo tcpdump -i eth0 'tcp[tcpflags] & tcp-syn != 0' # SYN
sudo tcpdump -i eth0 'tcp[tcpflags] & tcp-ack != 0' # ACK
sudo tcpdump -i eth0 'tcp[tcpflags] & tcp-fin != 0' # FIN
sudo tcpdump -i eth0 'tcp[tcpflags] & tcp-rst != 0' # RST
sudo tcpdump -i eth0 'tcp[tcpflags] & tcp-push != 0' # PSH
# SYN only (new connections)
sudo tcpdump -i eth0 'tcp[tcpflags] == tcp-syn'
# SYN-ACK (connection accepted)
sudo tcpdump -i eth0 'tcp[tcpflags] == (tcp-syn|tcp-ack)'
# RST packets (connection refused/reset)
sudo tcpdump -i eth0 'tcp[tcpflags] & tcp-rst != 0'
# Find retransmissions (requires analysis)
# Look for duplicate SEQ numbers in output
# TCP handshake: SYN and SYN-ACK (the final ACK carries only the ACK bit, like most data segments, so flags alone cannot single it out)
sudo tcpdump -i eth0 'tcp[tcpflags] & tcp-syn != 0' -c 100
DEBUGGING: RST packets often indicate firewall blocks or service not listening.
Protocol-Specific Filters
# DNS traffic
sudo tcpdump -i eth0 'port 53'
sudo tcpdump -i eth0 'udp port 53' # DNS queries
sudo tcpdump -i eth0 'tcp port 53' # DNS zone transfers
# HTTP/HTTPS
sudo tcpdump -i eth0 'port 80 or port 443'
sudo tcpdump -i eth0 'tcp port 80' -A # Show ASCII (HTTP content)
# DHCP
sudo tcpdump -i eth0 'port 67 or port 68'
sudo tcpdump -i eth0 'udp and (port 67 or port 68)'
# NTP
sudo tcpdump -i eth0 'port 123'
# ICMP (ping)
sudo tcpdump -i eth0 icmp
sudo tcpdump -i eth0 'icmp[icmptype] == icmp-echo' # Echo request
sudo tcpdump -i eth0 'icmp[icmptype] == icmp-echoreply' # Echo reply
# ARP
sudo tcpdump -i eth0 arp
sudo tcpdump -i eth0 'arp[6:2] == 1' # ARP request
sudo tcpdump -i eth0 'arp[6:2] == 2' # ARP reply
# VLAN tagged traffic
sudo tcpdump -i eth0 vlan
sudo tcpdump -i eth0 'vlan and host 10.50.1.20'
802.1X: RADIUS is UDP 1812/1813, EAP over RADIUS requires deeper analysis.
802.1X / RADIUS Debugging
# RADIUS authentication (1812) and accounting (1813)
sudo tcpdump -i eth0 'port 1812 or port 1813'
# EAPoL (EAP over LAN) - Layer 2
sudo tcpdump -i eth0 'ether proto 0x888e'
# RADIUS + verbose to see Access-Request/Accept/Reject
sudo tcpdump -i eth0 -vvv 'port 1812'
# Capture RADIUS for analysis
sudo tcpdump -i eth0 -w radius.pcap 'port 1812 or port 1813'
# Then open in Wireshark with RADIUS dissector
# Find authentication failures
# In Wireshark: radius.code == 3 (Access-Reject)
# Capture on ISE PSN interface
# (Run on ISE via SSH if accessible)
sudo tcpdump -i eth0 'port 1812' -c 50 -nn
# Monitor switch-to-ISE communication
sudo tcpdump -i eth0 'host 10.50.1.20 and (port 1812 or port 1813)'
ISE DEBUGGING: Combine tcpdump with ISE Live Logs for correlation.
TLS/SSL Analysis
# HTTPS traffic
sudo tcpdump -i eth0 'port 443'
# TLS handshake records (content type 0x16: Client Hello, Server Hello, Certificate, ...); SNI extraction requires Wireshark
sudo tcpdump -i eth0 'tcp port 443 and tcp[((tcp[12:1] & 0xf0) >> 2):1] = 0x16'
# Capture for Wireshark TLS analysis
sudo tcpdump -i eth0 -w tls.pcap 'port 443'
# Certificate issues? Look for:
# - TCP RST after Client Hello (cert rejected)
# - Connection close after Server Hello (cipher mismatch)
# LDAPS
sudo tcpdump -i eth0 'port 636'
# IMAPS/SMTPS
sudo tcpdump -i eth0 'port 993 or port 465 or port 587'
DECRYPTION: Need private key or SSLKEYLOGFILE for encrypted content.
Common Troubleshooting Scenarios
# "Connection refused" - Check if SYN gets RST
sudo tcpdump -i eth0 'host TARGET_IP and port TARGET_PORT' -nn
# "Connection timeout" - Check if SYN reaches destination
sudo tcpdump -i eth0 'tcp[tcpflags] == tcp-syn and host TARGET_IP'
# "No route to host" - Check ICMP unreachable
sudo tcpdump -i eth0 'icmp and host TARGET_IP'
# DNS resolution issues
sudo tcpdump -i eth0 'port 53 and host DNS_SERVER'
# MTU/fragmentation issues
sudo tcpdump -i eth0 'ip[6:2] & 0x3fff != 0' # Fragmented packets (MF bit set or non-zero fragment offset; masking with 0x1fff alone would miss the first fragment)
# Duplicate IP detection
sudo tcpdump -i eth0 arp | grep -i "is-at"
# Find who's talking to a host
sudo tcpdump -i eth0 'host 10.50.1.20' -nn | awk '{print $3}' | cut -d. -f1-4 | sort -u
# Bandwidth hog detection
sudo tcpdump -i eth0 -c 10000 -nn 2>/dev/null | awk '{print $3}' | cut -d. -f1-4 | sort | uniq -c | sort -rn | head
METHODOLOGY: Capture on both ends when troubleshooting connectivity.
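Added example (not part of the original cheat sheet): a POSIX shell function that reads tcpdump -nn text and classifies each client SYN as established, refused (the SYN was answered by an RST) or unanswered, which is the SYN/RST reasoning behind the "connection refused" and "connection timeout" scenarios above and the RST note in the TCP Analysis section. The sample lines are constructed, with made-up 10.50.1.x addresses.

```shell
#!/bin/sh
# Constructed sample of `tcpdump -nn` output (not a real capture):
# flow 1 completes the handshake, flow 2 gets an RST, flow 3 retransmits
# its SYN and never hears back.
SAMPLE='12:00:00.000001 IP 10.50.1.20.51234 > 10.50.1.30.443: Flags [S], seq 1000, win 64240, length 0
12:00:00.000500 IP 10.50.1.30.443 > 10.50.1.20.51234: Flags [S.], seq 2000, ack 1001, win 65160, length 0
12:00:00.000700 IP 10.50.1.20.51234 > 10.50.1.30.443: Flags [.], ack 1, win 502, length 0
12:00:01.000000 IP 10.50.1.20.51235 > 10.50.1.30.8080: Flags [S], seq 3000, win 64240, length 0
12:00:01.000300 IP 10.50.1.30.8080 > 10.50.1.20.51235: Flags [R.], seq 0, ack 3001, win 0, length 0
12:00:02.000000 IP 10.50.1.20.51236 > 10.50.1.40.22: Flags [S], seq 4000, win 64240, length 0
12:00:03.000000 IP 10.50.1.20.51236 > 10.50.1.40.22: Flags [S], seq 4000, win 64240, length 0'

# classify_handshakes: reads tcpdump -nn text on stdin and prints one line
# per client SYN, "<client> <server> <outcome>", where outcome is
#   ESTABLISHED  SYN answered by SYN-ACK
#   REFUSED      SYN answered by RST (nothing listening, or a rejecting firewall)
#   NO-REPLY     SYN never answered (dropped by a filter, or no route)
# Fields in -nn output: $3 = src "ip.port", $5 = dst "ip.port:", $7 = "[flags],".
classify_handshakes() {
    awk '
    $6 == "Flags" {
        src = $3; dst = $5; sub(/:$/, "", dst)
        flags = $7; sub(/,$/, "", flags)
        fwd = src " " dst        # client -> server, as keyed by the SYN
        rev = dst " " src        # server -> client, for replies
        if (flags == "[S]") {
            if (!(fwd in out)) out[fwd] = "NO-REPLY"   # retransmits keep the entry
        } else if (flags == "[S.]" && (rev in out)) {
            out[rev] = "ESTABLISHED"
        } else if (flags ~ /^\[R/ && (rev in out) && out[rev] == "NO-REPLY") {
            out[rev] = "REFUSED"
        }
    }
    END { for (k in out) print k, out[k] }' | sort
}

printf '%s\n' "$SAMPLE" | classify_handshakes
```

On a live box, feed it with `sudo tcpdump -i eth0 -nn 'tcp[tcpflags] & (tcp-syn|tcp-rst) != 0' | classify_handshakes` so only the packets it needs are read.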
Power One-Liners
# Top talkers by IP
sudo tcpdump -i eth0 -c 1000 -nn 2>/dev/null | \
awk '{print $3}' | cut -d. -f1-4 | sort | uniq -c | sort -rn | head -10
# HTTP requests (GET/POST lines)
sudo tcpdump -i eth0 -A -s0 'port 80' 2>/dev/null | \
grep -E '^(GET|POST|PUT|DELETE|HEAD)'
# Extract hostnames from DNS queries
sudo tcpdump -i eth0 -nn 'port 53' 2>/dev/null | \
grep -oE '[A-Za-z0-9.-]+\.(com|org|net|io|dev)' | sort -u
# Monitor specific MAC address
sudo tcpdump -i eth0 'ether host 14:f6:d8:7b:31:80'
# Capture only packet headers (small files)
sudo tcpdump -i eth0 -s 68 -w headers.pcap
# Live packet count by destination port (tcpdump -nn writes the destination as ip.port: so take the last dotted field; cutting on ":" yields nothing)
sudo tcpdump -i eth0 -nn 2>/dev/null | \
awk '{for(i=1;i<=NF;i++) if($i ~ /\.[0-9]+:$/) print $i}' | \
sed 's/:$//' | awk -F. '{print $NF}' | sort | uniq -c | sort -rn | head
# Find non-standard ports (tcpdump -nn prints ports as ip.port, so match ".port" followed by " >" for the source or ":" for the destination)
sudo tcpdump -i eth0 -nn 'tcp or udp' 2>/dev/null | \
grep -vE '\.(22|80|443|53|123)( >|:)' | head -20
# Hex dump of packet payload
sudo tcpdump -i eth0 -X -c 1 'port 80'
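Added example (not part of the original page): the post-processing behind the "who's talking", "bandwidth hog", "top talkers", "count by port" and "non-standard ports" one-liners above, written as shell functions over constructed tcpdump -nn lines so the field handling can be checked offline. It assumes IPv4 output (IPv6 endpoints are printed differently), uses made-up 10.50.1.x addresses, and the expected-port list is a constructed placeholder.

```shell
#!/bin/sh
# Constructed sample of `tcpdump -nn 'tcp or udp'` output (not a real capture).
SAMPLE='12:00:00.000001 IP 10.50.1.20.51234 > 10.50.1.30.443: Flags [S], seq 1, win 64240, length 0
12:00:00.000002 IP 10.50.1.21.40000 > 10.50.1.30.443: Flags [S], seq 1, win 64240, length 0
12:00:00.000003 IP 10.50.1.20.51235 > 10.50.1.10.53: 12345+ A? host.example.test. (36)
12:00:00.000004 IP 10.50.1.22.51236 > 10.50.1.30.8080: Flags [S], seq 1, win 64240, length 0
12:00:00.000005 IP 10.50.1.20.51237 > 10.50.1.30.443: Flags [S], seq 1, win 64240, length 0
12:00:00.000006 IP 10.50.1.30.443 > 10.50.1.20.51234: Flags [S.], seq 1, ack 2, win 65160, length 0'

# In -nn output an IPv4 endpoint is "a.b.c.d.port": $3 is the source,
# $5 the destination with a trailing ":". The port is set off by "." not ":",
# which is why a "cut -d: -f2" on these fields yields nothing.

# top_talkers: packets per source address, most active first
top_talkers() {
    awk '$2 == "IP" { ip = $3; sub(/\.[0-9]+$/, "", ip); n[ip]++ }
         END { for (k in n) print n[k], k }' | sort -rn
}

# dst_ports: packets per destination port, most common first
dst_ports() {
    awk '$2 == "IP" { p = $5; sub(/:$/, "", p); sub(/.*\./, "", p); n[p]++ }
         END { for (k in n) print n[k], k }' | sort -rn
}

# nonstandard_ports: lines where neither endpoint uses an expected port
# (the allow-list is a constructed example; adjust it to the environment)
nonstandard_ports() {
    awk -v allow="22 53 80 123 443 1812 1813" '
    BEGIN { c = split(allow, a, " "); for (i = 1; i <= c; i++) ok[a[i]] = 1 }
    $2 == "IP" {
        s = $3; sub(/.*\./, "", s)
        d = $5; sub(/:$/, "", d); sub(/.*\./, "", d)
        if (!(s in ok) && !(d in ok)) print
    }'
}

printf '%s\n' "$SAMPLE" | top_talkers
printf '%s\n' "$SAMPLE" | dst_ports
printf '%s\n' "$SAMPLE" | nonstandard_ports
```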
Wireshark Integration
# Capture for Wireshark analysis
sudo tcpdump -i eth0 -w capture.pcap -s 0
# Remote capture via SSH (pipe to local Wireshark); exclude the SSH session itself, otherwise tcpdump captures its own output in a feedback loop, and use -U so each packet is flushed to Wireshark as it arrives
ssh root@remote-host 'tcpdump -i eth0 -U -w - -s 0 "not port 22"' | wireshark -k -i -
# Convert pcap to text
tcpdump -r capture.pcap -nn > capture.txt
tcpdump -r capture.pcap -nn -X > capture_hex.txt
# Extract specific packets
tcpdump -r capture.pcap 'port 443' -w https_only.pcap
# Merge pcap files (use mergecap from Wireshark)
mergecap -w combined.pcap file1.pcap file2.pcap
# Split large pcap (use editcap from Wireshark)
editcap -c 10000 large.pcap split.pcap
WORKFLOW: tcpdump for capture → Wireshark for deep analysis
Quick Reference
| Task | Command |
|---|---|
| Basic capture | sudo tcpdump -i eth0 -nn |
| Save to file | sudo tcpdump -i eth0 -w capture.pcap |
| Read pcap | tcpdump -r capture.pcap -nn |
| Filter by host | sudo tcpdump -i eth0 host 10.50.1.20 |
| Filter by port | sudo tcpdump -i eth0 port 443 |
| Filter by protocol | sudo tcpdump -i eth0 tcp |
| TCP SYN packets | sudo tcpdump -i eth0 'tcp[tcpflags] == tcp-syn' |
| TCP RST packets | sudo tcpdump -i eth0 'tcp[tcpflags] & tcp-rst != 0' |
| DNS traffic | sudo tcpdump -i eth0 'port 53' |
| RADIUS/802.1X | sudo tcpdump -i eth0 'port 1812 or port 1813' |
| Show content | sudo tcpdump -i eth0 -X |
| Verbose mode | sudo tcpdump -i eth0 -vvv |