1001Ferramentas

tcpdump Command Builder

Build a tcpdump command with interface, BPF filter, output file and verbosity.


tcpdump in depth: BPF filters, capture files, and lawful packet analysis

The tcpdump utility is the canonical packet analyzer of the Unix and BSD world. It opens a raw socket on a network interface, hands incoming frames to the in-kernel BPF (Berkeley Packet Filter) engine, and prints, or saves, only the packets that match an expression you supply. It ships on virtually every Linux distribution, macOS and FreeBSD, and is also present in network appliances. Engineers reach for it to troubleshoot connectivity, capture .pcap files for later analysis in Wireshark, perform digital forensics, measure latency, and verify firewall behaviour. This generator helps you assemble a syntactically valid command, but the responsibility for capturing only on networks you are authorised to monitor always stays with you.

Command syntax and essential flags

The general form is tcpdump [options] [BPF filter]. The most useful options are:

  • -i <interface>: pick the interface (eth0, wlan0, any, lo).
  • -w file.pcap: save raw packets to a file (open later in Wireshark/tshark).
  • -r file.pcap: read packets from an existing capture file.
  • -n / -nn: skip DNS resolution (-n) and also port-name resolution (-nn); much faster, and no extra DNS queries leave the host.
  • -X / -XX: print hex and ASCII payloads (-XX includes the link-layer headers).
  • -v, -vv, -vvv: increasing verbosity.
  • -c N: stop after capturing N packets.
  • -s N: snaplen (bytes captured per packet). Default is 262144 on modern builds; use -s 0 on old versions to get full packets.
  • -G N -W M: rotate the output file every N seconds, keeping at most M files.
  • -Z user: drop privileges to user right after opening the socket.

BPF filter expressions

Filters live after the options. libpcap compiles the expression into a small BPF program that the kernel runs (on Linux it may be JIT-compiled) before a packet is copied to user space, so a packet that does not match is discarded cheaply and never reaches tcpdump:

host 192.168.1.1            # source or destination
src host 10.0.0.5           # source only
dst host 8.8.8.8            # destination only
port 443                    # any side
tcp port 80                 # protocol + port
not port 22                 # exclude SSH
net 10.0.0.0/24             # subnet
icmp                        # protocol
tcp[tcpflags] & tcp-syn != 0  # SYN packets (handshake)
udp and port 53             # DNS over UDP
arp                         # ARP traffic
(tcp port 80 or tcp port 443) and host example.com

Combine with and, or, not and parentheses. Always quote complex filters to keep the shell from eating special characters.

Worked examples

# Live HTTPS traffic on eth0, no DNS resolution
sudo tcpdump -ni eth0 'tcp port 443'

# Save 1000 SSH packets for offline review
sudo tcpdump -i any -c 1000 -w ssh.pcap 'tcp port 22'

# Hourly rotation for 24 hours (24 files)
sudo tcpdump -i eth0 -G 3600 -W 24 -w 'cap-%Y%m%d-%H.pcap'

# Read a Wireshark pcap and grep for a host
tcpdump -nr capture.pcap 'host 10.0.0.5'

# Only TCP SYN packets (port-scan signature)
sudo tcpdump -ni eth0 'tcp[tcpflags] & tcp-syn != 0 and not src net 10.0.0.0/24'

tcpdump vs alternatives

Wireshark offers the best UX for offline analysis; tshark is its CLI counterpart and has far more protocol dissectors than tcpdump. ngrep filters by payload text. tcpflow reassembles TCP streams. For pure bandwidth visualisation, look at iftop, nload or nethogs. tcpdump shines when you need a portable, scriptable, low-footprint capture tool that is already installed on the target machine.

Legal and ethical use

Capturing packets on networks you do not own or administer is illegal in many jurisdictions. In the United States the Computer Fraud and Abuse Act (CFAA) and the Wiretap Act apply; in Brazil, the Lei 12.737/2012 (Lei Carolina Dieckmann) and the LGPD constrain interception of communications without consent. Penetration tests must always have a written scope of work and explicit authorisation from the network owner. In classroom or lab environments, capture only inside an isolated network you fully control.

FAQ

Do I need root? Yes: tcpdump opens a raw socket, which requires CAP_NET_RAW. Use sudo, or set the capability on the binary: setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump.

Can I see HTTPS traffic? Only the metadata: source and destination, the SNI hostname, and the TLS handshake. Payloads are encrypted; you would need the TLS session keys (SSLKEYLOGFILE) and Wireshark to decrypt them.

How do I rotate capture files? Combine -G <seconds> with -W <count> and a strftime pattern in the output name: -G 3600 -W 24 -w 'cap-%Y%m%d-%H.pcap' gives 24 one-hour files in a ring buffer.

Why do I miss packets at high speed? The kernel ring buffer fills faster than tcpdump drains it. Raise it with -B <KiB>, write to an SSD, drop verbose flags and name resolution (-n), switch to -w output (for example tcpdump -i any -w file.pcap) with --immediate-mode left off, since immediate mode disables buffering, and use a tight BPF filter so fewer packets reach user space.

Is the .pcap format portable? Yes: the legacy libpcap format and the newer pcapng both open in Wireshark, tshark, Zeek, Suricata, and most network forensics tools.
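As an added example, not part of this page's generator or of tcpdump itself, the following Python writes and reads the legacy libpcap format mentioned above and replays the SYN filter from the worked examples (tcp[tcpflags] & tcp-syn != 0 and not src net 10.0.0.0/24) in pure Python, skipping records that the snaplen cut short of the TCP flags byte. The helper names build_pcap, tcp_frame and syn_sources are assumptions, and every frame is a constructed sample.

```python
import ipaddress
import struct

PCAP_MAGIC = 0xA1B2C3D4   # native-order, microsecond timestamps
LINKTYPE_ETHERNET = 1
TCP_SYN = 0x02


def build_pcap(records, snaplen=262144):
    """Serialise (timestamp, frame) pairs into legacy libpcap bytes.
    Frames longer than snaplen are cut, as tcpdump -s N cuts them;
    the record header keeps both captured and original length."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for ts, frame in records:
        cap = frame[:snaplen]
        out += struct.pack("<IIII", int(ts), int(ts % 1 * 1e6), len(cap), len(frame))
        out += cap
    return out


def tcp_frame(src, dst, sport, dport, flags):
    """Constructed sample Ethernet/IPv4/TCP frame (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp   # 14-byte Ethernet header


def syn_sources(pcap_bytes, exclude_net="10.0.0.0/24"):
    """Pure-Python equivalent of the page's filter
    'tcp[tcpflags] & tcp-syn != 0 and not src net 10.0.0.0/24'.
    Returns {source_ip: syn_count}; records truncated by snaplen before
    the TCP flags byte are skipped rather than guessed."""
    if struct.unpack("<I", pcap_bytes[:4])[0] != PCAP_MAGIC:
        raise ValueError("only native-order microsecond pcap is handled here")
    exclude, counts, pos = ipaddress.ip_network(exclude_net), {}, 24
    while pos + 16 <= len(pcap_bytes):
        incl_len = struct.unpack("<IIII", pcap_bytes[pos:pos + 16])[2]
        frame = pcap_bytes[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                      # not IPv4 over Ethernet, or not TCP
        flags_at = 14 + (frame[14] & 0x0F) * 4 + 13   # TCP flags byte offset
        if len(frame) <= flags_at:
            continue                      # snaplen cut the header short
        src = ipaddress.IPv4Address(frame[26:30])
        if src not in exclude and frame[flags_at] & TCP_SYN:
            counts[str(src)] = counts.get(str(src), 0) + 1
    return counts
```

A capture taken with -s 47 loses the flags byte of every TCP packet and the count drops to zero, which is why a too-small snaplen silently breaks SYN-based detections.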
