Things to keep in mind
- Only unencrypted HTTP: Modern web traffic mostly uses HTTPS (port 443), so filtering for plain HTTP (tcpdump port 80) will see very little on many networks. To watch encrypted traffic you’d need to filter on port 443 (tcpdump port 443), but you won’t be able to read the payload without TLS termination.
- Performance impact: Capturing on a busy interface can generate a lot of data and consume CPU/memory. Using -c (packet count limit) or a short capture window helps mitigate this.
- Legal/ethical considerations: Sniffing traffic that isn’t yours can violate privacy laws or corporate policies. Always have permission to capture on a given network.
- Packet truncation: By default tcpdump captures only the first 96 bytes of each packet. Use -s 0 (or a larger snaplen) if you need the full payload.
- Root privileges: If you don’t want to run as root, you can grant the binary the CAP_NET_RAW capability (sudo setcap cap_net_raw,cap_net_admin=eip $(which tcpdump)), but this still requires administrative control over the system.
Quick‑Reference Cheat Sheet for tcpdump
| Category | Command | What it Does | Handy Tips |
|---|---|---|---|
| Basic capture | sudo tcpdump | Starts sniffing on the default interface, printing a one-line summary of each packet. | Add -i <iface> to choose a specific NIC (e.g., -i eth0). |
| Limit packet count | sudo tcpdump -c 20 | Stops after 20 matching packets. | Great for quick checks; prevents runaway captures. |
| Save to file | sudo tcpdump -w capture.pcap | Writes raw packets to capture.pcap (binary pcap format). | Open later with Wireshark or tcpdump -r. |
| Read from file | sudo tcpdump -r capture.pcap | Prints a summary of packets stored in a pcap file. | Combine with -X/-A for payload view. |
| Full-packet snaplen | sudo tcpdump -s 0 | Captures the entire packet (no truncation). | Use when you need the full payload (e.g., HTTP headers). |
| ASCII payload | sudo tcpdump -A | Shows packet data as printable ASCII characters. | Pair with -s 0 for complete text. |
| Hex + ASCII | sudo tcpdump -X | Hex dump plus ASCII on the same line. | Helpful for binary protocols. |
| Verbose output | -v, -vv, -vvv | Increases detail level (e.g., TTL, window size, options). | -vvv can expose IP options and TCP flags. |
| Filter by protocol | tcpdump icmp, tcpdump udp, tcpdump tcp | Shows only the specified protocol. | Combine with other filters (and, or). |
| Port filtering | tcpdump port 22, tcpdump port 443 | Captures traffic where either source or destination port is 22 (SSH) or 443 (HTTPS). | Use src port or dst port for direction-specific captures. |
| Host filtering | tcpdump host 192.168.1.10 | All packets to or from that IP address. | src host / dst host for one-way traffic. |
| Network filtering | tcpdump net 10.0.0.0/8 | Any packet whose IP belongs to that subnet. | Useful for monitoring a whole LAN segment. |
| Expression combos | tcpdump src host 10.0.0.5 and dst port 80 | Traffic from 10.0.0.5 to port 80. | Parentheses group complex logic: (src net 10.0.0.0/24) and (dst port 53 or dst port 5353). |
| Capture HTTP (unencrypted) and HTTPS (encrypted) | sudo tcpdump -A -s 0 -c 10 port 80 or port 443 | Shows the first ten HTTP or HTTPS packets with readable payload. | Remember most modern traffic is HTTPS (port 443). |
| Capture DNS | sudo tcpdump -n -vvv -s 0 port 53 | Shows DNS (port 53) queries/responses in detail. | -n avoids DNS lookups on captured IPs (keeps output fast). |
| Capture only SYN packets | tcpdump 'tcp[tcpflags] & tcp-syn != 0' | Lists connection attempts (handshake starts). | Useful for spotting scans. |
| Exclude traffic | tcpdump not port 22 | Captures everything except SSH. | Combine with other filters (and, or). |
| Timestamp formats | -tttt (human-readable), -t (default, relative), -tt (epoch) | Controls how timestamps appear. | -tttt is great for logs. |
| Interface list | tcpdump -D | Prints all interfaces tcpdump can listen on. | Choose the right one with -i. |
| Promiscuous mode toggle | -p | Disables promiscuous mode (captures only traffic destined for the host). | Useful on switched networks where you only need local traffic. |
| Colorized output (if compiled with libpcap ≥ 1.9) | --color | Highlights protocol fields. | Makes reading easier, especially on long runs. |

Example Workflows
Capture the first 20 HTTP requests and save them for later analysis
sudo tcpdump -i eth0 -c 20 -w http_first20.pcap 'tcp port 80'
Live‑view DNS queries in a readable form
sudo tcpdump -n -vvv -s 0 -A 'udp port 53'
Spot a possible port‑scan on your server
sudo tcpdump -i eth0 -nn -e 'tcp[tcpflags] & (tcp-syn|tcp-ack) = tcp-syn and not src host <your-server-IP>'
Shows SYN packets from hosts other than yourself.
Debug an HTTPS handshake (you won’t see the encrypted payload, but you can see the TLS record types)
sudo tcpdump -i eth0 -nn -vv -s 0 'tcp port 443'
Quick “What‑If” Thoughts (Balanced Discourse)
- Should I always capture full packets (-s 0)?
  - Pros: Guarantees you have the entire payload for a later deep dive.
  - Cons: Larger files and higher CPU/memory load; it might overwhelm a busy interface.
  - Tip: Start with a modest snaplen (e.g., -s 256) to confirm you’re seeing the right traffic, then increase if needed.
- Is saving to a pcap file safer than printing to screen?
  - Pros: Persistent, can be shared with colleagues, analyzed with richer tools (Wireshark).
  - Cons: Stores potentially sensitive data; ensure proper handling and deletion when done.
- Do I really need sudo?
  - Most systems require root to place an interface in promiscuous mode.
  - Alternative: Grant the binary the CAP_NET_RAW capability (setcap cap_net_raw,cap_net_admin=eip $(which tcpdump)) so you can run it as a regular user; this is still a privileged operation, so use responsibly.
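The "Spot a possible port-scan" workflow above and the snaplen trade-off in the What-If list can both be exercised offline against a saved capture. The following Python script is an added example and not part of the original cheat sheet: it writes a tiny capture in the libpcap file format that `tcpdump -w` produces, reads it back the way `tcpdump -r` iterates records, and applies the same flag test as the filter `tcp[tcpflags] & (tcp-syn|tcp-ack) = tcp-syn`, tallying which sources sent bare SYNs to many distinct ports. All hosts, ports and frames are constructed sample data. It assumes the classic little-endian, microsecond-resolution pcap header with an Ethernet link type and IPv4 only, and leaves IP/TCP checksums at zero, which is harmless here because BPF filters never check them.

```python
"""Minimal pcap writer/reader plus an offline SYN-scan heuristic (added example)."""
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4          # little-endian, microsecond timestamps (assumed here)
LINKTYPE_ETHERNET = 1
TCP_SYN, TCP_ACK = 0x02, 0x10    # the bits tcpdump names tcp-syn / tcp-ack


def build_tcp_frame(src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Ethernet + IPv4 + TCP frame with zeroed MACs and checksums (constructed data)."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)              # EtherType IPv4
    ip_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    # sport, dport, seq, ack, data offset (5 words), flags, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp + payload


def write_pcap(frames, snaplen):
    """Serialize frames as `tcpdump -w -s <snaplen>` would: the record header keeps
    the on-wire length, but only the first `snaplen` bytes are stored."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for ts_sec, frame in enumerate(frames):                     # fake 1 s spacing
        captured = frame[:snaplen]
        out += struct.pack("<IIII", ts_sec, 0, len(captured), len(frame)) + captured
    return out


def read_pcap(data):
    """Yield (ts_sec, captured_bytes, original_len) for each record, like `tcpdump -r`."""
    magic, _, _, _, _, _snaplen, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("only little-endian Ethernet pcap files are handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _, incl_len, orig_len = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield ts_sec, data[off:off + incl_len], orig_len
        off += incl_len


def parse_tcp(frame):
    """Return (src_ip, dst_ip, sport, dport, flags), or None when the frame is not
    IPv4/TCP or the capture was truncated before the TCP flags byte."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    tcp = 14 + (frame[14] & 0x0F) * 4                           # skip IP options, if any
    if len(frame) < tcp + 14:                                   # flags byte is at tcp+13
        return None
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    sport, dport = struct.unpack("!HH", frame[tcp:tcp + 4])
    return src, dst, sport, dport, frame[tcp + 13]


def syn_scan_sources(data, my_ip, min_ports=3):
    """Sources other than my_ip that sent bare SYNs (SYN set, ACK clear) to at least
    min_ports distinct destination ports; the port-scan workflow evaluated offline."""
    ports = defaultdict(set)
    for _, frame, _ in read_pcap(data):
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        src, _, _, dport, flags = parsed
        if flags & (TCP_SYN | TCP_ACK) == TCP_SYN and src != my_ip:
            ports[src].add(dport)
    return {s: sorted(p) for s, p in ports.items() if len(p) >= min_ports}


def truncated_records(data):
    """Count records where fewer bytes were stored than were on the wire."""
    return sum(1 for _, captured, orig in read_pcap(data) if len(captured) < orig)


# Constructed sample traffic: one host probing four ports, one normal HTTPS client.
MY_IP = "10.0.0.5"
SAMPLE_FRAMES = [
    build_tcp_frame("10.0.0.9", MY_IP, 40000 + i, port, TCP_SYN)
    for i, port in enumerate((22, 80, 443, 8080))
] + [
    build_tcp_frame("10.0.0.7", MY_IP, 51000, 443, TCP_SYN),
    build_tcp_frame(MY_IP, "10.0.0.7", 443, 51000, TCP_SYN | TCP_ACK),
    build_tcp_frame("10.0.0.7", MY_IP, 51000, 443, TCP_ACK, b"GET / HTTP/1.1\r\n"),
]
FULL_CAPTURE = write_pcap(SAMPLE_FRAMES, snaplen=262144)       # equivalent of -s 0
TINY_CAPTURE = write_pcap(SAMPLE_FRAMES, snaplen=40)           # cuts off the TCP flags

if __name__ == "__main__":
    print("suspicious sources:", syn_scan_sources(FULL_CAPTURE, MY_IP))
    print("with snaplen 40   :", syn_scan_sources(TINY_CAPTURE, MY_IP),
          "truncated records:", truncated_records(TINY_CAPTURE))
```

To run it against a real file, replace FULL_CAPTURE with the bytes of a capture written by `tcpdump -w` (files with the big-endian or nanosecond magic numbers are rejected by the reader as written). The TINY_CAPTURE case shows the failure mode the -s 256 tip guards against: a snaplen shorter than the Ethernet, IP and TCP headers makes every record truncated, so a SYN filter matches nothing and the scan goes unnoticed.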
Getting Started in One Line
If you just want a quick glance at what’s happening on your primary NIC:
sudo tcpdump -i $(ip route get 8.8.8.8 | awk '{print $5; exit}') -nn -c 10
Explanation:
- Detects the default outbound interface automatically.
- -nn disables name resolution (faster, cleaner).
- Stops after 10 packets.
TL;DR
- Start simple: sudo tcpdump -i eth0.
- Add filters (host, port, proto) to narrow focus.
- Use -w for offline analysis, -A/-X for live payload inspection.
- Mind privacy & legality: Only sniff traffic you own or have explicit permission to monitor.