Skip to main content

One post tagged with "tcpdump"

View All Tags

Tcpdump: The Basics

Shubham
Cybersecurity Enthusiast

What is Tcpdump

okay let me go through it straightforward

tcpdump is a command-line packet analyzer. it captures packets directly from a network interface or reads them from a saved pcap file, then prints packet details.

lame language definition:
tcpdump is like a tiny network spy that listens to all traffic on an interface

formal definition:
tcpdump is a libpcap-based command-line tool that intercepts, filters, and displays packets for diagnostics, forensics, and network monitoring purposes.


Why Tcpdump Matters

  • runs on servers without GUI
  • extremely lightweight, ideal for quick captures
  • can save captures to .pcap and analyze later in Wireshark
  • useful for debugging network connectivity
  • helps detect suspicious/malicious traffic
  • allows automated/scripted packet captures

lame language definition:
when something weird happens on your network, tcpdump shows what’s actually flowing over the wire

formal definition:
tcpdump provides packet-level visibility for troubleshooting, auditing, and security monitoring by capturing and filtering traffic directly from network interfaces.


Basic Usage & Important Options

common options you’ll use:

  • **-i <interface>** → choose interface (eth0, wlan0, lo, any)
  • **-n / -nn** → show numeric IPs/ports (no DNS or service-name resolution)
  • **-c <count>** → stop after N packets
  • **-w <file>** → write packets to a pcap for later analysis
  • **-r <file>** → read a saved pcap file

general syntax:
tcpdump [options] [filter expression]


Filtering Packets

tcpdump filters are extremely powerful and help cut noise.

examples:

  • capture only ICMP
    icmp

  • capture HTTP port 80
    port 80

  • capture packets from a specific IP
    src 192.168.1.10

  • capture packets to a specific IP
    dst 10.0.0.5

  • combine filters
    tcp and port 443 and src 10.10.10.50

filters let you focus on exactly what matters.


Reading vs Capturing

tcpdump can:

  • capture live packets
  • save packets to a file
  • read files created earlier
  • monitor remote servers via SSH
  • create captures you later open in Wireshark

this makes it versatile for both live debugging and offline analysis.


What Tcpdump Output Usually Looks Like

each printed line typically includes:

  • timestamp
  • protocol (IP, TCP, UDP, ICMP)
  • src_ip:src_port → dst_ip:dst_port
  • tcp flags (if applicable)
  • packet length or other metadata

this gives quick insight into what traffic is flowing without needing a full GUI analyzer.


When to Use Tcpdump vs Wireshark

use tcpdump when you need:

  • fast text-based packet capture
  • minimal system footprint
  • SSH-based remote analysis
  • automated or scripted packet recording
  • only basic header/payload visibility

use wireshark when you need UI-level detail, protocol trees, reassembly, or file extraction.


Security Use Cases

  • capture suspicious outbound connections
  • inspect DNS or ARP traffic during enumeration
  • detect plaintext credentials in unencrypted protocols
  • gather evidence during incident response
  • perform reconnaissance on unknown networks
  • analyze malware communications on isolated machines

tcpdump is extremely useful in cybersecurity because it provides raw, unfiltered network truth.


Conclusion

tcpdump is simple, powerful, and essential.
it lets you capture, filter, analyze, and save network packets — even on systems with no graphical environment.

if you understand tcpdump basics, filters, interface selection, and capture options,
you already have one of the strongest command-line packet analysis tools in your toolkit.

`