tcpdump Basics: Capture Traffic Without Wireshark

By SumGuy 5 min read

Why tcpdump Beats Wireshark for Servers

On your laptop, Wireshark’s GUI is pretty. On a server with no X11 and 1GB of RAM, it’s torture.

tcpdump does one job: capture packets and print them. No GUI. No memory bloat. Runs on ancient hardware. Perfect for production debugging.

Install tcpdump

Terminal window
# Debian/Ubuntu:
sudo apt install tcpdump
# RHEL/CentOS:
sudo yum install tcpdump
# Verify:
tcpdump --version

Capture Everything (Then Regret It)

Terminal window
# Capture all packets on all interfaces:
sudo tcpdump
# You get flooded immediately. Ctrl+C to stop.

You’ll see output like:

12:45:23.456789 IP 192.168.1.100.53214 > 8.8.8.8.443: Flags [S], seq 0
12:45:23.456821 IP 192.168.1.1.53 > 192.168.1.100.53214: 12345+ (32)
12:45:23.500912 IP 8.8.8.8.443 > 192.168.1.100.53214: Flags [S.], seq 8765

This is raw and useless without filtering. Let’s actually use it.

Filter by Interface

Terminal window
# Capture on a specific interface only:
sudo tcpdump -i eth0
# Or WiFi:
sudo tcpdump -i wlan0
# List available interfaces:
tcpdump -D

Filter by Host

Terminal window
# Everything to/from a specific IP:
sudo tcpdump host 8.8.8.8
# Only traffic from one direction (src):
sudo tcpdump src 192.168.1.100
# Only incoming (dst):
sudo tcpdump dst 192.168.1.100

Filter by Port

Terminal window
# Capture HTTP traffic:
sudo tcpdump port 80
# Or HTTPS:
sudo tcpdump port 443
# Or specific service:
sudo tcpdump port ssh # port 22
sudo tcpdump port domain # port 53 (DNS)
# Multiple ports:
sudo tcpdump port 80 or port 443

Filter by Protocol

Terminal window
# Capture only TCP:
sudo tcpdump tcp
# Or UDP:
sudo tcpdump udp
# Or ICMP (ping):
sudo tcpdump icmp
# Combine: TCP on port 22
sudo tcpdump tcp port ssh

Real-World Examples

Debug DNS issues:

Terminal window
sudo tcpdump -i eth0 port 53
# Shows DNS queries and responses:
12:45:23.123456 IP 192.168.1.100.54321 > 8.8.8.8.53: 12345+ A? example.com. (29)
12:45:23.124567 IP 8.8.8.8.53 > 192.168.1.100.54321: 12345 1/0/0 A 93.184.216.34 (45)
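The DNS lines above are only useful once you match each query to its answer. The script below is an added example, not code from the original post: it reads the text output of a `port 53` capture made with `-n` (numeric ports) and prints the queries that never got a response, which is usually the symptom behind "DNS is slow". The capture lines inside `sample_capture` are constructed for illustration; the matching key (client ip.port plus transaction id) is how a resolver pairs them, so NXDomain and ServFail replies count as answers.

```shell
#!/bin/sh
# Added example, not part of the original post: list DNS queries in tcpdump
# text output that never received a response. Assumes the capture was made
# with `tcpdump -n port 53` so addresses and ports are numeric.

# Constructed sample of what `sudo tcpdump -n -i eth0 port 53` prints.
sample_capture() {
    cat <<'EOF'
12:45:23.123456 IP 192.168.1.100.54321 > 8.8.8.8.53: 12345+ A? example.com. (29)
12:45:23.124567 IP 8.8.8.8.53 > 192.168.1.100.54321: 12345 1/0/0 A 93.184.216.34 (45)
12:45:24.000100 IP 192.168.1.100.54322 > 8.8.8.8.53: 12346+ AAAA? example.com. (29)
12:45:24.000200 IP 192.168.1.100.54323 > 8.8.8.8.53: 12347+ A? missing.example. (33)
12:45:24.010000 IP 8.8.8.8.53 > 192.168.1.100.54322: 12346 1/0/0 AAAA 2001:db8::1 (57)
12:45:25.500000 IP 192.168.1.100.54324 > 8.8.8.8.53: 12348+ A? nosuch.example. (32)
12:45:25.510000 IP 8.8.8.8.53 > 192.168.1.100.54324: 12348 NXDomain 0/1/0 (95)
EOF
}

# Reads tcpdump lines on stdin; prints one line per unanswered query:
#   <time> <client ip.port> <qtype> <name>
dns_unanswered() {
    awk '
    # A query: the destination (field 5, e.g. "8.8.8.8.53:") is port 53.
    $5 ~ /\.53:$/ {
        id = $6; gsub(/[^0-9]/, "", id)           # "12345+" -> "12345"
        pending[$3 "/" id] = $1 " " $3 " " $7 " " $8
        next
    }
    # A response: the source (field 3, e.g. "8.8.8.8.53") is port 53.
    # NXDomain and ServFail are still answers, so they clear the entry too.
    $3 ~ /\.53$/ {
        id = $6; gsub(/[^0-9]/, "", id)
        client = $5; sub(/:$/, "", client)
        delete pending[client "/" id]
    }
    END { for (k in pending) print pending[k] }
    ' | sort
}

# Run against the constructed sample. With a real capture, read a saved file
# so the pipeline sees end-of-input:  tcpdump -n -r dns.pcap | dns_unanswered
sample_capture | dns_unanswered
```

The awk program only needs the field positions tcpdump uses for UDP DNS, so a live run works with `sudo tcpdump -n -l -c 500 -i eth0 port 53 | dns_unanswered` (the `-c` makes tcpdump exit so the summary can print).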

Capture a single HTTP request:

Terminal window
# Terminal 1: Start capture on HTTP
sudo tcpdump -i eth0 -w http.pcap port 80
# Terminal 2: Make a request
curl http://example.com/
# Terminal 1: Stop tcpdump (Ctrl+C)

Watch for connection resets:

Terminal window
# RST flag means connection was killed:
sudo tcpdump 'tcp[tcpflags] & tcp-rst != 0'
# Show packets with RST flag set

Make Output Readable

Raw tcpdump is cryptic. Use flags for clarity:

Terminal window
# ASCII output (show readable text):
sudo tcpdump -i eth0 -A port 80
# Output includes both hex and ASCII:
sudo tcpdump -i eth0 -X port 80
# Numeric addresses and ports, no DNS lookups (faster, less clutter):
sudo tcpdump -i eth0 -n port 80

The -A flag shows packet contents as ASCII:

12:45:23.123456 IP 192.168.1.100.12345 > 93.184.216.34.80: Flags [P.]
GET / HTTP/1.1
Host: example.com
User-Agent: curl/7.68.0
Accept: */*

Now you can see the actual HTTP request.

Save to File (Then Analyze Later)

Terminal window
# Capture to a .pcap file:
sudo tcpdump -i eth0 -w http.pcap port 80
# Analyze it later:
tcpdump -r http.pcap -A
# Filter it later:
tcpdump -r http.pcap 'host 8.8.8.8'
# Open in Wireshark on your laptop:
# (Copy the .pcap file to your machine)
wireshark http.pcap

This workflow is perfect: capture raw on the server (minimal overhead), analyze on your laptop.

Count Packets to a Host

Terminal window
# How many packets to/from this IP?
sudo tcpdump -c 100 host 192.168.1.100
# The -c flag stops after 100 packets; on exit tcpdump prints how many packets it captured, how many the filter received and how many the kernel dropped

Complex Filters

Terminal window
# Traffic between two hosts:
sudo tcpdump 'host 192.168.1.100 and host 8.8.8.8'
# HTTP traffic but not from localhost:
sudo tcpdump 'port 80 and not host 127.0.0.1'
# All TCP except SSH:
sudo tcpdump 'tcp and not port 22'
# Traffic to a network:
sudo tcpdump net 10.0.0.0/24

Practical Server Debugging

Terminal window
# Is the server getting requests to port 3000?
sudo tcpdump -i eth0 -n port 3000
# Capture 50 packets of traffic to your database:
sudo tcpdump -c 50 -w db.pcap host 10.0.0.50
# See what your server's sending to the internet (options go before the filter expression):
sudo tcpdump -n 'src host 192.168.1.100 and not dst net 192.168.1.0/24'
# Monitor for suspicious traffic:
sudo tcpdump 'tcp[13] & 4 != 0' # RST flag (byte 13 of the TCP header, bit 0x04)
sudo tcpdump 'tcp[tcpflags] & tcp-syn != 0' # SYN flag (new connections)
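The SYN and RST filters above tell you that something is happening; what you usually want next is who is doing it and how often. This script is an added example, not the post's own code: it takes the text output of a `-n` TCP capture (the RST watch from "Watch for connection resets" and the SYN monitor here) and summarises pure SYNs per source address and RSTs per sender, so one outside address opening far more connections than your normal clients stands out. The sample lines are constructed, and the threshold is an assumption you tune to your own baseline.

```shell
#!/bin/sh
# Added example, not part of the original post: count new-connection
# attempts (SYN without ACK) per source and RSTs per sender in tcpdump
# text output. Assumes the capture used -n so addresses stay numeric.

# Constructed sample: one internal client, and one outside address
# (203.0.113.7, a documentation range) opening connections to many ports.
sample_capture() {
    cat <<'EOF'
12:45:23.000001 IP 192.168.1.100.53214 > 192.168.1.10.443: Flags [S], seq 0, win 64240, length 0
12:45:23.000050 IP 192.168.1.10.443 > 192.168.1.100.53214: Flags [S.], seq 1, ack 1, win 65160, length 0
12:45:23.100000 IP 203.0.113.7.40001 > 192.168.1.10.22: Flags [S], seq 0, win 1024, length 0
12:45:23.100100 IP 203.0.113.7.40002 > 192.168.1.10.23: Flags [S], seq 0, win 1024, length 0
12:45:23.100200 IP 192.168.1.10.23 > 203.0.113.7.40002: Flags [R.], seq 0, ack 1, win 0, length 0
12:45:23.100300 IP 203.0.113.7.40003 > 192.168.1.10.80: Flags [S], seq 0, win 1024, length 0
12:45:23.100400 IP 203.0.113.7.40004 > 192.168.1.10.3306: Flags [S], seq 0, win 1024, length 0
12:45:23.100500 IP 192.168.1.10.3306 > 203.0.113.7.40004: Flags [R.], seq 0, ack 1, win 0, length 0
12:45:23.100600 IP 203.0.113.7.40005 > 192.168.1.10.8080: Flags [S], seq 0, win 1024, length 0
12:45:23.100700 IP 192.168.1.10.8080 > 203.0.113.7.40005: Flags [R.], seq 0, ack 1, win 0, length 0
EOF
}

# Pure SYN ("[S],") is a new connection attempt; "[S.]," is the reply and
# is deliberately excluded. The trailing ".port" is stripped from field 3
# so counts are per IP, not per ephemeral port. Output: "<count> <ip>".
syn_count_by_source() {
    awk '$6 == "Flags" && $7 == "[S]," {
             ip = $3; sub(/\.[0-9]+$/, "", ip); n[ip]++
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Keep only sources at or above THRESHOLD new connections (assumed value).
syn_burst_sources() {
    syn_count_by_source | awk -v t="$1" '$1 + 0 >= t + 0'
}

# RST ("[R]," or "[R.],") counted by the address that sent it, i.e. the
# side that killed the connection.
rst_count_by_sender() {
    awk '$6 == "Flags" && $7 ~ /^\[R\.?\],$/ {
             ip = $3; sub(/\.[0-9]+$/, "", ip); n[ip]++
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Demo on the constructed sample. For a saved capture:
#   tcpdump -n -r capture.pcap tcp | syn_burst_sources 50
echo "sources with >= 3 new connections:"
sample_capture | syn_burst_sources 3
echo "RSTs by sender:"
sample_capture | rst_count_by_sender
```

Because the counting happens after tcpdump exits, pair it with `-c` or with a file written by `-w`, as in the save-to-file workflow below; for a live feed, `tcpdump -n -l` keeps lines flowing but you still need an end of input before the totals print.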

Common Flags Reference

Terminal window
-i eth0 # Interface
-n # Don't resolve hostnames (faster)
-A # Show ASCII
-X # Show hex and ASCII
-w file.pcap # Write to file
-r file.pcap # Read from file
-c 100 # Capture 100 packets then stop
-q # Quiet (less verbose)
-v, -vv, -vvv # More verbose

Performance Tip

tcpdump can drop packets if your network is busy and the filter is complex. For high-traffic servers:

Terminal window
# Run in background, save to file:
sudo tcpdump -i eth0 -w capture.pcap port 80 &
# Analyze later when traffic is lower

tcpdump isn’t flashy but it works everywhere. Master it and you’ll debug network problems faster than anyone with a GUI.
