Using tcpdump to capture network traffic on the command line

Looking at low-level network traffic is often useful for diagnosing application and system problems.

This is easy to do in modern browsers using devtools network capture widgets and extensions such as Postman, but sometimes you need to diagnose traffic between servers in a live application, where you cannot make the requests yourself from your browser. In these cases, tcpdump shines.

This article will cover how to use tcpdump to diagnose non-encrypted traffic. For encrypted traffic, ssldump can be used provided you have access to the private key used to encrypt the traffic.

To listen for traffic and write to stdout, the snippet is:

tcpdump -i any -s 65535 -n -A expression
  • -i The interface id to listen on (run tcpdump -D to get a list of available interfaces, or just use the keyword “any” to listen on all network interfaces)
  • -n Don’t convert host addresses to names (avoids DNS resolution, which makes things faster)
  • -A Print packets in ASCII, excluding link level headers. Use -X for both hex and ASCII printout.
  • -s By default tcpdump only captures the first 68 bytes of each packet. This option allows you to specify how much of each packet to capture. The maximum IP packet size is 65535.

See man pcap-filter for a full description of ‘expression’.

Examples include:

tcpdump -i 11 -n -A -s 65535 port 80
tcpdump -i 11 -n -A -s 65535 dst host

Other useful flags:

  • -w write packets to a file which can later be replayed
  • -r read packets written with -w


tcpdump -i any -n -A -s 65535 -w network_traffic.capture
tcpdump -n -r network_traffic.capture -A port 80
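A capture taken with too small a -s value silently loses payload, and the file written by -w records this per packet. The following is an added example, not part of the original post: it parses the classic pcap file layout and lists every record whose captured length is shorter than its on-the-wire length. The function names scan_capture and build_sample are hypothetical, and the sample capture is constructed in memory.

```python
import struct

# pcap global-header magic numbers mapped to struct byte order
# (microsecond and nanosecond timestamp variants).
MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",
    b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">",
}

def scan_capture(data):
    """Return (snaplen, linktype, total, truncated) for a classic pcap file.

    truncated is a list of (index, captured_len, original_len) for every
    record whose payload was cut short by the snapshot length (-s).
    """
    if len(data) < 24 or data[:4] not in MAGICS:
        raise ValueError("not a classic pcap file")
    order = MAGICS[data[:4]]
    _maj, _min, _zone, _sigfigs, snaplen, linktype = struct.unpack(
        order + "HHiIII", data[4:24])
    offset, index, truncated = 24, 0, []
    while offset + 16 <= len(data):
        # Per-record header: ts seconds, ts fraction, captured len, wire len.
        _sec, _frac, incl_len, orig_len = struct.unpack(
            order + "IIII", data[offset:offset + 16])
        if offset + 16 + incl_len > len(data):
            raise ValueError("record %d runs past end of file" % index)
        if incl_len < orig_len:
            truncated.append((index, incl_len, orig_len))
        offset += 16 + incl_len
        index += 1
    return snaplen, linktype, index, truncated

def build_sample(snaplen, packet_sizes):
    """Constructed sample: a little-endian pcap with zero-filled packets."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for n, size in enumerate(packet_sizes):
        kept = min(size, snaplen)
        out += struct.pack("<IIII", 1700000000 + n, 0, kept, size) + bytes(kept)
    return out

if __name__ == "__main__":
    sample = build_sample(68, [60, 1514, 66, 590])
    snaplen, linktype, total, cut = scan_capture(sample)
    print("snaplen=%d linktype=%d packets=%d" % (snaplen, linktype, total))
    for idx, got, want in cut:
        print("packet %d truncated: %d of %d bytes captured" % (idx, got, want))
```

To check a real file, pass its bytes, for example scan_capture(open("network_traffic.capture", "rb").read()); an empty truncated list means every packet was captured in full.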

The examples above will get you started, but for more detail, check the man pages:

Happy sniffing!
