Introduction to Tcpdump packets

Using Tcpdump to analyze network traffic

4 min readDec 16, 2020


Photo by Philipp Katzenberger on Unsplash

Tcpdump is a command-line packet analysis tool. Much like Wireshark, you can use Tcpdump to capture and analyze packets, troubleshoot connection issues, and look for potential security issues on a network. Tcpdump is a portable command-line utility that can be used even when a GUI is not available, and when Wireshark is not installed.

Today, let’s take a look at how to use Tcpdump to analyze packets! Open up your terminal and follow along.

First, before we go on, remember that Tcpdump needs the ability to capture raw data packets and manipulate network interfaces to be able to operate. This means that you need to run Tcpdump as a superuser. So all of the commands that I will introduce today should be used with “Sudo”.

First, you can use the “-D” flag to list the interfaces available for capture.

$ sudo tcpdump -D1.en0 [Up, Running]
2.bridge0 [Up, Running]
3.p2p0 [Up, Running]
4.awdl0 [Up, Running]
5.utun0 [Up, Running]
6.en1 [Up, Running]
7.en2 [Up, Running]
8.lo0 [Up, Running, Loopback]
9.vboxnet0 [Running]

Let’s start capturing some packets. You can use the “-i” flag to specify the interface that you want to capture. Specifying “any” as the interface will capture from all active interfaces. You can also configure Tcpdump to capture a particular interface.

$ sudo tcpdump -i any
$ sudo tcpdump -i eth1

Now, you should start seeing packet details in your terminal! Tcpdump will continue to capture packets until you interrupt it by pressing “Ctrl+C”. You can also use the “-v” flag to adjust the level of verbosity in Tcpdump’s output.

$ sudo tcpdump -i any -v (Verbose output)
$ sudo tcpdump -i any -vv (Even more verbose output)
$ sudo tcpdump -i any -vvv (The most verbose output)

Protocol filters

Tcpdump has a variety of filters that allow you to capture only packets that fit your criteria. First, you can filter capture traffic based on protocol. For example, this command will listen to all TCP connections.

$ sudo tcpdump tcp

Port filters

If you are only interested in traffic for a specific port, you can use the “port” filter to target your analysis.

$ sudo tcpdump port 80

This command will capture all traffic going through port 80. If you are more specific and want to capture traffic that has port 80 as their source or destination port, you can use the following commands.

$ sudo tcpdump src port 80 (Source port is 80)
$ sudo tcpdump dest port 80 (Destination port is 80)

Host filters

On the other hand, if you are only interested in traffic for a specific host, you can use the “host” filter. The “host” filter can also be combined with an “src” or “dest” filter.

$ sudo tcpdump host
$ sudo tcpdump src host (Source host is
$ sudo tcpdump dest host (Destination host is

Combining filters

Finally, you can even combine multiple filters in Tcpdump! You can combine filters by using boolean statements such as “and”, or “or”.

$ sudo tcpdump “src port 80” and “dst host”
$ sudo tcpdump “src port 80” or “src port 443”

Saving the output

You can save the captured packets into a file rather than printing them out by using the “-w” flag.

$ sudo tcpdump tcp -w PATH_TO_FILE

If you want Tcpdump both to save and print the packets, you can use the “ — print” flag in conjunction with the “-w” flag.

$ sudo tcpdump tcp -w PATH_TO_FILE --print

This saved file can later be read using the “-r” flag.

$ sudo tcpdump -r PATH_TO_FILE

Decoding the output

The output of Tcpdump is format dependant. A typical output line for TCP looks like this.

17:42:53.490718 IP > Flags [.], ack 1, win 67, length 0

The first field, “17:42:53.490718” is the timestamp of the captured packet. Next, “IP” represents the network layer protocol, which in this case was IPv4.

The next field is the source IP and port. “” means that the source IP was “” and the source port was 443. Similarly, “” represents the destination IP and port.

“Flags [.]” represents the TCP flags. In this case, the TCP ACK flag was set. This is followed by the ACK number, “ack 1”. And the next field is the window size “win 67”, and finally, the packet length “length 0”.

There are more fields in the output for different protocol types, please check Tcpdump’s documentation for more information.

Reading packet contents

Finally, how do you read the contents of the captured packets? In Tcpdump, you can print out the packet contents by using the “-A” flag. For example, let’s say that we are trying to capture packets of some HTTP traffic.

$ sudo tcpdump port 80 -A

You can run this command then access a page using HTTP. You will see the packet contents printed out in plain text.

Connection: keep-alive
User-Agent: Mozilla/5.0
Accept: image/webp,image/apng,image/*,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US;q=0.8,en;q=0.7
Cookie: PHPSESSID=71mapjkikro59donut84n0cfms0


Tcpdump is a powerful packet analysis tool. Today, we looked at the basic usages of Tcpdump. For more information about the tool, and more functionalities to explore, visit Tcpdump’s manual page here: