Advanced

5 MIN READ

Apr 13, 2026

What Is tcpdump? Reading Raw IP Packets in the Terminal

tcpdump captures and displays live network packets directly in your terminal. This guide covers filters, output formats, and real forensic use cases for network engineers.

Seeing Exactly What Crosses Your Network Interface

Most network troubleshooting tools give you statistics — bytes transferred, connection counts, error rates. tcpdump gives you something more fundamental: the actual packets themselves, in real time, as they cross your network interface. Every TCP handshake, every DNS query, every HTTP request — all visible as raw data in your terminal.

tcpdump has been part of Unix-like systems since 1988. It uses the Berkeley Packet Filter (BPF) framework to capture packets at the kernel level before they reach user-space applications, which is why it can see traffic that other tools miss. On Linux, it uses libpcap. On BSD and macOS, it reads directly from the BPF device. The capture happens at the network interface level, which means you see exactly what is entering and leaving the machine.

This is the tool network engineers reach for when a customer says \"the connection drops randomly\" and no application-level log shows anything. When a security team says \"we think there's unexpected outbound traffic.\" When you need to know with certainty what is actually happening on the wire.

How tcpdump Works: BPF and Kernel-Level Capture

When you run tcpdump, it opens a raw socket on the specified network interface and attaches a BPF filter program to it. The BPF filter runs inside the kernel — packets that don't match the filter are discarded before they ever reach user space. This means tcpdump can operate at very high speeds without saturating the CPU with packet-parsing work in user space.

The flow is:

A packet arrives at or departs from the network interface
The kernel passes the packet through the attached BPF filter program
If the filter matches, a copy of the packet is placed in a ring buffer
tcpdump reads from the ring buffer and formats the output
Optionally, packets are written to a PCAP file for offline analysis

This architecture allows tcpdump to capture at wire speed even on high-throughput interfaces, and to do so with minimal impact on the system handling the actual traffic.

Basic Usage and Essential Flags

Running tcpdump without arguments captures all traffic on the default interface and prints it to stdout. In practice you almost always want filters. Core flags:

-i eth0 — specify the network interface. Use -i any to capture on all interfaces.
-n — do not resolve IP addresses to hostnames. This is critical for performance during high-traffic captures; DNS lookups for each packet slow output dramatically.
-v / -vv / -vvv — increase verbosity. More detail about TTL, IP flags, checksums.
-c 100 — capture exactly 100 packets then exit.
-w capture.pcap — write packets to a PCAP file instead of printing to screen. Open this file later in Wireshark or read it back with tcpdump using -r capture.pcap.
-s 0 — capture the full packet. By default, older versions of tcpdump truncate to 68 bytes. Setting snap length to 0 captures the complete packet.
-A — print packet payload as ASCII text. Useful for reading unencrypted HTTP or SMTP traffic.
-X — print payload as both hex and ASCII.

Writing Effective BPF Filters

Filters are where tcpdump's power becomes apparent. BPF filter syntax lets you compose complex expressions using host, port, protocol, and logical operators:

tcpdump host 203.0.113.5 — capture all traffic to or from a specific IP
tcpdump src 203.0.113.5 — capture only traffic originating from that IP
tcpdump dst 203.0.113.5 — capture only traffic destined for that IP
tcpdump port 443 — capture all HTTPS traffic
tcpdump tcp port 22 — capture SSH traffic specifically
tcpdump not port 22 — capture everything except SSH (useful to filter out your own remote session)
tcpdump 'src 10.0.0.5 and dst port 80' — compound filter: traffic from a specific source to HTTP
tcpdump 'tcp[tcpflags] & (tcp-syn) != 0' — capture only TCP SYN packets (new connection attempts)
tcpdump 'tcp[tcpflags] & (tcp-rst) != 0' — capture TCP RST packets (connection resets)
icmp — capture only ICMP traffic (pings and unreachable messages)

Quoting complex filters with single quotes prevents the shell from interpreting special characters.

Reading tcpdump Output

A typical tcpdump line looks like:

14:23:01.542108 IP 192.168.1.42.54321 > 93.184.216.34.80: Flags [S], seq 1234567890, win 64240, length 0

Breaking this down:

14:23:01.542108 — timestamp with microsecond precision
IP — this is an IPv4 packet
192.168.1.42.54321 — source IP and source port
93.184.216.34.80 — destination IP and destination port
Flags [S] — TCP flags. S = SYN, A = ACK, F = FIN, R = RST, P = PSH. A normal TCP handshake shows [S], [S.] (SYN-ACK), [.] (ACK).
seq 1234567890 — TCP sequence number
win 64240 — TCP receive window size
length 0 — payload length in bytes

tcpdump vs Wireshark: Choosing the Right Tool

Aspect	tcpdump	Wireshark
Interface	Terminal / command line	Graphical (also has tshark CLI version)
Remote capture	Excellent — SSH directly to server	Requires piping or remote capture setup
Protocol dissection	Basic — shows headers, minimal decode	Deep — full protocol decode for hundreds of protocols
Filter syntax	BPF (at capture time)	BPF at capture + display filters post-capture
PCAP output	Yes — standard format	Yes — compatible with tcpdump files
Resource usage	Minimal	High (GUI + deep dissection)
Best for	Server-side live capture, scripting, automation	Offline analysis, protocol debugging, visualization
Installation	Available on nearly all Unix/Linux systems by default	Requires separate install, not on servers by default

Real-World Use Cases

Diagnosing a dropped connection: Run tcpdump -n host <remote-ip> -w session.pcap while reproducing the problem. Open the PCAP in Wireshark afterward and look for RST packets, retransmission storms, or asymmetric routing (packets leaving but no replies arriving).

Finding unexpected outbound traffic: Run tcpdump -n 'not port 22 and not port 80 and not port 443' to see traffic on unusual ports. Any unexpected destination IPs or ports are worth investigating.

Verifying firewall rules: After adding a firewall rule to block a specific IP, run tcpdump to confirm packets from that IP are no longer reaching the server. If they still appear in tcpdump output, the firewall rule is not working as expected.

DNS debugging: Run tcpdump -n udp port 53 to see all DNS queries and responses. You can verify which DNS server queries are going to, what names are being resolved, and whether responses are returning correctly.

TLS handshake verification: Run tcpdump -n 'tcp port 443 and (tcp[tcpflags] & (tcp-syn) != 0)' to see new HTTPS connection attempts without capturing payload data.

Common Misconceptions

Misconception 1: tcpdump requires root everywhere

tcpdump requires the capability to open raw sockets. On Linux, this is CAP_NET_RAW. While traditionally this meant running as root, modern systems can grant this capability specifically: setcap cap_net_raw+eip /usr/bin/tcpdump. On some distributions, adding a user to the pcap group is sufficient. You do not always need full root access.

Misconception 2: tcpdump can see encrypted traffic content

tcpdump captures the raw packets. For TLS/HTTPS traffic, you see the encrypted payload — not the plaintext. You can see that a connection was made, the IP addresses and ports involved, certificate negotiation details, and packet sizes. But the actual HTTP request and response content inside TLS is not readable. To inspect TLS content you need the session keys, which requires application-level cooperation.

Misconception 3: Running tcpdump impacts traffic

tcpdump captures copies of packets; it does not affect the packets themselves. Traffic flows normally. The only impact is CPU and disk I/O from the capture process itself. On very high-throughput links (10 Gbps+), a naive tcpdump capture can drop packets if the ring buffer fills faster than it can be read. For high-speed captures, specialized tools like PF_RING or DPDK-based capture are used.

Misconception 4: tcpdump and Wireshark capture differently

Both use libpcap (or WinPcap/npcap on Windows) as the capture library. They produce the same PCAP format files. The difference is entirely in how they display and analyze the captured data — Wireshark has a rich GUI and deep protocol dissectors; tcpdump prints formatted text to the terminal. A PCAP file captured with tcpdump opens perfectly in Wireshark and vice versa.

Pro Tips for Effective Packet Capture

Always use -n in production captures. DNS resolution per packet can create additional network traffic and dramatically slow output. Resolve IPs after the fact if needed.
Write to file with -w when capturing for analysis. Live terminal output is hard to read and you will miss packets. Capture to a PCAP and analyze it offline in Wireshark or with tcpdump -r.
Rotate capture files with -C and -W. The flags -C 100 -W 10 create a rotating set of 10 files, each 100MB maximum. This prevents a single capture session from filling your disk.
Filter out your own SSH session. When capturing remotely over SSH, add not port 22 to your filter to avoid an endless loop of SSH traffic capturing itself being printed, which then generates more SSH traffic.
Use timestamps carefully. The default timestamp is local time. Use -tttt for human-readable timestamps with date, or -ttt for inter-packet timing (useful for latency analysis).
Combine tcpdump with grep for quick field extraction. Pipe output: tcpdump -n -l | grep -E 'SYN|RST' gives a live feed of connection events. The -l flag enables line-buffered output for pipe compatibility.

Check what traffic your IP is currently generating and receiving.

Frequently Asked Questions

Q.What is tcpdump used for?

tcpdump is a command-line packet analyzer used to capture and display network traffic in real time. It shows the raw IP packets crossing a network interface — including headers, flags, source and destination addresses, and payload data. Network engineers use it for troubleshooting connectivity issues, verifying firewall rules, investigating unexpected traffic, and capturing data for offline analysis in Wireshark.

Q.Do I need root access to run tcpdump?

tcpdump needs the capability to open raw sockets, which traditionally requires root. On Linux you can grant the specific capability with setcap rather than full root: setcap cap_net_raw+eip /usr/bin/tcpdump. Some distributions also allow packet capture for members of the pcap group without full root access.

Q.What is the difference between tcpdump and Wireshark?

Both use libpcap and produce the same PCAP file format — they are compatible. tcpdump is a terminal tool, making it ideal for capturing on remote servers over SSH with minimal resources. Wireshark is a graphical tool with deep protocol dissection, color coding, and powerful display filters for offline analysis. The typical workflow is capture with tcpdump and analyze with Wireshark.

Q.Can tcpdump see encrypted HTTPS traffic?

tcpdump captures the raw packets including the encrypted TLS payload, but cannot decrypt it. You can see that a connection was made, the IP addresses and ports, and the size of packets. The actual HTTP content inside the TLS session is not readable without the session keys. tcpdump shows the envelope, not the message contents.

Q.How do I save tcpdump output to a file?

Use the -w flag followed by a filename: tcpdump -w capture.pcap. This writes packets in binary PCAP format rather than printing to screen. Read the file back later with tcpdump -r capture.pcap or open it directly in Wireshark. For long captures, use -C 100 -W 10 to create rotating 100MB files.

Q.How do I filter tcpdump to a specific IP address?

Use the host filter: tcpdump host 192.168.1.1 captures all traffic to or from that IP. To filter by direction, use src (source) or dst (destination): tcpdump src 192.168.1.1 captures only traffic originating from that IP. Combine with logical operators: tcpdump 'src 192.168.1.1 and dst port 443' captures HTTPS traffic from that specific host.

Q.What do the TCP flags in tcpdump output mean?

TCP flags appear in brackets in tcpdump output. S = SYN (connection initiation), A = ACK (acknowledgment), F = FIN (graceful close), R = RST (abrupt reset), P = PSH (push data immediately). A normal three-way handshake shows [S], then [S.] (SYN-ACK), then [.] (ACK). Seeing [R] or [R.] indicates a connection was refused or forcibly closed.

Q.Does running tcpdump affect network performance?

tcpdump captures copies of packets and does not interfere with the packets themselves. The main overhead is CPU and disk I/O from the capture process. On standard production servers handling typical workloads, the impact is negligible. On very high throughput links (10 Gbps and above), a full capture without hardware assistance can drop packets when the ring buffer fills faster than it can be read.

Q.How do I capture traffic on all interfaces with tcpdump?

Use -i any: tcpdump -i any captures traffic on all network interfaces simultaneously. This is useful when you don't know which interface traffic is arriving on. Note that on some systems, using -i any prevents some lower-level details from being captured correctly.

Q.How do I stop tcpdump from resolving hostnames?

Use the -n flag: tcpdump -n. This prevents tcpdump from performing reverse DNS lookups on IP addresses. Always use this on production captures — without it, tcpdump makes DNS queries for every captured IP, creating additional traffic, slowing output significantly, and potentially interfering with the traffic you are trying to analyze.

Q.What is BPF in the context of tcpdump?

BPF stands for Berkeley Packet Filter. It is a kernel-level virtual machine that evaluates filter expressions against packets before they reach user space. When you write a tcpdump filter like 'host 10.0.0.1', tcpdump compiles it into BPF bytecode and installs it in the kernel. Only packets matching the filter are passed to tcpdump, which is why filtering is efficient even at high packet rates.

Q.Can tcpdump capture traffic on a remote server?

Yes, via SSH. Connect to the remote server and run tcpdump there. To analyze in Wireshark in real time, pipe the output over SSH: ssh user@server tcpdump -U -n -w - 'not port 22' | wireshark -k -i -. This streams the PCAP data over the SSH connection to your local Wireshark instance.

TOPICS & TAGS

tcpdumppacket analyzercommand line networkinglinux forensicsip headerwhat is tcpdump reading raw ip packets guide 2026watching matrix code internet data in the terminalcommand line packet analyzer tool for linux networkingintercepting raw data flowing in and out of your interfacefiltering the noise with src and dst ip address commandsreal time network forensic transcripts for it professionalsunmasking headers ports and payload sizes for debuggingit guide to packet capture and low level internet analysisbeyond guis for high precision network troubleshootingtechnical tutorial for advanced tcpdump filtering logicimpact of packet analysis on identifying network attackssecuring your server by monitoring observable traffic flowsessential toolkit for sysadmins and network engineers 2026professional tips for reading and saving pcap data filesfuture of high speed 100g packet capture and analysistcpdump filterstcpdump pcap capturetcpdump vs wiresharktcpdump bpf filternetwork packet capture linuxtcpdump tutorialtcpdump flags