Drill: Capture and Filter Traffic with tcpdump

Goal

Use tcpdump to capture network traffic and apply filters by host, port, and protocol for targeted debugging.

Setup

  • Linux system with tcpdump installed (apt install tcpdump or yum install tcpdump)
  • Root access, or the CAP_NET_RAW capability (plus CAP_NET_ADMIN if promiscuous mode is needed)

Commands

Capture all traffic on an interface:

tcpdump -i eth0 -c 20

Filter by host:

tcpdump -i any host 10.0.0.5

Filter by port:

tcpdump -i any port 443

Filter by protocol:

tcpdump -i any icmp
tcpdump -i any tcp
tcpdump -i any udp port 53

Combine filters with boolean logic:

tcpdump -i any 'host 10.0.0.5 and port 80'
tcpdump -i any 'src host 10.0.0.5 or dst host 10.0.0.6'
tcpdump -i any 'port 80 and not host 10.0.0.1'

Save capture to a file for later analysis (stops after 1000 matching packets; read the file back later with the -r option, adding -nn as for a live capture):

tcpdump -i eth0 -w /tmp/capture.pcap -c 1000 port 443

Show packet contents in ASCII. Keep options before the filter expression: on platforms where getopt stops at the first non-option word, a trailing -c 10 is treated as part of the filter and rejected:

tcpdump -i any -A -c 10 port 80

Show packet contents in hex and ASCII:

tcpdump -i any -X -c 10 port 80

Disable name resolution for faster output. The first n stops reverse DNS lookups on addresses; the second also stops port and protocol name lookups, so you see 8080 rather than a service name:

tcpdump -nn -i any port 8080

What to Look For

  • TCP flags as tcpdump prints them inside Flags [...]: S (SYN), S. (SYN-ACK), . (ACK only), P (PSH), F (FIN), R (RST)
  • A SYN repeated several times with no SYN-ACK and no RST means something is silently dropping the packet or its reply: a DROP firewall rule, a host that is down, or an asymmetric route
  • A RST (usually R.) answering a SYN means the port is closed or a REJECT rule replied with a reset; a RST in the middle of an established stream means one side aborted the connection
  • DNS queries and responses on port 53 reveal resolution behavior: which resolver is asked, whether answers come back, and how often the client retries
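
As an added example, not part of the original drill: a small POSIX shell/awk function that post-processes tcpdump -nn text output and classifies each client-to-server handshake as answered (SYN-ACK seen), refused (RST came back) or no-reply (SYN retransmitted, nothing returned), which is exactly the triage described in the list above. The sample lines are constructed, not a real capture; the function name classify_handshakes and its output format are assumptions of this example. It assumes -nn output (numeric addresses in A.B.C.D.port form) and tolerates the extra interface/direction columns that -i any prints on newer tcpdump versions.

```sh
#!/bin/sh
# Added example, not from the original drill: classify TCP handshakes found in
# `tcpdump -nn` text output. Assumes numeric (-nn) output in the
# "A.B.C.D.port > A.B.C.D.port: Flags [..]" form; the extra "eth0  Out"
# columns that `-i any` prints on newer tcpdump are tolerated.

# Constructed sample of tcpdump -nn output (not a real capture):
# flow 1 completes, flow 2 is refused with a RST, flow 3 retransmits its SYN
# three times and never gets an answer.
SAMPLE='12:00:01.000100 IP 10.0.0.5.51234 > 10.0.0.6.80: Flags [S], seq 100, win 64240, options [mss 1460], length 0
12:00:01.000300 IP 10.0.0.6.80 > 10.0.0.5.51234: Flags [S.], seq 500, ack 101, win 65160, options [mss 1460], length 0
12:00:01.000400 IP 10.0.0.5.51234 > 10.0.0.6.80: Flags [.], ack 1, win 502, length 0
12:00:02.000100 IP 10.0.0.5.51235 > 10.0.0.6.8080: Flags [S], seq 200, win 64240, options [mss 1460], length 0
12:00:02.000200 IP 10.0.0.6.8080 > 10.0.0.5.51235: Flags [R.], seq 0, ack 201, win 0, length 0
12:00:03.000100 eth0  Out IP 10.0.0.5.51236 > 10.0.0.7.443: Flags [S], seq 300, win 64240, options [mss 1460], length 0
12:00:04.000100 eth0  Out IP 10.0.0.5.51236 > 10.0.0.7.443: Flags [S], seq 300, win 64240, options [mss 1460], length 0
12:00:06.000100 eth0  Out IP 10.0.0.5.51236 > 10.0.0.7.443: Flags [S], seq 300, win 64240, options [mss 1460], length 0'

# classify_handshakes: read tcpdump -nn lines on stdin and print one line per
# client > server flow that sent a SYN:
#   <client> > <server>  syn=N  result=answered|refused|no-reply
classify_handshakes() {
    awk '
    /Flags \[/ {
        # locate "src > dst:" by the position of ">" rather than by fixed columns
        for (i = 1; i <= NF; i++) if ($i == ">") break
        if (i > NF) next
        src = $(i - 1); dst = $(i + 1); sub(/:$/, "", dst)
        match($0, /Flags \[[^]]*\]/)
        flags = substr($0, RSTART + 7, RLENGTH - 8)      # text between the brackets
        fwd = src " > " dst; rev = dst " > " src
        if (flags ~ /S/ && flags !~ /\./)      syn[fwd]++     # plain SYN: client opens fwd
        else if (flags ~ /S/)                  synack[rev]++  # SYN-ACK answers the reverse flow
        else if (flags ~ /R/)                  rst[rev]++     # RST aimed back at the reverse flow
    }
    END {
        for (k in syn) {
            if (k in synack)   r = "answered"
            else if (k in rst) r = "refused"
            else               r = "no-reply"   # SYN retries with nothing back: silent drop
            printf "%s  syn=%d  result=%s\n", k, syn[k], r
        }
    }' | sort
}

printf '%s\n' "$SAMPLE" | classify_handshakes
```

The report is produced at end of input, so feed it a stream that terminates: a live capture limited with -c (tcpdump -nn -i any -c 500 tcp | classify_handshakes) or a saved file read back with -r. The syn count doubling as a retry counter is the useful signal: a flow with syn=3 and result=no-reply is the silent-drop case from the list above, while result=refused points at a closed port or a REJECT rule.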

Common Mistakes

  • Forgetting -nn and waiting for slow reverse DNS lookups on every packet (the lookups also send every observed address to your resolver, which is rarely what you want during an investigation)
  • Not using -c (or -C and -W to rotate and cap the number of files) when writing with -w, filling the disk with pcap data
  • Capturing on eth0 when the traffic actually flows over lo, a bridge, or a container veth; -i any sees all of them, but without promiscuous mode and with cooked (SLL) headers, so link-layer addresses are not shown
  • Not quoting filter expressions that contain shell metacharacters (parentheses, !, <, >, &), so the shell mangles them before tcpdump sees them

Cleanup

rm -f /tmp/capture.pcap