
Tcpdump

15 cards — 🟢 5 easy | 🟡 7 medium | 🔴 3 hard

🟢 Easy (5)

1. What does tcpdump -i eth0 do?

Answer: Captures packets on the eth0 interface only. Use -i any to capture on all interfaces; on Linux that uses the "cooked" pseudo-interface, so you see every interface's traffic but not the real Ethernet headers.

Remember: "tcpdump -i = interface, -n = numeric, -w = write, -r = read." The essential four flags.

Example: tcpdump -ni eth0 -w capture.pcap -c 100 captures 100 packets on eth0 to a file.

2. What does the -nn flag do in tcpdump?

Answer: Disables both hostname and port-name resolution, so output shows raw IP addresses and port numbers. Faster and unambiguous for debugging.

Remember: "Two n's = no names at all." -n disables host resolution, -nn disables both host and port name resolution.

Gotcha: Without -n, tcpdump does a reverse DNS lookup for every address it prints. That is very slow on busy networks, and it also tells your resolver which hosts you are investigating. Port names come from /etc/services and cost nothing, but -nn keeps the output consistent.

3. How do you save a tcpdump capture for later analysis?

Answer: Use -w file.pcap to write the raw packets to a pcap file. Read it back with tcpdump -r file.pcap (you can add -n, -A, -X or a filter at read time) or open it in Wireshark.

Remember: "pcap = packet capture format." Wireshark, tcpdump, and tshark all use pcap. -w writes it, -r reads it.

Example: Capture on server, analyze on laptop: tcpdump -w cap.pcap on server, then scp + wireshark on laptop.

4. How do you capture only DNS traffic with tcpdump?

Answer: tcpdump -ni any port 53. DNS uses port 53 for both UDP queries and the TCP fallback. This misses DNS over TLS (port 853) and DNS over HTTPS (port 443), which look like ordinary TLS sessions.

Remember: "Port 53 = DNS." UDP for ordinary queries; TCP for zone transfers and for responses the server had to truncate (TC bit set) because they did not fit in a UDP packet.

Fun fact: DNS dates from 1983 (RFC 882/883); RFC 1035, the specification still in force today, was published in 1987.

5. How do you limit tcpdump to capture only N packets?

Answer: Use -c N. For example, tcpdump -c 10 -ni any port 80 captures exactly 10 packets matching the filter, then exits.

Remember: "lowercase -c = count." -c N stops after N packets; uppercase -C N rotates the output file every N million bytes. Easy to confuse when typing quickly.

🟡 Medium (7)

1. How do you filter tcpdump for traffic to a specific host AND port?

Answer: Use a compound filter: tcpdump -ni eth0 'host 1.2.3.4 and port 80'. Filters support and, or, not, and parentheses for grouping. host matches either direction, so add src or dst if you mean only one.

Remember: "tcpdump filter syntax = BPF (Berkeley Packet Filter)." Operators: and, or, not. Quote the whole filter so the shell does not interpret parentheses. tcpdump -d 'filter' prints the compiled BPF program, a quick way to check that a filter parses the way you intended.

2. How do you capture only traffic originating from a specific IP?

Answer: Use src: tcpdump -ni eth0 src host 10.0.0.5. Similarly, dst host filters on destination only.

Remember: "src = source, dst = destination." Both can filter by host or port.

Example: tcpdump -ni eth0 'src port 80' captures only packets whose source port is 80 (the web server's replies), not the requests going to it.

3. What TCP flags should you look for in tcpdump output to confirm a successful connection?

Answer: SYN from the client ([S]), SYN-ACK from the server ([S.]), then ACK from the client ([.]). Those three packets complete the TCP three-way handshake. If the SYN goes out and a RST comes back, the port is closed (no listener) or a firewall is set to reject. If you see only the SYN, repeated with growing gaps and nothing in return, a firewall is dropping it silently or the host is unreachable.

Remember: "SYN-SYN/ACK-ACK = TCP three-way handshake." Flags in tcpdump: [S] = SYN, [S.] = SYN-ACK, [.] = ACK.

Gotcha: [R] = RST, [R.] = RST-ACK. A RST in reply to a SYN usually means nothing is listening on that port (or a firewall rejects rather than drops); a RST in the middle of an established connection means one side aborted it, and a firewall injecting resets looks exactly the same on the wire.
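The classification above, as an added example that is not part of the original deck: a small Python parser that reads tcpdump's text output and sorts each connection attempt into established, refused (RST) or no reply (filtered). The sample lines are constructed in the format tcpdump -n prints and are not from a real capture; the hosts, ports and timings are hypothetical.

```python
import re

# Constructed sample lines (not a real capture): three connection attempts from 10.0.0.5.
SAMPLE = """\
12:00:00.000100 IP 10.0.0.5.51000 > 10.0.0.9.443: Flags [S], seq 1000, win 64240, options [mss 1460,sackOK,TS val 1 ecr 0,nop,wscale 7], length 0
12:00:00.000300 IP 10.0.0.9.443 > 10.0.0.5.51000: Flags [S.], seq 5000, ack 1001, win 65160, options [mss 1460,sackOK,TS val 2 ecr 1,nop,wscale 7], length 0
12:00:00.000400 IP 10.0.0.5.51000 > 10.0.0.9.443: Flags [.], ack 1, win 502, options [nop,nop,TS val 3 ecr 2], length 0
12:00:01.000100 IP 10.0.0.5.51001 > 10.0.0.9.8080: Flags [S], seq 2000, win 64240, options [mss 1460], length 0
12:00:01.000200 IP 10.0.0.9.8080 > 10.0.0.5.51001: Flags [R.], seq 0, ack 2001, win 0, length 0
12:00:02.000100 IP 10.0.0.5.51002 > 10.0.0.9.22: Flags [S], seq 3000, win 64240, options [mss 1460], length 0
12:00:03.000100 IP 10.0.0.5.51002 > 10.0.0.9.22: Flags [S], seq 3000, win 64240, options [mss 1460], length 0
12:00:05.000100 IP 10.0.0.5.51002 > 10.0.0.9.22: Flags [S], seq 3000, win 64240, options [mss 1460], length 0
"""

# Matches "<ts> IP <src>.<sport> > <dst>.<dport>: Flags [..]". The ".*?" skips the
# interface and In/Out columns that newer tcpdump prints with -i any.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+).*?\bIP6? "
    r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def classify_handshakes(text):
    """Track each client SYN and decide how the handshake ended."""
    flows = {}                                   # (client, cport, server, sport) -> state
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        flags = m["flags"]
        fwd = (m["src"], m["sport"], m["dst"], m["dport"])
        rev = (m["dst"], m["dport"], m["src"], m["sport"])
        if flags == "S":                         # bare SYN: new attempt, or a retransmit of one
            st = flows.setdefault(fwd, {"syn": 0, "synack": False, "rst": False, "ack": False})
            st["syn"] += 1
        elif rev in flows:                       # packet from the server side of a known attempt
            st = flows[rev]
            if flags == "S.":
                st["synack"] = True
            elif "R" in flags:
                st["rst"] = True
        elif fwd in flows:                       # client's third packet completes the handshake
            if flags == "." and flows[fwd]["synack"]:
                flows[fwd]["ack"] = True

    result = {}
    for (c, cp, s, sp), st in flows.items():
        if st["synack"] and st["ack"]:
            verdict = "established"
        elif st["synack"]:
            verdict = "syn-ack seen, final ack missing"
        elif st["rst"]:
            verdict = "refused: RST in reply to SYN (nothing listening, or firewall reject)"
        else:
            verdict = f"no reply after {st['syn']} SYN(s): dropped by a firewall or host unreachable"
        result[f"{c}:{cp} -> {s}:{sp}"] = verdict
    return result


if __name__ == "__main__":
    for flow, verdict in classify_handshakes(SAMPLE).items():
        print(f"{flow}: {verdict}")
```

Feed it real output with `tcpdump -ni any 'tcp[tcpflags] & (tcp-syn|tcp-rst) != 0 or tcp[tcpflags] == tcp-ack' | python3 classify.py`, or read the file produced by `tcpdump -r capture.pcap -n`.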

4. What does -s 0 do in tcpdump and when should you use it?

Answer: Sets the snapshot length (bytes kept per packet) to "whole packet", so nothing is truncated. Use it when you need complete payloads, such as when saving pcaps for detailed analysis. On tcpdump before 4.0 the default snaplen was 68 bytes, enough for headers but not payload; since 4.0 the default is 65535 bytes (later 262144), so -s 0 mostly matters on old versions and in scripts that must run on them. The reverse is useful too: a small -s such as 128 keeps long captures compact when you only need headers.

5. What is the difference between tcpdump -A and tcpdump -X?

Answer: -A prints each packet's payload as ASCII, with non-printable bytes shown as dots. -X prints hex and ASCII side by side; -XX also includes the link-layer (Ethernet) header. Use -A for text protocols such as HTTP or SMTP; use -X for binary protocols and whenever the exact bytes matter. Both show only what the snaplen captured.

6. What does seeing retransmissions in tcpdump output indicate?

Answer: A segment was sent and not acknowledged in time, so the sender sent it again. tcpdump does not label retransmissions the way Wireshark does; you recognise them as the same seq value sent twice, or the same SYN repeated with gaps that roughly double each time. Common causes: congestion or loss on the path, a firewall dropping packets silently, an MTU problem (large segments never arrive while small ones do), or a remote host too slow to respond. The timing between copies tells you which: steady loss looks like occasional repeats, a black hole looks like every large segment repeating until the connection gives up.

7. How do you capture only TCP or only UDP traffic?

Answer: Use the protocol keyword as the filter: tcpdump -ni any tcp or tcpdump -ni any udp. They can be combined: tcpdump -ni any 'tcp port 443 or udp port 53'.

🔴 Hard (3)

1. You run tcpdump and see zero packets. What are the most likely causes?

Answer: Wrong interface (-i eth0 when the traffic is on another NIC, on lo, or on a bridge or VLAN sub-interface; try -i any), wrong network namespace (a container's traffic is only visible from inside its namespace, for example with nsenter -t <pid> -n tcpdump -ni eth0), a filter stricter than you think (VLAN-tagged frames do not match 'port 80'; use 'vlan and port 80'), traffic that never reaches this host's kernel stack (a switch that is not mirroring it to you, or a NIC bypassed by SR-IOV, DPDK or an XDP redirect), or insufficient privileges (root, or CAP_NET_RAW plus CAP_NET_ADMIN). NIC offload (GRO/TSO) does not hide packets; it makes them look larger than the MTU or show bad checksums.

2. Describe a tcpdump workflow to debug DNS resolution failure.

Answer: 1. Run tcpdump -ni any port 53. Use -i any: a local stub such as systemd-resolved answers on 127.0.0.53, so the application's own queries appear only on lo while eth0 shows the upstream ones.
2. Trigger the lookup (dig name, or the failing application request).
3. Check that queries leave at all, and to which resolver IP; compare with /etc/resolv.conf. No query on the wire means the failure is local (stub resolver, cache, nsswitch order).
4. Check that responses come back and read what tcpdump prints after the transaction ID: a bare answer count such as 1/0/0 means NoError; NXDomain, ServFail and Refused are printed by name.
5. The same query repeated every few seconds with no reply means the resolver is unreachable or a firewall drops UDP/53. NXDomain means the name does not exist at that resolver (wrong search domain or split-horizon view). ServFail means the resolver itself failed (upstream outage, DNSSEC validation failure).
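Steps 3 to 5 above, as an added example that is not part of the original deck: a Python script that correlates the queries and responses in tcpdump's port-53 output by client port and transaction ID, then reports which resolver was used, which names were answered, which came back with an error code and which were retried without any reply. The sample lines are constructed in tcpdump -n format (not a real capture); the client 10.0.0.5, the resolvers 10.0.0.2 and 192.0.2.10 and the names are hypothetical.

```python
import re
from collections import OrderedDict

# Constructed sample output (not a real capture). The last query is sent three times
# to a resolver that never answers; the others get NoError, NXDomain and ServFail.
SAMPLE = """\
12:00:00.000100 IP 10.0.0.5.41234 > 10.0.0.2.53: 27312+ A? api.example.com. (33)
12:00:00.000450 IP 10.0.0.2.53 > 10.0.0.5.41234: 27312 1/0/0 A 203.0.113.10 (49)
12:00:01.000200 IP 10.0.0.5.41235 > 10.0.0.2.53: 27313+ [1au] A? nosuch.example.com. (47)
12:00:01.000900 IP 10.0.0.2.53 > 10.0.0.5.41235: 27313 NXDomain 0/1/0 (96)
12:00:13.000100 IP 10.0.0.5.41237 > 10.0.0.2.53: 27315+ AAAA? broken.example.net. (36)
12:00:13.000800 IP 10.0.0.2.53 > 10.0.0.5.41237: 27315 ServFail 0/0/0 (36)
12:00:02.000300 IP 10.0.0.5.41236 > 192.0.2.10.53: 27314+ A? internal.corp. (31)
12:00:07.000300 IP 10.0.0.5.41236 > 192.0.2.10.53: 27314+ A? internal.corp. (31)
12:00:12.000300 IP 10.0.0.5.41236 > 192.0.2.10.53: 27314+ A? internal.corp. (31)
"""

# "<ts> IP <src>.<sport> > <dst>.<dport>: <txid><rest>"; ".*?" skips the interface and
# In/Out columns newer tcpdump prints with -i any.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+).*?\bIP6? "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<id>\d+)(?P<rest>.*)$"
)
# Query side: optional flag characters (+ = RD), optional EDNS note like [1au], then "A? name".
QUERY_RE = re.compile(r"^[+*%$]*\s*(?:\[[^\]]*\]\s*)?(?P<qtype>[A-Z0-9]+)\? (?P<name>\S+)")
# Error codes tcpdump prints by name; a plain answer count means NoError.
RCODES = ("NXDomain", "ServFail", "Refused", "FormErr", "NotImp")


def analyze_dns(text):
    """Pair each query with its response by (client, client port, resolver, txid)."""
    txns = OrderedDict()
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        if m["dport"] == "53":                               # client -> resolver
            q = QUERY_RE.match(m["rest"])
            if not q:
                continue
            key = (m["src"], m["sport"], m["dst"], m["id"])
            t = txns.setdefault(key, {"name": q["name"], "qtype": q["qtype"],
                                      "resolver": m["dst"], "sent": 0, "rcode": None})
            t["sent"] += 1                                   # >1 means the client retried
        elif m["sport"] == "53":                             # resolver -> client
            t = txns.get((m["dst"], m["dport"], m["src"], m["id"]))
            if t is None:
                continue                                     # response with no matching query
            t["rcode"] = next((r for r in RCODES if r in m["rest"]), "NoError")
    return {
        "resolvers": sorted({t["resolver"] for t in txns.values()}),
        "answered": [t["name"] for t in txns.values() if t["rcode"] == "NoError"],
        "errors": [(t["name"], t["rcode"]) for t in txns.values()
                   if t["rcode"] not in (None, "NoError")],
        "unanswered": [t["name"] for t in txns.values() if t["rcode"] is None],
        "retransmits": {t["name"]: t["sent"] - 1 for t in txns.values() if t["sent"] > 1},
    }


if __name__ == "__main__":
    r = analyze_dns(SAMPLE)
    print("resolvers in use:", r["resolvers"])
    for name in r["unanswered"]:
        tries = r["retransmits"].get(name, 0) + 1
        print(f"{name}: no response after {tries} tries -> resolver unreachable or UDP/53 dropped")
    for name, rc in r["errors"]:
        hint = "name does not exist at this resolver" if rc == "NXDomain" else "resolver-side failure"
        print(f"{name}: {rc} -> {hint}")
```

On a live host, pipe the capture in with `tcpdump -lni any port 53 | python3 dnscheck.py`; -l makes tcpdump line-buffer its output so the pipe does not stall.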

3. Can tcpdump decrypt HTTPS traffic? What can you still learn from it?

Answer: No. tcpdump records bytes on the wire and has no key material, so TLS payloads stay opaque (unlike Wireshark, it cannot use an SSLKEYLOGFILE). Still visible in cleartext: the TCP handshake and its timing, retransmits and resets, the ClientHello with the SNI hostname (unless Encrypted Client Hello is in use), the offered TLS versions and cipher suites, the server's certificate chain in TLS 1.2 (it is encrypted in TLS 1.3), record sizes and timing, and whether the handshake completes or dies with an alert.
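The "what you can still learn" point above, as an added example that is not part of the original deck: the SNI hostname sits in cleartext in the ClientHello, and you can pull it out of a tcpdump -X hex dump without any keys. The script builds a minimal constructed ClientHello inside a constructed IPv4/TCP packet (checksums left at zero, random field zeroed; not a real capture), renders it in the layout tcpdump -X uses, then parses that text back into bytes, skips the IP and TCP headers using their length fields, and walks the ClientHello to the server_name extension. The hostname internal.example.com and the addresses are hypothetical.

```python
import re
import struct


def build_client_hello(hostname):
    """Constructed minimal TLS ClientHello (TLS 1.2 framing) carrying one SNI entry."""
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type 0 = host_name
    sni_ext = (struct.pack("!HH", 0x0000, len(sni_entry) + 2)           # ext type 0 + ext length
               + struct.pack("!H", len(sni_entry)) + sni_entry)         # server_name_list
    body = (b"\x03\x03" + bytes(32)                                     # version, zeroed random
            + b"\x00"                                                   # empty session id
            + struct.pack("!H", 4) + b"\x13\x01\xc0\x2f"                # two cipher suites
            + b"\x01\x00"                                               # null compression only
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body           # handshake type 1
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def build_packet(payload):
    """Constructed IPv4 + TCP wrapper (no options, checksums zero) so offsets are realistic."""
    tcp = struct.pack("!HHIIBBHHH", 51000, 443, 1, 1, 5 << 4, 0x18, 502, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0x4000,
                     64, 6, 0, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]))
    return ip + tcp + payload


def render_hexdump(data):
    """Lay bytes out the way tcpdump -X does: offset, 8 groups of 2 bytes, ASCII column."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        groups = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"\t0x{off:04x}:  {groups:<39}  {asc}")
    return "\n".join(lines)


HEX_LINE = re.compile(r"^\s*0x[0-9a-fA-F]+:\s{2}(.*?)(?:\s{2}.*)?$")


def hexdump_to_bytes(text):
    """Reassemble packet bytes from tcpdump -X lines; the ASCII column follows two spaces."""
    out = bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m:
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)


def tcp_payload(pkt):
    """Skip the IPv4 and TCP headers, honouring IHL and data offset so options are handled."""
    if pkt[0] >> 4 != 4:
        raise ValueError("only IPv4 handled here")
    ihl = (pkt[0] & 0x0F) * 4
    doff = (pkt[ihl + 12] >> 4) * 4
    return pkt[ihl + doff:]


def extract_sni(data):
    """Return the SNI host_name from a TLS ClientHello record, or None if there is none."""
    if len(data) < 5 or data[0] != 0x16:                 # 0x16 = handshake record
        return None
    hs = data[5:5 + int.from_bytes(data[3:5], "big")]
    if len(hs) < 4 or hs[0] != 0x01:                      # 0x01 = ClientHello
        return None
    p = 4 + 2 + 32                                        # handshake header, version, random
    p += 1 + hs[p]                                        # session id
    p += 2 + int.from_bytes(hs[p:p + 2], "big")           # cipher suites
    p += 1 + hs[p]                                        # compression methods
    if p + 2 > len(hs):
        return None                                       # no extensions at all
    end = p + 2 + int.from_bytes(hs[p:p + 2], "big")
    p += 2
    while p + 4 <= end:
        etype = int.from_bytes(hs[p:p + 2], "big")
        elen = int.from_bytes(hs[p + 2:p + 4], "big")
        p += 4
        if etype == 0:                                    # server_name extension
            q = p + 2                                     # skip server_name_list length
            while q + 3 <= p + elen:
                ntype, nlen = hs[q], int.from_bytes(hs[q + 1:q + 3], "big")
                q += 3
                if ntype == 0:
                    return hs[q:q + nlen].decode("ascii", "replace")
                q += nlen
        p += elen
    return None


if __name__ == "__main__":
    dump = render_hexdump(build_packet(build_client_hello("internal.example.com")))
    print(dump)
    print("SNI:", extract_sni(tcp_payload(hexdump_to_bytes(dump))))
```

With a real capture, `tcpdump -nX -r capture.pcap 'tcp dst port 443 and tcp[((tcp[12:1] & 0xf0) >> 2):1] = 0x16'` keeps only TLS handshake records; paste one packet's dump into hexdump_to_bytes and the rest of the pipeline applies unchanged.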