tcpdump command in linux is a command-line packet analyzer that captures and filters network traffic in real time using libpcap.
```bash
sudo tcpdump -i any -c 5
```
Syntax
tcpdump [ -A ] [ -c count ] [ -C file_size ] [ -D ] [ -i interface ] [ -l ] [ -n ] [ -nn ] [ -r file ] [ -s snaplen ] [ -S ] [ -v ] [ -vv ] [ -w file ] [ -W filecount ] [ -x ] [ -X ] [ --buffer-size=size ] [ --count ] [ --direction ] [ --dont-verify-checksums ] [ --help ] [ --immediate-mode ] [ --interface ] [ --ip-oneline ] [ --list-interfaces ] [ --version ] [ expression ]
Options and Flags
| Flag | Type | Default | Description |
|---|---|---|---|
| -i | String (interface) | First available | Listen on the specified interface. Use `any` for all interfaces. |
| -c | Integer | Unlimited | Exit after receiving `count` packets. |
| -n | Flag | Off | Do not resolve hostnames (faster, cleaner output). |
| -nn | Flag | Off | Do not resolve hostnames or port numbers. |
| -v | Flag | Off | Produce verbose output. Use `-vv` for more detail. |
| -w | String (file) | None | Write raw packets to a file (pcap format). |
| -r | String (file) | None | Read packets from a pcap file. |
| -s | Integer | 262144 bytes | Snapshot length; set `0` for full packet capture. |
| -D | Flag | None | List available network interfaces (index and name). |
| -X | Flag | Off | Print hex and ASCII of the packet payload. |
| -XX | Flag | Off | Like `-X` but includes the Ethernet header. |
| -A | Flag | Off | Print the packet payload in ASCII only. |
| -C | Integer | Unlimited | Rotate the dump file when its size exceeds `file_size` (in units of 1,000,000 bytes). |
| -W | Integer | Unlimited | Limit the number of rotated dump files (used with `-C`). |
| --buffer-size | Integer | System default | Set the kernel capture buffer size in KiB (e.g., `--buffer-size=4096`). |
Usage Examples
Capture all traffic on a specific interface
```bash
sudo tcpdump -i eth0 -n -c 100
```
Captures 100 packets on eth0 without hostname resolution. Useful for initial interface diagnostics.
Filter HTTP traffic on port 80 and save to file
```bash
sudo tcpdump -i any -w http_traffic.pcap -s 0 port 80
```
Writes full-size HTTP packets (port 80) from all interfaces to a pcap file. Analyze it later with `tcpdump -r http_traffic.pcap -X`.
Filter by source host and destination port
```bash
sudo tcpdump -i eth0 -nn src 192.168.1.10 and dst port 443
```
Shows only outbound HTTPS traffic from a specific host, with numeric addresses and ports. Combine with `-vv` for full TCP handshake details.
Read a capture file and display payload in hex+ASCII
```bash
tcpdump -r captured.pcap -X -c 50
```
Decodes the first 50 packets from a saved capture, showing the hex dump and ASCII payload for deep inspection.
Troubleshooting & Common Errors
| Error Message | Root Cause | Resolution Command |
|---|---|---|
| You don't have permission to capture on that device | tcpdump requires root or CAP_NET_RAW | `sudo tcpdump ...` or grant capabilities: `sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump` |
| tcpdump: no suitable device found | Interface does not exist or is down | List interfaces with `sudo tcpdump -D`; check link status with `ip link show` |
| tcpdump: pcap_activate: can't set promiscuous mode | User lacks capability or interface is in monitor mode | Run as root; verify the interface supports promiscuous mode |
| tcpdump: Warning: interface 'any' has unsupported link type (LINUX_SLL) | Normal for the pseudo-device 'any' | Ignore, or use a specific physical interface to get Ethernet headers |
| tcpdump: snaplen exceeds packet length | Snapshot length larger than MTU | Set `-s 0` for full packets; the default 262144 is usually sufficient |
Performance Considerations and Tuning
Performance depends on kernel buffering, snapshot length, and file rotation. Key knobs:
- Buffer size: `--buffer-size=size` sets the kernel capture buffer in KiB. The default varies (often 2 MB). Larger buffers reduce drops under bursts. Example: `tcpdump --buffer-size=4096 -i eth0`.
- Snapshot length (snaplen): `-s` truncates each packet; the default is 262144 bytes. Smaller values save memory. Example: `tcpdump -s 64 -i eth0` captures only headers.
- File rotation: `-C file_size` rotates when the file exceeds `file_size` (in units of 1,000,000 bytes). `-W count` limits the number of files. Example: `tcpdump -i eth0 -w trace -C 100 -W 5` rotates at 100 MB but keeps only 5 files.
- Overhead reduction: Use `-n` to skip DNS, and run on a specific interface (not `any`) to avoid the LINUX_SLL pseudo-header. tcpdump is single-threaded; run multiple instances on separate interfaces if needed.
On high-throughput links, increasing buffer size and reducing snaplen significantly decreases packet drops. The TPACKET_V3 kernel API (used automatically when available) provides a pre-allocated ring buffer for zero-copy capture.
Frequently Asked Questions
What is the difference between -i any and -i eth0?
Answer: -i any captures packets from all active interfaces; -i eth0 captures only from that specific interface. Using -i any requires root and disables hardware timestamping. -i eth0 allows link-layer headers and better performance on high-traffic interfaces.
```bash
# Capture on all interfaces
tcpdump -i any
# Capture only on eth0
tcpdump -i eth0
```
When should I use the -c flag?
Answer: Use -c N to exit after capturing exactly N packets, ideal for automated scripts or limited sampling. Without -c, tcpdump runs until interrupted.
```bash
# Capture 10 packets then exit
sudo tcpdump -c 10 -i eth0
```
How do I fix "tcpdump: no suitable device found"?
Answer: Run with sudo or verify interface existence with ip link show. This error occurs when the interface name is wrong or permissions are insufficient.
```bash
# Check available interfaces
ip link show
# Run with the correct interface
sudo tcpdump -i eth0
```
Does tcpdump work on all Linux distributions?
Answer: Yes, tcpdump is available on all major distros via libpcap. Install commands vary: apt, yum, dnf, zypper. The tool behavior is identical across distributions.
```bash
# Debian/Ubuntu
sudo apt-get install tcpdump
# RHEL/CentOS/Fedora
sudo yum install tcpdump
```
What is the fastest way to capture only HTTP GET requests?
Answer: Use a BPF filter that matches the bytes "GET " in the TCP payload: `tcp port 80 and (tcp[((tcp[12] & 0xf0) >> 2):4] = 0x47455420)`. The expression reads the TCP data offset from the upper nibble of byte 12, scales it to bytes, and compares the four payload bytes at that offset with 0x47455420 ("GET " in ASCII). This avoids post-capture filtering, reducing CPU overhead.
```bash
sudo tcpdump -i eth0 -A 'tcp port 80 and (tcp[((tcp[12] & 0xf0) >> 2):4] = 0x47455420)'
```
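The following added example (not from the original page or from tcpdump itself) shows, in Python, what the GET filter above actually tests on a packet, and ties it to the `-w`/`-s`/`-r` options from the usage and performance sections: it writes constructed Ethernet/IPv4/TCP frames into a classic little-endian pcap file in memory, reads them back, and applies the filter. The frames, addresses and timestamps are constructed sample data; note how a snaplen that cuts off the payload makes the filter miss.

```python
import struct

PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1   # classic pcap, microsecond timestamps

def build_frame(payload: bytes, tcp_opts: bytes = b"") -> bytes:
    """Constructed Ethernet/IPv4/TCP frame to port 80 (sample data, not a real capture)."""
    eth = bytes(12) + b"\x08\x00"                        # zero MACs, EtherType IPv4
    tcp_len = 20 + len(tcp_opts)                         # header + options, multiple of 4
    data_off = (tcp_len // 4) << 4                       # upper nibble of tcp[12]
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, data_off, 0x18, 65535, 0, 0) + tcp_opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len + len(payload), 0, 0,
                     64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + tcp + payload

def write_pcap(frames, snaplen=262144) -> bytes:
    """Equivalent of 'tcpdump -w file -s snaplen': global header + one record per frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        cap = f[:snaplen]                                # -s truncates what gets stored
        out += struct.pack("<IIII", 1700000000 + i, 0, len(cap), len(f)) + cap
    return out

def read_pcap(data: bytes):
    """Yield (captured_bytes, original_length) per record, as 'tcpdump -r' reads them."""
    assert struct.unpack("<I", data[:4])[0] == PCAP_MAGIC, "only little-endian pcap handled"
    pos = 24
    while pos + 16 <= len(data):
        _, _, incl, orig = struct.unpack("<IIII", data[pos:pos + 16])
        pos += 16
        yield data[pos:pos + incl], orig
        pos += incl

def matches_get_filter(frame: bytes) -> bool:
    """Python rendering of: tcp port 80 and (tcp[((tcp[12] & 0xf0) >> 2):4] = 0x47455420)"""
    if frame[12:14] != b"\x08\x00" or len(frame) < 34:   # need IPv4 with a full IP header
        return False
    ip = frame[14:]
    if ip[9] != 6:                                       # IPv4 protocol 6 = TCP
        return False
    tcp = ip[(ip[0] & 0x0F) * 4:]                        # IHL (words) * 4 = IP header bytes
    if len(tcp) < 20:
        return False
    sport, dport = struct.unpack("!HH", tcp[:4])
    if 80 not in (sport, dport):
        return False
    off = (tcp[12] & 0xF0) >> 2                          # data offset (words) * 4 = bytes
    return tcp[off:off + 4] == b"GET "                   # 0x47455420 big-endian

def grep_gets(pcap: bytes):
    """Indexes of records whose stored bytes start an HTTP GET (truncated records miss)."""
    return [i for i, (f, _) in enumerate(read_pcap(pcap)) if matches_get_filter(f)]
```

The third constructed frame carries four bytes of TCP options, which is exactly the case where hard-coding offset 20 instead of reading `tcp[12]` would fail.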

Command Line Expert & Software Engineer
Welcome! I’m Thomas Heinrich, a software engineer and system administrator with a deep passion for the Command Line Interface (CLI). With years of experience navigating the terminal, building backend architectures, and automating server deployments, I created this space to share practical, real-world terminal knowledge.
Whether you are a beginner taking your first steps in a Linux environment or a seasoned DevOps engineer looking to optimize your deployment scripts, you will find actionable solutions here. My goal is to help you ditch the mouse, speed up your workflow, and harness the full power of the command line.