📡 Hands-On with tcpdump: Capture, Filter, and Understand Network Traffic Like a Pro

Learn the basics of tcpdump with clear examples to start capturing and analyzing network traffic in your Linux environment or homelab.


Ever wondered what's really flying across your network? Whether you're a homelabber, a budding network engineer, or just curious about what’s under the hood, tcpdump is a powerful CLI tool that gives you raw access to live network traffic.

In this hands-on tutorial, we’ll:

  • Capture your first packets
  • Use practical filters
  • Analyze common protocols
  • Save and inspect captures for later
  • Learn real-world use cases

Let’s fire up the terminal and get into the packets.


🧰 What You'll Need

  • A Linux system (physical, VM, or cloud-based)
  • Root/sudo access
  • Basic terminal skills
  • Internet access to generate real traffic

Install tcpdump

# Debian/Ubuntu
sudo apt update && sudo apt install tcpdump

# RHEL/Fedora/CentOS Stream
sudo dnf install tcpdump

🧪 Capture and Analyze Packets


Step 1: 🎛️ List All Network Interfaces

Before capturing packets, list available interfaces using:

sudo tcpdump -D

Output:

$ sudo tcpdump -D
1.wlan0 [Up, Running, Wireless]
2.any (Pseudo-device that captures on all interfaces) [Up, Running]
3.lo [Up, Running, Loopback]
4.eth0 [Up, Disconnected]
5.bluetooth0 (Bluetooth adapter number 0) [Wireless, Association status unknown]
6.bluetooth-monitor (Bluetooth Linux Monitor) [Wireless]
7.nflog (Linux netfilter log (NFLOG) interface) [none]
8.nfqueue (Linux netfilter queue (NFQUEUE) interface) [none]
9.dbus-system (D-Bus system bus) [none]
10.dbus-session (D-Bus session bus) [none]

Here’s what the interfaces mean:

  • eth0, ens3, etc. – Wired Ethernet interfaces
  • wlan0 – Wireless interface (Wi-Fi)
  • lo – Loopback interface (local-only traffic like 127.0.0.1)
  • any – A special interface that listens on all available interfaces at once

🔍 Tip: If you're not sure which interface is active — or you want to capture from both Ethernet and Wi-Fi — use:

sudo tcpdump -i any

You can interrupt capturing by pressing Ctrl+C.

$ sudo tcpdump --interface any
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
00:13:01.900957 wlan0 Out IP 172.16.12.100.ssh > 172.16.12.89.52752: Flags [P.], seq 300908122:300908358, ack 1768104395, win 632, options [nop,nop,TS val 1879296224 ecr 792529652], length 236
00:13:01.909205 wlan0 In  IP 172.16.12.89.52752 > 172.16.12.100.ssh: Flags [.], ack 236, win 2045, options [nop,nop,TS val 792529698 ecr 1879296224], length 0
00:13:01.968371 wlan0 Out IP 172.16.12.100.46832 > pi.hole.domain: 1769+ PTR? 100.12.16.172.in-addr.arpa. (44)
00:13:01.986482 wlan0 In  IP pi.hole.domain > 172.16.12.100.46832: 1769 NXDomain 0/1/0 (122)
00:13:01.986563 wlan0 Out IP 172.16.12.100.43015 > pi.hole.domain: 10424+ PTR? 89.12.16.172.in-addr.arpa. (43)
00:13:01.992153 wlan0 In  IP pi.hole.domain > 172.16.12.100.43015: 10424 NXDomain 0/1/0 (121)
00:13:01.992319 wlan0 Out IP 172.16.12.100.ssh > 172.16.12.89.52752: Flags [P.], seq 236:624, ack 1, win 632, options [nop,nop,TS val 1879296316 ecr 792529698], length 388
00:13:02.001502 wlan0 In  IP 172.16.12.89.52752 > 172.16.12.100.ssh: Flags [.], ack 624, win 2042, options [nop,nop,TS val 792529788 ecr 1879296316], length 0
00:13:02.072066 wlan0 Out IP 172.16.12.100.36966 > pi.hole.domain: 45883+ PTR? 10.10.10.10.in-addr.arpa. (42)
00:13:02.087355 wlan0 In  IP pi.hole.domain > 172.16.12.100.36966: 45883* 1/0/0 PTR pi.hole. (63)

---omitted for brevity---

00:15:49.834777 wlan0 In  IP 172.16.12.89.52752 > 172.16.12.100.ssh: Flags [.], ack 111404, win 2048, options [nop,nop,TS val 792697618 ecr 1879464148], length 0
^C
536 packets captured
541 packets received by filter
1 packet dropped by kernel
$


Step 2: 🔍 Identify Your Active Interface (Optional)

If you're not using any, you can check which interface has an IP:

ip a

Look for an interface with a valid IP address (e.g. eth0, wlan0, etc.).

$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute
       valid_lft forever preferred_lft forever
2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
    inet 172.16.12.100/25 brd 172.16.12.127 scope global dynamic noprefixroute wlan0
       valid_lft 77110sec preferred_lft 77110sec
    inet6 fe80::202:b3ff:fe1e:8329/64 scope global dynamic noprefixroute
       valid_lft 1796sec preferred_lft 1796sec
    inet6 fe80::202:b3ff:fe1e:8329/64 scope link noprefixroute
       valid_lft forever preferred_lft forever

Step 3: 🧲 Capture Your First 10 Packets

Let’s do a quick test to capture 10 packets. The -c (count) option limits the number of packets captured; tcpdump stops on its own once that many have been captured:

sudo tcpdump -i wlan0 -c10

You’ll see real-time traffic with details like:

$ sudo tcpdump -i wlan0 -c10
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on wlan0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
00:25:38.488993 IP 172.16.12.100.ssh > 172.16.12.89.52752: Flags [P.], seq 301039558:301039746, ack 1768105487, win 632, options [nop,nop,TS val 1880052812 ecr 793286239], length 188
00:25:38.503370 IP 172.16.12.89.52752 > 172.16.12.100.ssh: Flags [.], ack 188, win 2046, options [nop,nop,TS val 793286266 ecr 1880052812], length 0
00:25:38.572356 IP 172.16.12.100.56055 > pi.hole.domain: 16570+ PTR? 100.12.16.172.in-addr.arpa. (44)
00:25:38.581035 IP pi.hole.domain > 172.16.12.100.56055: 16570 NXDomain 0/1/0 (122)
00:25:38.581107 IP 172.16.12.100.60082 > pi.hole.domain: 22039+ PTR? 89.12.16.172.in-addr.arpa. (43)
00:25:38.605568 IP pi.hole.domain > 172.16.12.100.60082: 22039 NXDomain 0/1/0 (121)
00:25:38.605715 IP 172.16.12.100.ssh > 172.16.12.89.52752: Flags [P.], seq 188:560, ack 1, win 632, options [nop,nop,TS val 1880052929 ecr 793286266], length 372
00:25:38.613118 IP 172.16.12.89.52752 > 172.16.12.100.ssh: Flags [.], ack 560, win 2043, options [nop,nop,TS val 793286384 ecr 1880052929], length 0
00:25:38.655680 IP 172.16.12.61.mdns > mdns.mcast.net.mdns: 0 [35a] [4q] PTR (QM)? _companion-link._tcp.local. PTR (QM)? _hap._tcp.local. PTR (QM)? _rdlink._tcp.local. PTR (QM)? _hap._udp.local. (1220)
00:25:38.656543 IP6 fe80::a9:eee6:7878:c2b5.mdns > ff02::fb.mdns: 0 [35a] [4q] PTR (QM)? _companion-link._tcp.local. PTR (QM)? _hap._tcp.local. PTR (QM)? _rdlink._tcp.local. PTR (QM)? _hap._udp.local. (1220)
10 packets captured
31 packets received by filter
0 packets dropped by kernel

Congrats! You're now watching raw packets move across your interface.

tcpdump resolves IP addresses and ports into names by default. When troubleshooting network issues, it is often easier to work with the raw IP addresses and port numbers. Use -n to disable host name resolution, and -nn to disable port-to-service-name resolution as well:

$ sudo tcpdump -i wlan0 -c10 -nn
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on wlan0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
00:31:44.264537 IP 172.16.12.100.22 > 172.16.12.89.52752: Flags [P.], seq 301041970:301042158, ack 1768105923, win 632, options [nop,nop,TS val 1880418588 ecr 793652012], length 188
00:31:44.269252 IP 172.16.12.89.52752 > 172.16.12.100.22: Flags [.], ack 188, win 2046, options [nop,nop,TS val 793652034 ecr 1880418588], length 0
00:31:44.319941 IP 172.16.12.1.5353 > 224.0.0.251.5353: 0 [2q] ANY (QM)? xx.xx.xx.xx.in-addr.arpa. ANY (QM)? smarthome-nas-103137.local. (75)
00:31:44.319968 IP xx.xx.xx.xx.5353 > 224.0.0.251.5353: 0 [2q] [2n] ANY (QM)? smarthome-nas-103137.local. ANY (QM)? xx.xx.xx.xx.in-addr.arpa. (105)
00:31:44.321831 IP xx.xx.xx.xx.5353 > 224.0.0.251.5353: 0*- [0q] 1/0/0 (Cache flush) PTR pi-60241.local. (65)
00:31:44.352271 IP 172.16.12.100.22 > 172.16.12.89.52752: Flags [P.], seq 188:960, ack 1, win 632, options [nop,nop,TS val 1880418676 ecr 793652034], length 772
00:31:44.369580 IP 172.16.12.89.52752 > 172.16.12.100.22: Flags [.], ack 960, win 2036, options [nop,nop,TS val 793652133 ecr 1880418676], length 0
00:31:44.456107 IP 172.16.12.100.22 > 172.16.12.89.52752: Flags [P.], seq 960:1308, ack 1, win 632, options [nop,nop,TS val 1880418780 ecr 793652133], length 348
00:31:44.465759 IP 172.16.12.89.52752 > 172.16.12.100.22: Flags [.], ack 1308, win 2043, options [nop,nop,TS val 793652229 ecr 1880418780], length 0
00:31:44.560102 IP 172.16.12.100.22 > 172.16.12.89.52752: Flags [P.], seq 1308:1656, ack 1, win 632, options [nop,nop,TS val 1880418884 ecr 793652229], length 348
10 packets captured
11 packets received by filter
0 packets dropped by kernel

Step 4: 🧼 Filter the Noise — Capture Only ICMP (Ping)

sudo tcpdump -i wlan0 icmp

Now generate some ping traffic from another terminal:

$ ping example.com
PING example.com (96.7.128.198) 56(84) bytes of data.
64 bytes from a96-7-128-198.deploy.static.akamaitechnologies.com (96.7.128.198): icmp_seq=1 ttl=50 time=70.9 ms
64 bytes from a96-7-128-198.deploy.static.akamaitechnologies.com (96.7.128.198): icmp_seq=2 ttl=50 time=70.2 ms
64 bytes from a96-7-128-198.deploy.static.akamaitechnologies.com (96.7.128.198): icmp_seq=3 ttl=50 time=68.2 ms
64 bytes from a96-7-128-198.deploy.static.akamaitechnologies.com (96.7.128.198): icmp_seq=4 ttl=50 time=69.7 ms
64 bytes from a96-7-128-198.deploy.static.akamaitechnologies.com (96.7.128.198): icmp_seq=5 ttl=50 time=72.3 ms
64 bytes from a96-7-128-198.deploy.static.akamaitechnologies.com (96.7.128.198): icmp_seq=6 ttl=50 time=69.2 ms
64 bytes from a96-7-128-198.deploy.static.akamaitechnologies.com (96.7.128.198): icmp_seq=7 ttl=50 time=68.9 ms
64 bytes from a96-7-128-198.deploy.static.akamaitechnologies.com (96.7.128.198): icmp_seq=8 ttl=50 time=71.0 ms
64 bytes from a96-7-128-198.deploy.static.akamaitechnologies.com (96.7.128.198): icmp_seq=9 ttl=50 time=70.1 ms
^C
--- example.com ping statistics ---
9 packets transmitted, 9 received, 0% packet loss, time 8011ms
rtt min/avg/max/mdev = 68.167/70.045/72.256/1.157 ms

Each packet shows up in your tcpdump terminal — requests and replies.

$ sudo tcpdump -i wlan0 icmp
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on wlan0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
00:56:03.917297 IP 172.16.12.100 > a96-7-128-198.deploy.static.akamaitechnologies.com: ICMP echo request, id 7, seq 1, length 64
00:56:03.988157 IP a96-7-128-198.deploy.static.akamaitechnologies.com > 172.16.12.100: ICMP echo reply, id 7, seq 1, length 64
00:56:04.919144 IP 172.16.12.100 > a96-7-128-198.deploy.static.akamaitechnologies.com: ICMP echo request, id 7, seq 2, length 64
00:56:04.989359 IP a96-7-128-198.deploy.static.akamaitechnologies.com > 172.16.12.100: ICMP echo reply, id 7, seq 2, length 64
00:56:05.920419 IP 172.16.12.100 > a96-7-128-198.deploy.static.akamaitechnologies.com: ICMP echo request, id 7, seq 3, length 64
00:56:05.988578 IP a96-7-128-198.deploy.static.akamaitechnologies.com > 172.16.12.100: ICMP echo reply, id 7, seq 3, length 64
00:56:06.921981 IP 172.16.12.100 > a96-7-128-198.deploy.static.akamaitechnologies.com: ICMP echo request, id 7, seq 4, length 64
00:56:06.991674 IP a96-7-128-198.deploy.static.akamaitechnologies.com > 172.16.12.100: ICMP echo reply, id 7, seq 4, length 64
00:56:07.922931 IP 172.16.12.100 > a96-7-128-198.deploy.static.akamaitechnologies.com: ICMP echo request, id 7, seq 5, length 64
00:56:07.995178 IP a96-7-128-198.deploy.static.akamaitechnologies.com > 172.16.12.100: ICMP echo reply, id 7, seq 5, length 64
00:56:08.924161 IP 172.16.12.100 > a96-7-128-198.deploy.static.akamaitechnologies.com: ICMP echo request, id 7, seq 6, length 64
00:56:08.993336 IP a96-7-128-198.deploy.static.akamaitechnologies.com > 172.16.12.100: ICMP echo reply, id 7, seq 6, length 64
00:56:09.925440 IP 172.16.12.100 > a96-7-128-198.deploy.static.akamaitechnologies.com: ICMP echo request, id 7, seq 7, length 64
00:56:09.994379 IP a96-7-128-198.deploy.static.akamaitechnologies.com > 172.16.12.100: ICMP echo reply, id 7, seq 7, length 64
^C
14 packets captured
14 packets received by filter
0 packets dropped by kernel

Step 5: 🌐 Capture HTTP Traffic (Port 80)

Want to inspect unencrypted web traffic?

sudo tcpdump -i wlan0 port 80

Then, in a separate terminal:

curl http://example.com

You’ll capture request and response packets.

$ sudo tcpdump -i wlan0 port 80
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on wlan0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
00:46:29.774212 IP 172.16.12.100.54744 > a96-7-128-198.deploy.static.akamaitechnologies.com.http: Flags [S], seq 1644184790, win 64240, options [mss 1460,sackOK,TS val 4061182876 ecr 0,nop,wscale 7], length 0
00:46:29.845312 IP a96-7-128-198.deploy.static.akamaitechnologies.com.http > 172.16.12.100.54744: Flags [S.], seq 4113847738, ack 1644184791, win 65160, options [mss 1460,sackOK,TS val 3591842727 ecr 4061182876,nop,wscale 7], length 0
00:46:29.845333 IP 172.16.12.100.54744 > a96-7-128-198.deploy.static.akamaitechnologies.com.http: Flags [.], ack 1, win 502, options [nop,nop,TS val 4061182947 ecr 3591842727], length 0
00:46:29.845371 IP 172.16.12.100.54744 > a96-7-128-198.deploy.static.akamaitechnologies.com.http: Flags [P.], seq 1:76, ack 1, win 502, options [nop,nop,TS val 4061182947 ecr 3591842727], length 75: HTTP: GET / HTTP/1.1
00:46:29.922102 IP a96-7-128-198.deploy.static.akamaitechnologies.com.http > 172.16.12.100.54744: Flags [.], ack 76, win 509, options [nop,nop,TS val 3591842805 ecr 4061182947], length 0
00:46:29.923321 IP a96-7-128-198.deploy.static.akamaitechnologies.com.http > 172.16.12.100.54744: Flags [.], seq 1:1449, ack 76, win 509, options [nop,nop,TS val 3591842806 ecr 4061182947], length 1448: HTTP: HTTP/1.1 200 OK
00:46:29.923329 IP 172.16.12.100.54744 > a96-7-128-198.deploy.static.akamaitechnologies.com.http: Flags [.], ack 1449, win 524, options [nop,nop,TS val 4061183025 ecr 3591842806], length 0
00:46:29.923349 IP a96-7-128-198.deploy.static.akamaitechnologies.com.http > 172.16.12.100.54744: Flags [P.], seq 1449:1519, ack 76, win 509, options [nop,nop,TS val 3591842806 ecr 4061182947], length 70: HTTP
00:46:29.923353 IP 172.16.12.100.54744 > a96-7-128-198.deploy.static.akamaitechnologies.com.http: Flags [.], ack 1519, win 524, options [nop,nop,TS val 4061183025 ecr 3591842806], length 0
00:46:29.923463 IP 172.16.12.100.54744 > a96-7-128-198.deploy.static.akamaitechnologies.com.http: Flags [F.], seq 76, ack 1519, win 524, options [nop,nop,TS val 4061183025 ecr 3591842806], length 0
00:46:30.010380 IP a96-7-128-198.deploy.static.akamaitechnologies.com.http > 172.16.12.100.54744: Flags [F.], seq 1519, ack 77, win 509, options [nop,nop,TS val 3591842882 ecr 4061183025], length 0
00:46:30.010394 IP 172.16.12.100.54744 > a96-7-128-198.deploy.static.akamaitechnologies.com.http: Flags [.], ack 1520, win 524, options [nop,nop,TS val 4061183112 ecr 3591842882], length 0
^C
12 packets captured
12 packets received by filter
0 packets dropped by kernel

Step 6: 💾 Save Traffic to a PCAP File

Sometimes you need to capture traffic for later analysis:

sudo tcpdump -i wlan0 -w capture.pcap

Then replay it later with:

tcpdump -r capture.pcap

Or open it in Wireshark for a visual deep-dive.


Step 7: 🎯 Advanced Filtering (host, src, dst, port)

Get specific about what you want to see:

# Traffic to/from a specific host

$ sudo tcpdump -i wlan0 host 172.16.12.100 -c10
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on wlan0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
01:04:37.633038 IP 172.16.12.100.ssh > 172.16.12.89.52752: Flags [P.], seq 301205426:301205614, ack 1768115879, win 632, options [nop,nop,TS val 1882391957 ecr 795625327], length 188
01:04:37.640102 IP 172.16.12.89.52752 > 172.16.12.100.ssh: Flags [.], ack 188, win 2046, options [nop,nop,TS val 795625350 ecr 1882391957], length 0
01:04:37.720356 IP 172.16.12.100.60758 > pi.hole.domain: 47826+ PTR? 100.12.16.172.in-addr.arpa. (44)
01:04:37.731104 IP pi.hole.domain > 172.16.12.100.60758: 47826 NXDomain 0/1/0 (122)
01:04:37.731178 IP 172.16.12.100.55110 > pi.hole.domain: 62517+ PTR? 89.12.16.172.in-addr.arpa. (43)
01:04:37.738805 IP pi.hole.domain > 172.16.12.100.55110: 62517 NXDomain 0/1/0 (121)
01:04:37.738941 IP 172.16.12.100.ssh > 172.16.12.89.52752: Flags [P.], seq 188:560, ack 1, win 632, options [nop,nop,TS val 1882392062 ecr 795625350], length 372
01:04:37.747455 IP 172.16.12.89.52752 > 172.16.12.100.ssh: Flags [.], ack 560, win 2043, options [nop,nop,TS val 795625460 ecr 1882392062], length 0
01:04:37.824051 IP 172.16.12.100.59823 > pi.hole.domain: 48275+ PTR? 10.10.10.10.in-addr.arpa. (42)
01:04:37.833581 IP pi.hole.domain > 172.16.12.100.59823: 48275* 1/0/0 PTR pi.hole. (63)
10 packets captured
12 packets received by filter
0 packets dropped by kernel

# Only incoming packets

$ sudo tcpdump -i wlan0 dst host 172.16.12.100 -c10
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on wlan0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
01:03:35.658983 ARP, Request who-has 172.16.12.100 (2c:cf:67:9a:e9:10 (oui Unknown)) tell 172.16.12.89, length 28
01:03:35.659894 IP 172.16.12.89.52752 > 172.16.12.100.ssh: Flags [.], ack 301200354, win 2046, options [nop,nop,TS val 795563372 ecr 1882329977], length 0
01:03:35.675803 IP 172.16.12.89.52752 > 172.16.12.100.ssh: Flags [P.], seq 0:36, ack 1, win 2048, options [nop,nop,TS val 795563390 ecr 1882329977], length 36
01:03:35.746905 IP pi.hole.domain > 172.16.12.100.53192: 44062 NXDomain 0/1/0 (122)
01:03:35.753569 IP pi.hole.domain > 172.16.12.100.44260: 25159 NXDomain 0/1/0 (121)
01:03:35.759355 IP 172.16.12.89.52752 > 172.16.12.100.ssh: Flags [.], ack 469, win 2041, options [nop,nop,TS val 795563474 ecr 1882330077], length 0
01:03:35.852967 IP pi.hole.domain > 172.16.12.100.45732: 57997* 1/0/0 PTR pi.hole. (63)
01:03:35.861125 IP 172.16.12.89.52752 > 172.16.12.100.ssh: Flags [.], ack 825, win 2043, options [nop,nop,TS val 795563575 ecr 1882330177], length 0
01:03:35.952067 IP 172.16.12.89.52752 > 172.16.12.100.ssh: Flags [.], ack 1101, win 2044, options [nop,nop,TS val 795563666 ecr 1882330272], length 0
01:03:36.062554 IP 172.16.12.89.52752 > 172.16.12.100.ssh: Flags [.], ack 1289, win 2046, options [nop,nop,TS val 795563776 ecr 1882330376], length 0
10 packets captured
10 packets received by filter
0 packets dropped by kernel

# DNS traffic

$ sudo tcpdump -i wlan0 udp port 53
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on wlan0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
01:07:07.524353 IP 172.16.12.100.35748 > pi.hole.domain: 16213+ A? example.com. (29)
01:07:07.524364 IP 172.16.12.100.35748 > pi.hole.domain: 35882+ AAAA? example.com. (29)
01:07:07.536218 IP pi.hole.domain > 172.16.12.100.35748: 16213 6/0/0 A 23.215.0.138, A 96.7.128.175, A 96.7.128.198, A 23.192.228.80, A 23.192.228.84, A 23.215.0.136 (125)
01:07:07.542710 IP pi.hole.domain > 172.16.12.100.35748: 35882 6/0/0 AAAA 2600:1408:ec00:36::1736:7f24, AAAA 2600:1408:ec00:36::1736:7f31, AAAA 2600:1406:3a00:21::173e:2e65, AAAA 2600:1406:3a00:21::173e:2e66, AAAA 2600:1406:bc00:53::b81e:94c8, AAAA 2600:1406:bc00:53::b81e:94ce (197)
01:07:07.558996 IP 172.16.12.100.46024 > pi.hole.domain: 48709+ PTR? 138.0.215.23.in-addr.arpa. (43)
01:07:07.592340 IP 172.16.12.100.40383 > pi.hole.domain: 28576+ PTR? 100.12.16.172.in-addr.arpa. (44)
01:07:07.605998 IP pi.hole.domain > 172.16.12.100.40383: 28576 NXDomain 0/1/0 (122)
01:07:07.606094 IP 172.16.12.100.44082 > pi.hole.domain: 64195+ PTR? 10.10.10.10.in-addr.arpa. (42)
01:07:07.613619 IP pi.hole.domain > 172.16.12.100.44082: 64195* 1/0/0 PTR pi.hole. (63)
01:07:07.717109 IP pi.hole.domain > 172.16.12.100.46024: 48709 1/0/0 PTR a23-215-0-138.deploy.static.akamaitechnologies.com. (107)
01:07:08.560267 IP 172.16.12.100.54182 > pi.hole.domain: 20691+ PTR? 138.0.215.23.in-addr.arpa. (43)
01:07:08.566863 IP pi.hole.domain > 172.16.12.100.54182: 20691 1/0/0 PTR a23-215-0-138.deploy.static.akamaitechnologies.com. (107)
01:07:09.561318 IP 172.16.12.100.50382 > pi.hole.domain: 18423+ PTR? 138.0.215.23.in-addr.arpa. (43)
01:07:09.567691 IP pi.hole.domain > 172.16.12.100.50382: 18423 1/0/0 PTR a23-215-0-138.deploy.static.akamaitechnologies.com. (107)
01:07:10.570940 IP 172.16.12.100.59955 > pi.hole.domain: 21591+ PTR? 138.0.215.23.in-addr.arpa. (43)
01:07:10.582997 IP pi.hole.domain > 172.16.12.100.59955: 21591 1/0/0 PTR a23-215-0-138.deploy.static.akamaitechnologies.com. (107)
01:07:11.566723 IP 172.16.12.100.56271 > pi.hole.domain: 46078+ PTR? 138.0.215.23.in-addr.arpa. (43)
01:07:11.579956 IP pi.hole.domain > 172.16.12.100.56271: 46078 1/0/0 PTR a23-215-0-138.deploy.static.akamaitechnologies.com. (107)
01:07:12.568476 IP 172.16.12.100.50063 > pi.hole.domain: 56327+ PTR? 138.0.215.23.in-addr.arpa. (43)
01:07:12.579856 IP pi.hole.domain > 172.16.12.100.50063: 56327 1/0/0 PTR a23-215-0-138.deploy.static.akamaitechnologies.com. (107)
01:07:13.569550 IP 172.16.12.100.49144 > pi.hole.domain: 11513+ PTR? 138.0.215.23.in-addr.arpa. (43)
01:07:13.575971 IP pi.hole.domain > 172.16.12.100.49144: 11513 1/0/0 PTR a23-215-0-138.deploy.static.akamaitechnologies.com. (107)
01:07:14.570606 IP 172.16.12.100.44037 > pi.hole.domain: 61033+ PTR? 138.0.215.23.in-addr.arpa. (43)
01:07:14.577379 IP pi.hole.domain > 172.16.12.100.44037: 61033 1/0/0 PTR a23-215-0-138.deploy.static.akamaitechnologies.com. (107)
^C
24 packets captured
24 packets received by filter
0 packets dropped by kernel

Mix and match filters using and, or, and not:

$ sudo tcpdump -i wlan0 src host 172.16.12.100 and tcp port 22
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on wlan0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
01:19:47.513044 IP 172.16.12.100.ssh > 172.16.12.89.52752: Flags [P.], seq 301265890:301266078, ack 1768135455, win 632, options [nop,nop,TS val 1883301837 ecr 796535184], length 188
01:19:47.627528 IP 172.16.12.100.ssh > 172.16.12.89.52752: Flags [P.], seq 188:408, ack 1, win 632, options [nop,nop,TS val 1883301951 ecr 796535184], length 220
01:19:47.700072 IP 172.16.12.100.ssh > 172.16.12.89.52752: Flags [P.], seq 408:612, ack 1, win 632, options [nop,nop,TS val 1883302024 ecr 796535328], length 204
01:19:47.804076 IP 172.16.12.100.ssh > 172.16.12.89.52752: Flags [P.], seq 612:816, ack 1, win 632, options [nop,nop,TS val 1883302128 ecr 796535401], length 204
01:19:47.908055 IP 172.16.12.100.ssh > 172.16.12.89.52752: Flags [P.], seq 816:1020, ack 1, win 632, options [nop,nop,TS val 1883302232 ecr 796535541], length 204
01:19:48.012052 IP 172.16.12.100.ssh > 172.16.12.89.52752: Flags [P.], seq 1020:1224, ack 1, win 632, options [nop,nop,TS val 1883302336 ecr 796535610], length 204
01:19:48.116100 IP 172.16.12.100.ssh > 172.16.12.89.52752: Flags [P.], seq 1224:1428, ack 1, win 632, options [nop,nop,TS val 1883302440 ecr 796535716], length 204
01:19:48.220070 IP 172.16.12.100.ssh > 172.16.12.89.52752: Flags [P.], seq 1428:1632, ack 1, win 632, options [nop,nop,TS val 1883302544 ecr 796535819], length 204
01:19:48.324093 IP 172.16.12.100.ssh > 172.16.12.89.52752: Flags [P.], seq 1632:1836, ack 1, win 632, options [nop,nop,TS val 1883302648 ecr 796535923], length 204
01:19:48.428071 IP 172.16.12.100.ssh > 172.16.12.89.52752: Flags [P.], seq 1836:2040, ack 1, win 632, options [nop,nop,TS val 1883302752 ecr 796536027], length 204
01:19:48.532062 IP 172.16.12.100.ssh > 172.16.12.89.52752: Flags [P.], seq 2040:2244, ack 1, win 632, options [nop,nop,TS val 1883302856 ecr 796536213], length 204
01:19:48.636074 IP 172.16.12.100.ssh > 172.16.12.89.52752: Flags [P.], seq 2244:2448, ack 1, win 632, options [nop,nop,TS val 1883302960 ecr 796536232], length 204
01:19:48.740070 IP 172.16.12.100.ssh > 172.16.12.89.52752: Flags [P.], seq 2448:2652, ack 1, win 632, options [nop,nop,TS val 1883303064 ecr 796536345], length 204
01:19:48.844071 IP 172.16.12.100.ssh > 172.16.12.89.52752: Flags [P.], seq 2652:2856, ack 1, win 632, options [nop,nop,TS val 1883303168 ecr 796536442], length 204
01:19:48.948067 IP 172.16.12.100.ssh > 172.16.12.89.52752: Flags [P.], seq 2856:3060, ack 1, win 632, options [nop,nop,TS val 1883303272 ecr 796536548], length 204
01:19:49.052067 IP 172.16.12.100.ssh > 172.16.12.89.52752: Flags [P.], seq 3060:3264, ack 1, win 632, options [nop,nop,TS val 1883303376 ecr 796536651], length 204
01:19:49.156074 IP 172.16.12.100.ssh > 172.16.12.89.52752: Flags [P.], seq 3264:3468, ack 1, win 632, options [nop,nop,TS val 1883303480 ecr 796536771], length 204
01:19:49.260062 IP 172.16.12.100.ssh > 172.16.12.89.52752: Flags [P.], seq 3468:3672, ack 1, win 632, options [nop,nop,TS val 1883303584 ecr 796536873], length 204
^C
18 packets captured
21 packets received by filter
0 packets dropped by kernel

This walkthrough covers just the basics to help you start using tcpdump effectively. With practice, you’ll unlock its full potential for in-depth network analysis and troubleshooting.


💼 Real-World Use Cases

✅ Troubleshoot Latency: Identify retransmissions or dropped packets
✅ Diagnose DNS Failures: Watch for slow or malformed DNS responses
✅ Verify Firewall Rules: Confirm blocked or allowed traffic
✅ Audit Service Activity: Monitor what services like Nginx or SSH are doing
✅ Hunt for Malware: Spot suspicious outbound connections
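Three of these use cases can be worked straight from tcpdump's own text output. The script below is an added example, not part of the original post: it reads -nn output (live, or from tcpdump -r capture.pcap -nn) and summarises NXDomain replies per client, new outbound connections that never received a SYN-ACK, and repeated TCP segments. The sample lines inside it are constructed to match the -nn format shown in the walkthrough, and 172.16.12.100 is assumed to be the local host.

```bash
#!/usr/bin/env bash
# Added example: summarise tcpdump -nn text output for the DNS-failure,
# suspicious-connection and latency use cases. Not code from the original post.
# 172.16.12.100 is assumed to be the local host; the lines in SAMPLE are
# constructed to match the -nn format printed in the walkthrough.
set -eu

SAMPLE=$(cat <<'EOF'
01:07:07.524353 IP 172.16.12.100.35748 > 172.16.12.1.53: 16213+ A? example.com. (29)
01:07:07.536218 IP 172.16.12.1.53 > 172.16.12.100.35748: 16213 1/0/0 A 96.7.128.198 (45)
01:07:07.592340 IP 172.16.12.100.40383 > 172.16.12.1.53: 28576+ PTR? 100.12.16.172.in-addr.arpa. (44)
01:07:07.605998 IP 172.16.12.1.53 > 172.16.12.100.40383: 28576 NXDomain 0/1/0 (122)
01:07:07.700000 IP 172.16.12.61.50001 > 172.16.12.1.53: 1001+ A? printer-old.lan. (33)
01:07:07.710000 IP 172.16.12.1.53 > 172.16.12.61.50001: 1001 NXDomain 0/1/0 (108)
01:07:07.720000 IP 172.16.12.61.50002 > 172.16.12.1.53: 1002+ A? nas-decom.lan. (31)
01:07:07.730000 IP 172.16.12.1.53 > 172.16.12.61.50002: 1002 NXDomain 0/1/0 (106)
00:46:29.774212 IP 172.16.12.100.54744 > 96.7.128.198.80: Flags [S], seq 1644184790, win 64240, options [mss 1460,sackOK,TS val 4061182876 ecr 0,nop,wscale 7], length 0
00:46:29.845312 IP 96.7.128.198.80 > 172.16.12.100.54744: Flags [S.], seq 4113847738, ack 1644184791, win 65160, options [mss 1460,sackOK,TS val 3591842727 ecr 4061182876,nop,wscale 7], length 0
00:46:29.845371 IP 172.16.12.100.54744 > 96.7.128.198.80: Flags [P.], seq 1:76, ack 1, win 502, options [nop,nop,TS val 4061182947 ecr 3591842727], length 75: HTTP: GET / HTTP/1.1
00:46:30.050000 IP 172.16.12.100.54744 > 96.7.128.198.80: Flags [P.], seq 1:76, ack 1, win 502, options [nop,nop,TS val 4061183150 ecr 3591842727], length 75: HTTP: GET / HTTP/1.1
00:46:31.000000 IP 172.16.12.100.54800 > 203.0.113.9.8443: Flags [S], seq 11111, win 64240, options [mss 1460], length 0
00:46:31.500000 IP 172.16.12.100.54801 > 203.0.113.9.8443: Flags [S], seq 22222, win 64240, options [mss 1460], length 0
00:46:32.000000 IP 172.16.12.100.54802 > 203.0.113.9.8443: Flags [S], seq 33333, win 64240, options [mss 1460], length 0
EOF
)

# With -nn an endpoint prints as ip.port (172.16.12.100.54744); the awk code
# below strips the trailing ".port" with sub(/\.[0-9]+$/, "", var) when it
# only needs the address.

# Diagnose DNS Failures: count NXDomain replies per client (the reply's
# destination, field $5, which carries a trailing colon). Most first.
dns_failures_per_client() {
  awk '/ NXDomain / {
         client = $5; sub(/:$/, "", client); sub(/\.[0-9]+$/, "", client)
         n[client]++
       }
       END { for (c in n) printf "%d %s\n", n[c], c }' | sort -rn
}

# Hunt for suspicious connections: count pure SYNs (Flags [S]) leaving the
# local host per destination ip.port, and mark destinations that never sent
# a SYN-ACK (Flags [S.]) back. Repeated unanswered SYNs to one address are
# worth a second look.
outbound_syns() {
  local me="$1"
  awk -v me="$me" '
    ($2 == "IP" || $2 == "IP6") && $6 == "Flags" {
      src = $3; dst = $5; sub(/:$/, "", dst)
      src_ip = src; sub(/\.[0-9]+$/, "", src_ip)
      dst_ip = dst; sub(/\.[0-9]+$/, "", dst_ip)
      if ($7 == "[S]," && src_ip == me) syn[dst]++
      if ($7 == "[S.]," && dst_ip == me) answered[src] = 1
    }
    END {
      for (d in syn) {
        status = (d in answered) ? "answered" : "NO-SYNACK"
        printf "%d %s %s\n", syn[d], d, status
      }
    }' | sort -rn
}

# Troubleshoot Latency: a segment whose src > dst and "seq a:b" range were
# already seen is counted as a retransmission for that flow (a cheap
# heuristic; Wireshark does this analysis properly on the .pcap).
retransmissions() {
  awk '$6 == "Flags" && $8 == "seq" && $9 ~ /:/ {
         dst = $5; sub(/:$/, "", dst)
         flow = $3 " > " dst
         if (seen[flow " " $9]++) dup[flow]++
       }
       END { for (f in dup) printf "%d %s\n", dup[f], f }' | sort -rn
}

report() {
  echo "== NXDomain replies per client =="
  printf '%s\n' "$SAMPLE" | dns_failures_per_client
  echo "== Outbound SYNs per destination =="
  printf '%s\n' "$SAMPLE" | outbound_syns "$1"
  echo "== Repeated segments per flow =="
  printf '%s\n' "$SAMPLE" | retransmissions
}

report 172.16.12.100
```

On a real host, feed the functions from a line-buffered capture (sudo tcpdump -i wlan0 -nn -l | tee traffic.log) or from tcpdump -r capture.pcap -nn.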


🧠 Bonus: Clean Up and Clarify the Output

As I mentioned earlier, by default, tcpdump tries to be helpful by resolving IP addresses to hostnames and port numbers to service names (like 80 → http). But that can slow things down or clutter the output — especially when you're troubleshooting.

You can clean that up using:

sudo tcpdump -i wlan0 -nn -vvv

Here’s what each flag does:

🔹 -nn

This tells tcpdump not to:

  • Convert IP addresses to hostnames (e.g., 8.8.8.8 stays 8.8.8.8, not dns.google)
  • Convert port numbers to service names (e.g., 443 stays 443, not https)

This makes the output:

  • Faster to load (because there are no reverse DNS lookups)
  • Easier to scan when you want to see exact IPs and ports

🔹 -vvv

This increases verbosity, giving you as much detail as possible about each packet.

You’ll see:

  • TTL (Time to Live)
  • IP ID fields
  • TCP flags (e.g., SYN, ACK, FIN)
  • Window size
  • Sequence and acknowledgment numbers
  • DNS query and response details
  • And more protocol-specific info

🔍 When to use:
Use -nn -vvv when you’re deep diving into protocol behavior, inspecting a suspicious packet, or analyzing traffic patterns like a pro.


✅ Wrap-Up: What You Learned

By completing this exercise, you’ve learned how to:

  • List and select network interfaces (including any)
  • Capture and filter live packet data
  • Save and analyze .pcap files
  • Troubleshoot real-world network issues

You're now equipped to start digging into the invisible world of packets — whether for learning, labbing, or problem-solving.


💬 Got questions or want to share your favorite tcpdump tricks?
Drop a comment or ping me — I’d love to hear from you.

Until next time — keep labbing, keep learning, and keep listening to your network.

— Bryan Steele
Network Practitioner for the Information Superhighway and its World Wide of Webs