# tcpdump
## What is tcpdump
Tcpdump is a powerful command-line packet analyzer available on Unix and Linux systems. It captures network packets and prints a summary of each one in the terminal. Unlike Wireshark, which has a graphical interface, tcpdump runs entirely in the command line, making it ideal for servers and remote systems that have no graphical environment. Tcpdump can also write captured packets to a file, which can later be opened in Wireshark for graphical analysis.
## Basic tcpdump Usage
Running tcpdump requires root or administrator privileges because opening a raw capture socket and putting the network interface into promiscuous mode are privileged operations. Running `tcpdump` with no options captures all packets on the default interface and displays them in the terminal. The output line for each packet shows the timestamp, the source and destination addresses and ports, the protocol, and protocol-specific details. Pressing Control-C stops the capture and prints a summary of the packets captured, received by the filter, and dropped by the kernel (a non-zero drop count means the capture is incomplete).
## Specifying the Interface
The `-i` option specifies which network interface to capture on. Running `tcpdump -i eth0` captures packets on the eth0 interface. Running `tcpdump -i any` captures on all interfaces. The `-D` option lists all available interfaces.
## Filtering Packets
Tcpdump uses BPF filter expressions to capture only packets matching specific criteria. Running `tcpdump host 192.168.1.1` captures only packets in which that IP address is the source or the destination. Running `tcpdump port 80` captures only traffic to or from port 80, which is conventionally HTTP. Running `tcpdump tcp` captures only TCP packets. Filters can be combined with `and`, `or`, and `not`. For example, `tcpdump host 192.168.1.1 and port 443` captures only HTTPS traffic involving that host. Quoting the whole expression (for example `'host 192.168.1.1 and not port 22'`) keeps the shell from interpreting any of its characters.
## Saving to a File
The `-w` option writes captured packets to a file in pcap format instead of printing them. For example, `tcpdump -w capture.pcap` saves all captured packets to that file. The file can later be opened in Wireshark for detailed analysis. The `-r` option reads packets from a pcap file and displays them, and it accepts the same filter expressions as a live capture. This makes tcpdump a lightweight way to capture packets on a remote server and then analyze them locally in Wireshark.
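To make the file format and the filter semantics concrete, here is an added example (not part of the original page, and not tcpdump's own code) that builds a small classic pcap file of the kind `tcpdump -w` writes and `tcpdump -r` or Wireshark reads, parses it back, and applies the equivalent of the `host 192.168.1.1 and port 443` filter from the Filtering section. The frame builder and all addresses, ports and timestamps are constructed sample data; checksums are left at zero.

```python
import socket
import struct
# Hypothetical helper: build an Ethernet/IPv4/TCP SYN frame (no payload, checksums left at zero).
def build_frame(src_ip, dst_ip, sport, dport):
    eth = b"\x00" * 12 + b"\x08\x00"          # zero MACs, EtherType 0x0800 = IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 65535, 0, 0)
    return eth + ip + tcp

# Classic pcap writer: 24-byte global header, then a 16-byte record header before each frame.
def write_pcap(packets, linktype=1, snaplen=262144):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)
    for ts_sec, ts_usec, frame in packets:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
    return out

# Classic pcap reader (either byte order) -> (linktype, [(ts_sec, ts_usec, frame), ...]).
def read_pcap(data):
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if order is None: raise ValueError("not a classic pcap file (bad magic)")
    linktype = struct.unpack(order + "IHHiIII", data[:24])[6]
    off, records = 24, []
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig = struct.unpack(order + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        if len(frame) < incl_len: raise ValueError("truncated record at offset %d" % off)
        records.append((ts_sec, ts_usec, frame))
        off += 16 + incl_len
    return linktype, records

# Decode Ethernet/IPv4/TCP into (src_ip, dst_ip, sport, dport); anything else yields None.
def decode_ipv4_tcp(frame):
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4               # IPv4 header length (options allowed)
    if len(frame) < 18 + ihl: return None      # TCP ports must fit after the IPv4 header
    sport, dport = struct.unpack("!HH", frame[14 + ihl:18 + ihl])
    return socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34]), sport, dport

# Equivalent of 'tcpdump -n -r file host H and port P': each term matches either direction.
def filtered_flows(pcap_bytes, host=None, port=None):
    flows = [decode_ipv4_tcp(f) for _, _, f in read_pcap(pcap_bytes)[1]]
    return [f for f in flows if f is not None
            and (host is None or host in f[:2]) and (port is None or port in f[2:])]

# Constructed sample capture: three SYNs; only the first involves 192.168.1.1 on port 443.
SAMPLE_PCAP = write_pcap([(1700000000, 0, build_frame("10.0.0.5", "192.168.1.1", 40000, 443)),
                          (1700000000, 500, build_frame("10.0.0.5", "192.168.1.1", 40001, 80)),
                          (1700000001, 0, build_frame("10.0.0.5", "10.0.0.9", 40002, 443))])
```

Writing `SAMPLE_PCAP` to disk produces a file that `tcpdump -n -r` and Wireshark open directly, so the same host/port filter can be checked against the real tool.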
## Useful tcpdump Options
The `-n` option disables DNS resolution of IP addresses to hostnames, making output faster and avoiding DNS lookups during capture; `-nn` additionally leaves port and protocol numbers unresolved. The `-v` option provides more verbose output, and `-vv` provides even more detail. The `-x` option displays packet data in hexadecimal. The `-A` option displays packet data in ASCII, which is useful for inspecting HTTP traffic. The `-c` option specifies the number of packets to capture before stopping.