In the context of network troubleshooting, tcpdump is a powerful command-line tool used to capture and analyze network traffic in real-time. It allows network administrators, engineers, and security professionals to see what data is being transmitted over a network interface, helping diagnose issues like connectivity problems, network congestion, or malicious activity. At some point you will be expected to learn how to use tcpdump to solve network problems causing serious downtime.
There is significant anecdotal evidence that network engineers spend most of their time troubleshooting problems that end up being an application error. Complaints and misplaced blame from application developers are quite common. By some estimates, application layer issues account for as much as 50-60% of all problems. The packet capture is used as proof to application developers that ‘it’s not the network’.
When it comes to in-depth troubleshooting of network and application issues, few tools are more effective than tcpdump. Lightweight, flexible, and available on almost every UNIX distro, tcpdump lets you capture and analyze network packets directly from the command line. For network engineers and sysadmins, it’s an indispensable skill, especially when you need to diagnose issues quickly, on its own or alongside tools like Wireshark.
Learn how to install and configure tcpdump on Ubuntu, and how to leverage it to troubleshoot network problems. There is coverage of filtering techniques and best practices for working efficiently with packet captures and Wireshark. Download the tcpdump cheat sheet included with this article.
What is tcpdump
tcpdump is a command-line packet analyzer that lets users capture network traffic on an interface and import it into Wireshark. It works by putting the network interface into promiscuous mode and intercepting packets.
- Fast and lightweight — ideal for servers and remote systems over SSH.
- Flexible — supports complex filtering expressions.
- Scriptable — easy to integrate into automated diagnostics and logging.
- Widely available — included in most Linux distributions and BSD variants.
Common Use Cases
- Verifying whether packets arrive or leave a web server.
- Diagnosing slow or failing network connections.
- Capturing traffic for later analysis in Wireshark.
- Debugging application-layer protocols (HTTP, DNS, etc).
- Security investigations and incident response.
Advantages of tcpdump
- No GUI required: perfect for headless servers.
- Powerful filtering capabilities.
- Integration with Wireshark via .pcap files.
- Real-time visibility of packets and flows.
- Easy to script for automation.
Installing tcpdump on Ubuntu
On Ubuntu (or any Debian-based system), installation is straightforward:
sudo apt update
sudo apt install tcpdump
Verify installation:
tcpdump --version
Typical output:
tcpdump version 4.99.3
libpcap version 1.10.4 (with TPACKET_V3)
OpenSSL 3.0.2 15 Mar 2022
Root privileges or capabilities are required to capture traffic. You can use sudo or set capabilities like:
sudo setcap cap_net_raw,cap_net_admin+eip /usr/sbin/tcpdump
Basic Usage
Start a packet capture of all traffic with no filters:
sudo tcpdump
List all interfaces (ens33, eth0, etc):
sudo tcpdump -D
Specify an interface for packet capture:
sudo tcpdump -i ens33
Stop capturing with Ctrl+C.
Common Flags
- -i <interface> — specify network interface
- -n — don’t resolve hostnames
- -nn — don’t resolve hostnames or port names
- -v, -vv, -vvv — increase verbosity
- -c <count> — stop after capturing N packets
- -w <file> — write to a .pcap file
- -r <file> — read from a saved capture file
Example:
sudo tcpdump -i ens33 -c 50 -w capture.pcap
Read it later:
sudo tcpdump -r capture.pcap
Host Filters
Capture all packets on interface ens33 with source or destination host IP address 192.168.1.1
sudo tcpdump -i ens33 host 192.168.1.1
Capture only packets on interface ens33 with source IP address 192.168.1.1
sudo tcpdump -i ens33 src host 192.168.1.1
Capture only packets on interface ens33 with destination IP address 192.168.1.1
sudo tcpdump -i ens33 dst host 192.168.1.1
Port Filters
Capture all packets on interface ens33 where source or destination port is 443 (HTTPS).
sudo tcpdump -i ens33 port 443
Protocol Filters
Capture only TCP packets on interface ens33
sudo tcpdump -i ens33 tcp
Capture only UDP packets on interface ens33
sudo tcpdump -i ens33 udp
Capture only ICMP packets on interface ens33
sudo tcpdump -i ens33 icmp
Logical Operators
Capture all packets on interface ens33 from 192.168.1.1 with destination TCP port 80.
sudo tcpdump -i ens33 'src host 192.168.1.1 and tcp dst port 80'
Capture all packets except those with either source or destination port 22 (SSH).
sudo tcpdump -i ens33 'not port 22'
Complex Filter Expressions
Capture all TCP port 443 (HTTPS) traffic with source or destination IP address 200.200.1.1
sudo tcpdump -i ens33 'host 200.200.1.1 and tcp port 443'
Capture all packets on interface ens33 with source or destination IP address 200.200.1.1 and disable DNS/port number resolution. Each packet will also have a detailed timestamp.
sudo tcpdump -i ens33 -nn -tttt host 200.200.1.1
Capture all DNS query and response traffic (port 53, either direction) on interface ens33.
sudo tcpdump -i ens33 port 53
Capture DNS queries sent via UDP to the Google DNS server (8.8.8.8)
sudo tcpdump -i ens33 'dst host 8.8.8.8 and udp dst port 53'
Capture all HTTP and HTTPS traffic on interface ens33 with verbose output enabled.
sudo tcpdump -i ens33 -nn -vv 'tcp port 80 or port 443'
Capture HTTPS traffic on interface ens33 with source or destination IP address 192.168.1.1
sudo tcpdump -i ens33 'host 192.168.1.1 and port 443'
Capture detailed HTTPS traffic on interface ens33 to inspect SSL/TLS handshake processes.
sudo tcpdump -i ens33 -nn -vvv tcp port 443
Capture all traffic on interface ens33 from subnet 192.168.1.0/24
sudo tcpdump -i ens33 net 192.168.1.0/24
Capture all packets on interface ens33 larger than 1000 bytes.
sudo tcpdump -i ens33 greater 1000
Capture only TCP packets on interface ens33 with the SYN flag set during the start of a connection.
sudo tcpdump -i ens33 'tcp[tcpflags] & tcp-syn != 0'
Save all HTTP and HTTPS traffic on interface ens33 to a capture file for later analysis.
sudo tcpdump -i ens33 -w web_traffic.pcap 'port 80 or port 443'
Capture all traffic on interface ens33 in 10-minute intervals, rotating through six files automatically.
sudo tcpdump -i ens33 -w trace_%Y-%m-%d_%H%M%S.pcap -G 600 -W 6
Performance Considerations and Best Practices
- Always filter to minimize noise.
- Use -n to avoid DNS resolution overhead.
- Limit snap length with -s if payload is not needed:
sudo tcpdump -s 96 -w headers_only.pcap
- Rotate files using -C or -G.
- Use -tttt for timestamps.
- Correlate packet captures with system and application logs.
Integrating tcpdump into Troubleshooting Workflows
- Identify the problem.
- Reproduce or wait for occurrence.
- Run a targeted tcpdump capture.
- Correlate packets with logs or firewall events.
- Analyze deeper in Wireshark if needed.
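As an added example (not part of the article or of tcpdump itself), the helper below post-processes the text output of a capture taken with the SYN filter shown earlier plus -nn -tttt, counting SYNs and SYN-ACKs per client/server pair so the capture shows whether the server ever answered; the sample lines are constructed, and handshake_report and unanswered_count are hypothetical names.

```shell
# Added helper, not from the article: summarise TCP handshakes in the text
# output of a capture run with the SYN filter shown earlier, e.g.
#   sudo tcpdump -i ens33 -nn -tttt 'tcp[tcpflags] & tcp-syn != 0'
# For each client -> server flow it counts SYNs sent and SYN-ACKs returned,
# so a server that never answers stands out before the network is blamed.

# Constructed sample tcpdump output (-nn -tttt format): one handshake to
# 192.168.1.1:443 completes; three SYNs to 192.168.1.20:8080 get no reply.
SAMPLE='2024-05-01 10:00:00.100000 IP 192.168.1.50.51234 > 192.168.1.1.443: Flags [S], seq 1000, win 64240, length 0
2024-05-01 10:00:00.100400 IP 192.168.1.1.443 > 192.168.1.50.51234: Flags [S.], seq 2000, ack 1001, win 65160, length 0
2024-05-01 10:00:00.100900 IP 192.168.1.50.51234 > 192.168.1.1.443: Flags [.], ack 1, win 502, length 0
2024-05-01 10:00:01.000000 IP 192.168.1.50.51240 > 192.168.1.20.8080: Flags [S], seq 3000, win 64240, length 0
2024-05-01 10:00:02.000000 IP 192.168.1.50.51240 > 192.168.1.20.8080: Flags [S], seq 3000, win 64240, length 0
2024-05-01 10:00:04.000000 IP 192.168.1.50.51240 > 192.168.1.20.8080: Flags [S], seq 3000, win 64240, length 0'

# handshake_report: reads tcpdump text lines on stdin and prints one line per
# client -> server.port flow:  <client> -> <server.port> syn=N synack=M OK|UNANSWERED
handshake_report() {
  awk '
    $3 == "IP" && $7 == "Flags" {
      src = $4; dst = $6; sub(/:$/, "", dst); flags = $8
      if (flags == "[S],") {                  # SYN: client is the source, drop its port
        client = src; sub(/\.[0-9]+$/, "", client)
        syn[client " -> " dst]++
      } else if (flags == "[S.],") {          # SYN-ACK: client is the destination
        client = dst; sub(/\.[0-9]+$/, "", client)
        synack[client " -> " src]++
      }
    }
    END {
      for (k in syn)
        printf "%s syn=%d synack=%d %s\n", k, syn[k], synack[k] + 0,
               (synack[k] + 0 > 0 ? "OK" : "UNANSWERED")
    }' | sort
}

# unanswered_count: number of flows whose SYNs never received a SYN-ACK
unanswered_count() {
  printf '%s\n' "$SAMPLE" | handshake_report | grep -c UNANSWERED
}

printf '%s\n' "$SAMPLE" | handshake_report
```

On a live system, feed it the output of the tcpdump command in the comment (or of tcpdump -r on a saved .pcap) instead of the constructed sample.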
tcpdump is more than just a packet sniffer — it’s a powerful diagnostic and security tool that belongs in every network engineer and sysadmin toolkit. Its speed, flexibility, and portability make it ideal for troubleshooting everything from basic connectivity issues to complex application failures and security incidents.
- Install and configure tcpdump on servers you manage.
- Always apply filters to reduce noise and overhead.
- Use timestamps and verbosity wisely to get meaningful data.
- Save and rotate captures for deeper analysis.
- Integrate tcpdump into your troubleshooting workflows.