How to capture network traffic on Linux

You can monitor and analyze network traffic in real-time on Linux systems using packet sniffing tools. tcpdump is a widely-used packet sniffer that is typically available in default package managers for most Linux distributions.

You can use tcpdump from the terminal to capture network packets in Linux.

Steps to capture network traffic in Linux:

Open the terminal.

Determine the network interface you wish to monitor for capturing network traffic.

$ ip address show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:c1:c7:27 brd ff:ff:ff:ff:ff:ff
    inet 192.168.111.209/24 brd 192.168.111.255 scope global dynamic ens33
       valid_lft 1686sec preferred_lft 1686sec
    inet6 fe80::20c:29ff:fec1:c727/64 scope link
       valid_lft forever preferred_lft forever
3: ens38: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:c1:c7:31 brd ff:ff:ff:ff:ff:ff
    inet 10.1.11.168/24 brd 10.1.11.255 scope global dynamic ens38
       valid_lft 553sec preferred_lft 553sec
    inet6 fe80::20c:29ff:fec1:c731/64 scope link
       valid_lft forever preferred_lft forever

If not already installed, install tcpdump for your specific Linux distribution.
```
$ sudo apt update && sudo apt install --assume-yes tcpdump # Ubuntu and Debian
```

Run tcpdump for the chosen network interface.

$ sudo tcpdump --interface=ens33
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
23:51:33.441598 IP 192.168.111.1.17500 > 192.168.111.255.17500: UDP, length 271
23:51:33.443678 IP host.38511 > _gateway.domain: 59312+ PTR? 255.111.168.192.in-addr.arpa. (46)
23:51:33.457610 IP _gateway.domain > host.38511: 59312 NXDomain*- 0/0/0 (46)
23:51:33.458205 IP host.36456 > _gateway.domain: 45040+ PTR? 1.111.168.192.in-addr.arpa. (44)
23:51:33.472273 IP _gateway.domain > host.36456: 45040 NXDomain*- 0/0/0 (44)
23:51:33.473799 IP host.48347 > _gateway.domain: 21130+ PTR? 2.111.168.192.in-addr.arpa. (44)
23:51:33.488758 IP _gateway.domain > host.48347: 21130 NXDomain*- 0/0/0 (44)

Prevent IP address to name resolution to enhance readability.

$ sudo tcpdump --interface=ens33 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
23:53:03.560835 IP 192.168.111.1.17500 > 192.168.111.255.17500: UDP, length 271
23:53:05.017192 ARP, Request who-has 192.168.111.209 tell 192.168.111.1, length 46
23:53:05.017275 ARP, Reply 192.168.111.209 is-at 00:0c:29:c1:c7:27, length 28
23:53:05.017603 IP 192.168.111.1 > 192.168.111.209: ICMP echo request, id 53521, seq 0, length 64
23:53:05.017652 IP 192.168.111.209 > 192.168.111.1: ICMP echo reply, id 53521, seq 0, length 64
23:53:06.020939 IP 192.168.111.1 > 192.168.111.209: ICMP echo request, id 53521, seq 1, length 64
23:53:06.021010 IP 192.168.111.209 > 192.168.111.1: ICMP echo reply, id 53521, seq 1, length 64
23:53:07.024389 IP 192.168.111.1 > 192.168.111.209: ICMP echo request, id 53521, seq 2, length 64

Apply a filter to display network traffic exclusively to and from a specific IP address.

$ sudo tcpdump --interface=ens33 -n host 192.168.111.1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
23:55:40.546464 IP 192.168.111.1 > 192.168.111.209: ICMP echo request, id 64017, seq 0, length 64
23:55:40.546517 IP 192.168.111.209 > 192.168.111.1: ICMP echo reply, id 64017, seq 0, length 64
23:55:41.551452 IP 192.168.111.1 > 192.168.111.209: ICMP echo request, id 64017, seq 1, length 64
23:55:41.551485 IP 192.168.111.209 > 192.168.111.1: ICMP echo reply, id 64017, seq 1, length 64
23:55:42.556106 IP 192.168.111.1 > 192.168.111.209: ICMP echo request, id 64017, seq 2, length 64
23:55:42.556243 IP 192.168.111.209 > 192.168.111.1: ICMP echo reply, id 64017, seq 2, length 64
23:55:43.561055 IP 192.168.111.1 > 192.168.111.209: ICMP echo request, id 64017, seq 3, length 64
23:55:43.561094 IP 192.168.111.209 > 192.168.111.1: ICMP echo reply, id 64017, seq 3, length 64
23:55:43.955857 IP 192.168.111.1.53861 > 192.168.111.209.80: Flags [SEW], seq 3194582235, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 243647685 ecr 0,sackOK,eol], length 0
23:55:43.955909 IP 192.168.111.209.80 > 192.168.111.1.53861: Flags [S.E], seq 4099266365, ack 3194582236, win 65160, options [mss 1460,sackOK,TS val 1285093713 ecr 243647685,nop,wscale 7], length 0
23:55:43.956230 IP 192.168.111.1.53861 > 192.168.111.209.80: Flags [.], ack 1, win 2058, options [nop,nop,TS val 243647685 ecr 1285093713], length 0
23:55:43.956250 IP 192.168.111.1.53861 > 192.168.111.209.80: Flags [P.], seq 1:80, ack 1, win 2058, options [nop,nop,TS val 243647685 ecr 1285093713], length 79: HTTP: GET / HTTP/1.1
23:55:43.956385 IP 192.168.111.209.80 > 192.168.111.1.53861: Flags [.], ack 80, win 509, options [nop,nop,TS val 1285093713 ecr 243647685], length 0
23:55:43.957093 IP 192.168.111.209.80 > 192.168.111.1.53861: Flags [.], seq 1:7241, ack 80, win 509, options [nop,nop,TS val 1285093714 ecr 243647685], length 7240: HTTP: HTTP/1.1 200 OK
23:55:43.957218 IP 192.168.111.1.53861 > 192.168.111.209.80: Flags [.], ack 2897, win 2013, options [nop,nop,TS val 243647686 ecr 1285093714], length 0

Use a filter to view traffic only for a particular port.

$ sudo tcpdump --interface=ens33 -n host 192.168.111.1 and port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
23:56:55.050784 IP 192.168.111.1.53869 > 192.168.111.209.80: Flags [SEW], seq 2286192876, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 243718593 ecr 0,sackOK,eol], length 0
23:56:55.050827 IP 192.168.111.209.80 > 192.168.111.1.53869: Flags [S.E], seq 3111916818, ack 2286192877, win 65160, options [mss 1460,sackOK,TS val 1285164808 ecr 243718593,nop,wscale 7], length 0
23:56:55.051071 IP 192.168.111.1.53869 > 192.168.111.209.80: Flags [.], ack 1, win 2058, options [nop,nop,TS val 243718593 ecr 1285164808], length 0
23:56:55.051080 IP 192.168.111.1.53869 > 192.168.111.209.80: Flags [P.], seq 1:80, ack 1, win 2058, options [nop,nop,TS val 243718593 ecr 1285164808], length 79: HTTP: GET / HTTP/1.1
23:56:55.051099 IP 192.168.111.209.80 > 192.168.111.1.53869: Flags [.], ack 80, win 509, options [nop,nop,TS val 1285164808 ecr 243718593], length 0
23:56:55.051375 IP 192.168.111.209.80 > 192.168.111.1.53869: Flags [.], seq 1:7241, ack 80, win 509, options [nop,nop,TS val 1285164808 ecr 243718593], length 7240: HTTP: HTTP/1.1 200 OK
23:56:55.051501 IP 192.168.111.209.80 > 192.168.111.1.53869: Flags [P.], seq 7241:11174, ack 80, win 509, options [nop,nop,TS val 1285164808 ecr 243718593], length 3933: HTTP
23:56:55.051565 IP 192.168.111.1.53869 > 192.168.111.209.80: Flags [.], ack 2897, win 2013, options [nop,nop,TS val 243718593 ecr 1285164808], length 0
23:56:55.051570 IP 192.168.111.1.53869 > 192.168.111.209.80: Flags [.], ack 5793, win 1968, options [nop,nop,TS val 243718593 ecr 1285164808], length 0
23:56:55.051572 IP 192.168.111.1.53869 > 192.168.111.209.80: Flags [.], ack 5793, win 2048, options [nop,nop,TS val 243718593 ecr 1285164808], length 0
23:56:55.051573 IP 192.168.111.1.53869 > 192.168.111.209.80: Flags [.], ack 8689, win 2002, options [nop,nop,TS val 243718593 ecr 1285164808], length 0
23:56:55.051574 IP 192.168.111.1.53869 > 192.168.111.209.80: Flags [.], ack 11174, win 1963, options [nop,nop,TS val 243718593 ecr 1285164808], length 0
23:56:55.052608 IP 192.168.111.1.53869 > 192.168.111.209.80: Flags [.], ack 11174, win 2048, options [nop,nop,TS val 243718594 ecr 1285164808], length 0
23:56:55.053149 IP 192.168.111.1.53869 > 192.168.111.209.80: Flags [F.], seq 80, ack 11174, win 2048, options [nop,nop,TS val 243718595 ecr 1285164808], length 0
23:56:55.053527 IP 192.168.111.209.80 > 192.168.111.1.53869: Flags [F.], seq 11174, ack 81, win 509, options [nop,nop,TS val 1285164810 ecr 243718595], length 0
23:56:55.054224 IP 192.168.111.1.53869 > 192.168.111.209.80: Flags [.], ack 11175, win 2048, options [nop,nop,TS val 243718595 ecr 1285164810], length 0

Save the captured network packets to disk.

$ sudo tcpdump --interface=ens33 -n host 192.168.111.1 and port 80 -w packet-dump.pcap
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
^C16 packets captured
16 packets received by filter
0 packets dropped by kernel

Confirm that the network traffic file is saved accurately.

$ file packet-dump.pcap
packet-dump.pcap: pcap capture file, microsecond ts (little-endian) - version 2.4 (Ethernet, capture length 262144)

Use tcpdump to read the saved network packet dump.

$ tcpdump -r packet-dump.pcap
reading from file packet-dump.pcap, link-type EN10MB (Ethernet)
00:00:12.131083 IP 192.168.111.1.53895 > host.http: Flags [SEW], seq 863662690, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 243914992 ecr 0,sackOK,eol], length 0
00:00:12.131113 IP host.http > 192.168.111.1.53895: Flags [S.E], seq 2897562547, ack 863662691, win 65160, options [mss 1460,sackOK,TS val 1285361888 ecr 243914992,nop,wscale 7], length 0
00:00:12.131274 IP 192.168.111.1.53895 > host.http: Flags [.], ack 1, win 2058, options [nop,nop,TS val 243914992 ecr 1285361888], length 0
00:00:12.131280 IP 192.168.111.1.53895 > host.http: Flags [P.], seq 1:80, ack 1, win 2058, options [nop,nop,TS val 243914992 ecr 1285361888], length 79: HTTP: GET / HTTP/1.1
00:00:12.131300 IP host.http > 192.168.111.1.53895: Flags [.], ack 80, win 509, options [nop,nop,TS val 1285361888 ecr 243914992], length 0
00:00:12.131855 IP host.http > 192.168.111.1.53895: Flags [.], seq 1:7241, ack 80, win 509, options [nop,nop,TS val 1285361889 ecr 243914992], length 7240: HTTP: HTTP/1.1 200 OK
00:00:12.131917 IP host.http > 192.168.111.1.53895: Flags [P.], seq 7241:11174, ack 80, win 509, options [nop,nop,TS val 1285361889 ecr 243914992], length 3933: HTTP
00:00:12.132149 IP 192.168.111.1.53895 > host.http: Flags [.], ack 2897, win 2013, options [nop,nop,TS val 243914993 ecr 1285361889], length 0
00:00:12.132180 IP 192.168.111.1.53895 > host.http: Flags [.], ack 5793, win 1968, options [nop,nop,TS val 243914993 ecr 1285361889], length 0
00:00:12.132184 IP 192.168.111.1.53895 > host.http: Flags [.], ack 5793, win 2048, options [nop,nop,TS val 243914993 ecr 1285361889], length 0
00:00:12.132185 IP 192.168.111.1.53895 > host.http: Flags [.], ack 8689, win 2002, options [nop,nop,TS val 243914993 ecr 1285361889], length 0
00:00:12.132188 IP 192.168.111.1.53895 > host.http: Flags [.], ack 11174, win 1963, options [nop,nop,TS val 243914993 ecr 1285361889], length 0
00:00:12.132801 IP 192.168.111.1.53895 > host.http: Flags [.], ack 11174, win 2048, options [nop,nop,TS val 243914993 ecr 1285361889], length 0
00:00:12.133426 IP 192.168.111.1.53895 > host.http: Flags [F.], seq 80, ack 11174, win 2048, options [nop,nop,TS val 243914994 ecr 1285361889], length 0
00:00:12.133545 IP host.http > 192.168.111.1.53895: Flags [F.], seq 11174, ack 81, win 509, options [nop,nop,TS val 1285361890 ecr 243914994], length 0
00:00:12.133772 IP 192.168.111.1.53895 > host.http: Flags [.], ack 11175, win 2048, options [nop,nop,TS val 243914994 ecr 1285361890], length 0

Author: Mohd Shakir Zakaria
Mohd Shakir Zakaria is a skilled cloud architect with a background in development, entrepreneurship, and open-source advocacy. As the founder of Simplified Guide, he helps others understand the complexities of computing, making tech concepts accessible to all.

Discuss the article:

Comment anonymously. Login not required.