Capturing network traffic on Linux reveals the actual packets traversing an interface, making connection problems, latency issues, and unexpected communication patterns visible. Packet-level inspection helps validate firewall rules, confirm application behavior, and detect suspicious or misconfigured traffic on a host or segment.

The tcpdump utility is a classic command-line packet sniffer that hooks into libpcap to capture traffic from a chosen network interface. Filters based on hosts, ports, and protocols keep the output focused, while options such as -n and -v control how much metadata is decoded and displayed during the capture.

Packet capture usually requires elevated privileges and can expose sensitive information such as cookies, credentials, or session tokens. Encrypting the transport layer (for example, with TLS) hides payloads but leaves headers visible, so choosing the correct interface, narrowing the filters, and storing captured .pcap files securely are essential for safe analysis.

Steps to capture network traffic in Linux:

  1. Open a terminal with access to sudo privileges.
    $ whoami
    root

  2. Identify the network interface that carries the traffic of interest.
    $ ip address show
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
        inet 192.0.2.53/32 scope global lo
           valid_lft forever preferred_lft forever
        inet 192.0.2.54/32 scope global lo
           valid_lft forever preferred_lft forever
        inet6 ::1/128 scope host 
           valid_lft forever preferred_lft forever
    ##### snipped #####
    11: eth0@if311: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 65535 qdisc noqueue state UP group default 
        link/ether c6:5e:17:82:1c:3e brd ff:ff:ff:ff:ff:ff link-netnsid 0
        inet 192.0.2.40/24 brd 192.0.2.255 scope global eth0
           valid_lft forever preferred_lft forever

    Choose the interface that corresponds to the network being investigated, for example eth0.

  3. Ensure tcpdump is available on the system.
    $ sudo apt update && sudo apt install --assume-yes tcpdump

    On Ubuntu and Debian, tcpdump is provided by the standard apt repositories; other distributions offer it via their own package managers.

  4. Capture all packets on the selected interface using tcpdump.
    $ sudo tcpdump --interface=eth0
    tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
    04:40:08.437384 IP linux-lab > api.example.net: ICMP echo request, id 17, seq 1, length 64
    04:40:08.466067 IP linux-lab.44100 > 192.0.2.53.domain: 19050+ PTR? 50.113.0.203.in-addr.arpa. (38)
    04:40:08.584442 IP api.example.net > linux-lab: ICMP echo reply, id 17, seq 1, length 64
    04:40:08.618465 IP 192.0.2.53.domain > linux-lab.44100: 19050 1/0/0 PTR api.example.net. (87)
    04:40:09.440297 IP linux-lab > api.example.net: ICMP echo request, id 17, seq 2, length 64
    04:40:09.491092 IP linux-lab.55475 > 192.0.2.53.domain: 45334+ PTR? 40.2.0.192.in-addr.arpa. (43)
    6 packets captured
    9 packets received by filter
    0 packets dropped by kernel

    This command captures all traffic on eth0 and displays the decoded packets in real time; press Ctrl+C to stop the capture.

    Packet captures may include credentials and other sensitive data, so restrict access to the terminal session and any stored capture files.

  5. Disable IP address name resolution for clearer, faster output.
    $ sudo tcpdump --interface=eth0 -n
    tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
    04:40:11.603686 IP 192.0.2.40 > 203.0.113.50: ICMP echo request, id 18, seq 1, length 64
    04:40:11.759245 IP 203.0.113.50 > 192.0.2.40: ICMP echo reply, id 18, seq 1, length 64
    04:40:12.610824 IP 192.0.2.40 > 203.0.113.50: ICMP echo request, id 18, seq 2, length 64
    04:40:12.760679 IP 203.0.113.50 > 192.0.2.40: ICMP echo reply, id 18, seq 2, length 64
    04:40:13.615020 IP 192.0.2.40 > 203.0.113.50: ICMP echo request, id 18, seq 3, length 64
    04:40:13.760101 IP 203.0.113.50 > 192.0.2.40: ICMP echo reply, id 18, seq 3, length 64
    6 packets captured
    6 packets received by filter
    0 packets dropped by kernel

    The -n option disables DNS lookups, which reduces noise and avoids delays caused by reverse name resolution.

  6. Filter network traffic by a specific IP address to focus on one host.
    $ sudo tcpdump --interface=eth0 -n host 203.0.113.50
    tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
    04:40:15.704455 IP 192.0.2.40 > 203.0.113.50: ICMP echo request, id 19, seq 1, length 64
    04:40:15.851588 IP 203.0.113.50 > 192.0.2.40: ICMP echo reply, id 19, seq 1, length 64
    04:40:16.712081 IP 192.0.2.40 > 203.0.113.50: ICMP echo request, id 19, seq 2, length 64
    04:40:16.859638 IP 203.0.113.50.443 > 192.0.2.40.37246: Flags [S.], seq 4115690214, ack 3523206950, win 65408, options [mss 65495,sackOK,TS val 3034067879 ecr 741249114,nop,wscale 7], length 0
    4 packets captured
    4 packets received by filter
    0 packets dropped by kernel

  7. Filter traffic further by restricting to a specific port on that host.
    $ sudo tcpdump --interface=eth0 -n host 203.0.113.50 and port 443
    tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
    6 packets captured
    24 packets received by filter
    0 packets dropped by kernel
    04:40:18.845940 IP 192.0.2.40.37246 > 203.0.113.50.443: Flags [S], seq 3523206949, win 65495, options [mss 65495,sackOK,TS val 741249114 ecr 0,nop,wscale 7], length 0
    04:40:18.993839 IP 203.0.113.50.443 > 192.0.2.40.37246: Flags [S.], seq 4115690214, ack 3523206950, win 65408, options [mss 65495,sackOK,TS val 3034067879 ecr 741249114,nop,wscale 7], length 0
    04:40:18.993890 IP 192.0.2.40.37246 > 203.0.113.50.443: Flags [.], ack 1, win 512, options [nop,nop,TS val 741249262 ecr 3034067879], length 0
    04:40:18.997011 IP 192.0.2.40.37246 > 203.0.113.50.443: Flags [P.], seq 1:518, ack 1, win 512, options [nop,nop,TS val 741249265 ecr 3034067879], length 517
    04:40:18.997396 IP 203.0.113.50.443 > 192.0.2.40.37246: Flags [.], ack 518, win 506, options [nop,nop,TS val 3034067882 ecr 741249265], length 0
    04:40:19.143879 IP 203.0.113.50.443 > 192.0.2.40.37246: Flags [P.], seq 1:1441, ack 518, win 4096, options [nop,nop,TS val 3034068029 ecr 741249265], length 1440

  8. Save the filtered packets to a .pcap file for later analysis.
    $ sudo tcpdump --interface=eth0 -n host 203.0.113.50 and port 443 -w /root/packet-dump.pcap
    tcpdump: listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
    6 packets captured
    23 packets received by filter
    0 packets dropped by kernel

    The -w option writes the raw packets in pcap format to /root/packet-dump.pcap instead of printing decoded lines to the terminal. Because the file holds full packet payloads, keep it readable only by the analyst (for example, chmod 600).

  9. Verify the saved packet capture file type to confirm it was created correctly.
    $ file /root/packet-dump.pcap
    /root/packet-dump.pcap: pcap capture file, microsecond ts (little-endian) - version 2.4 (Ethernet, capture length 262144)

  10. Read the saved capture file with tcpdump to replay and inspect the packets.
    $ tcpdump -r /root/packet-dump.pcap
    reading from file /root/packet-dump.pcap, link-type EN10MB (Ethernet), snapshot length 262144
    04:40:20.910100 IP linux-lab.37254 > 203.0.113.50.https: Flags [S], seq 3732636534, win 65495, options [mss 65495,sackOK,TS val 741251226 ecr 0,nop,wscale 7], length 0
    04:40:21.059905 IP 203.0.113.50.https > linux-lab.37254: Flags [S.], seq 2252347567, ack 3732636535, win 65408, options [mss 65495,sackOK,TS val 3034069991 ecr 741251226,nop,wscale 7], length 0
    04:40:21.059990 IP linux-lab.37254 > 203.0.113.50.https: Flags [.], ack 1, win 512, options [nop,nop,TS val 741251376 ecr 3034069991], length 0
    04:40:21.064010 IP linux-lab.37254 > 203.0.113.50.https: Flags [P.], seq 1:518, ack 1, win 512, options [nop,nop,TS val 741251380 ecr 3034069991], length 517
    04:40:21.064278 IP 203.0.113.50.https > linux-lab.37254: Flags [.], ack 518, win 506, options [nop,nop,TS val 3034069996 ecr 741251380], length 0
    04:40:21.212323 IP 203.0.113.50.https > linux-lab.37254: Flags [P.], seq 1:3295, ack 518, win 4096, options [nop,nop,TS val 3034069996 ecr 741251380], length 3294
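
The workflow from steps 6 to 9 wrapped into reusable shell functions, as an added example that is not part of the original guide. It assumes a POSIX shell with od and mktemp; capture_to_file additionally assumes tcpdump is installed and that the script runs as root (matching the whoami output in step 1). The input validation, the -c packet limit, the chmod on the output file and the header check are additions of this example, not part of the original commands; the sample pcap header it writes is constructed for demonstration.

```shell
#!/bin/sh
# Added example: helper functions around the tcpdump workflow described above.
# Assumes a POSIX shell with od and mktemp; capture_to_file additionally
# assumes tcpdump is installed and that the script runs as root.

# Coarse IPv4 syntax check applied before a host is placed in a filter.
is_ipv4() {
  case "$1" in ''|*[!0-9.]*) return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
}

# Build the BPF filter from steps 6 and 7 ("host H" or "host H and port P"),
# rejecting malformed input so a typo cannot silently widen the capture.
build_filter() {
  host=$1; port=$2
  is_ipv4 "$host" || { echo "invalid host: $host" >&2; return 1; }
  if [ -z "$port" ]; then
    printf 'host %s\n' "$host"
    return 0
  fi
  case "$port" in *[!0-9]*) echo "invalid port: $port" >&2; return 1 ;; esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range: $port" >&2; return 1; }
  printf 'host %s and port %s\n' "$host" "$port"
}

# Step 8 capture with a packet limit so the command terminates on its own,
# options placed ahead of the filter expression, and the file locked down.
capture_to_file() {
  iface=$1; host=$2; port=$3; out=$4; count=${5:-100}
  filter=$(build_filter "$host" "$port") || return 1
  # $filter is deliberately unquoted: tcpdump expects each filter token as a
  # separate argument.
  tcpdump -i "$iface" -n -c "$count" -w "$out" $filter || return 1
  chmod 600 "$out"
}

# Inspect the pcap global header, as the file command does in step 9, so a
# truncated or non-pcap file is caught before anyone tries to read it.
pcap_kind() {
  magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
  case "$magic" in
    d4c3b2a1) echo "pcap microsecond little-endian" ;;
    a1b2c3d4) echo "pcap microsecond big-endian" ;;
    4d3cb2a1) echo "pcap nanosecond little-endian" ;;
    a1b23c4d) echo "pcap nanosecond big-endian" ;;
    0a0d0d0a) echo "pcapng" ;;
    *)        echo "not a pcap file"; return 1 ;;
  esac
}

# Constructed sample: a 24-byte pcap global header (little-endian, microsecond
# timestamps, version 2.4, snaplen 262144, link type 1 = Ethernet) so pcap_kind
# can be exercised without a live capture.
write_sample_header() {
  {
    printf '\324\303\262\241'            # magic 0xa1b2c3d4, little-endian
    printf '\002\000\004\000'            # version 2.4
    printf '\000\000\000\000'            # thiszone
    printf '\000\000\000\000'            # sigfigs
    printf '\000\000\004\000'            # snaplen 262144
    printf '\001\000\000\000'            # link type 1 (Ethernet)
  } > "$1"
}

# Offline demonstration: write the constructed header and classify it.
demo=$(mktemp) && write_sample_header "$demo" && pcap_kind "$demo"
rm -f "$demo"
```

A live run would be `capture_to_file eth0 203.0.113.50 443 /root/packet-dump.pcap 50`, after which `pcap_kind /root/packet-dump.pcap` should report the same microsecond little-endian format that step 9 shows and `tcpdump -r` can replay it as in step 10.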