Tcpdump is a command-line utility used to capture and analyze network traffic. It can capture packets in real-time, display them in a readable format, and store them in a PCAP (Packet Capture) file for later analysis. PCAP files are essential for performing detailed network diagnostics, as they contain raw network data that can be examined with tools like Wireshark.
A PCAP file records network packets, providing valuable insights into traffic patterns, protocols, and communication behavior. Tcpdump allows users to target specific network traffic by filtering based on protocols, hosts, or ports, which is useful for collecting only relevant packets. This helps reduce unnecessary data and keeps the PCAP file size manageable.
By using tcpdump to save data to a PCAP file, administrators can inspect the traffic offline at a later time. This is critical for troubleshooting, detecting security issues, and performing forensic analysis: a stored capture can be examined repeatedly and with more powerful tools than a live terminal, which makes it easier to identify potential issues or anomalies.
Steps to save traffic to a PCAP file:
- Open a terminal.
- Identify the network interface.
$ tcpdump -D
1.eth0
2.wlan0
3.lo
Use this list to identify the active network interface where you want to capture traffic.
- Choose the correct interface.
Select the appropriate network interface (e.g., eth0, wlan0) to monitor traffic.
- Start capturing traffic and save it to a PCAP file.
$ sudo tcpdump -i eth0 -w capture_output.pcap
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
1290 packets captured
1292 packets received by filter
0 packets dropped by kernel
This command starts capturing traffic on the eth0 interface and saves it to the file capture_output.pcap.
- Add filters to capture specific traffic.
$ sudo tcpdump -i eth0 host 192.168.1.10 -w host_traffic.pcap
This command captures traffic to and from the host 192.168.1.10 and saves it to the file host_traffic.pcap.
- Optionally, set a limit on the size of the capture file.
$ sudo tcpdump -i eth0 -C 100 -w limited_capture.pcap
This command limits the PCAP file size to 100MB, creating a new file when the size is exceeded. The files will be named sequentially, e.g., limited_capture.pcap, limited_capture1.pcap.
- Stop the capture manually.
Press Ctrl+C to stop the capture after you have collected enough data.
- Analyze the saved PCAP file.
$ tcpdump -r capture_output.pcap
reading from file capture_output.pcap, link-type EN10MB (Ethernet)
10:15:25.543211 IP 192.168.1.10 > 192.168.1.1: ICMP echo request, id 7890, seq 1, length 64
10:15:25.543211 IP 192.168.1.1 > 192.168.1.10: ICMP echo reply, id 7890, seq 1, length 64
This command reads and displays the contents of the PCAP file for further analysis.
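To show what a file written by tcpdump -w actually contains, here is an added Python example (not from the original article): it builds the two ICMP packets from the sample output above, writes them to a pcap file using the same global-header values tcpdump reports (link-type EN10MB, snaplen 262144), then parses the file back and produces tcpdump -r style summary lines. The MAC addresses, the IP identification field and the 56-byte echo payload are constructed placeholders.

```python
import pathlib, socket, struct, tempfile, time
# libpcap global header values as written by "tcpdump -w" on an Ethernet interface
PCAP_MAGIC, LINKTYPE_ETHERNET, SNAPLEN = 0xA1B2C3D4, 1, 262144
def checksum(data: bytes) -> int:  # RFC 1071 ones-complement sum (even length assumed)
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    s = (s >> 16) + (s & 0xFFFF)
    return (~(s + (s >> 16))) & 0xFFFF

def icmp_echo_frame(src: str, dst: str, icmp_type: int, ident: int, seq: int) -> bytes:
    # Ethernet + IPv4 + ICMP echo; MAC addresses and the 56-byte payload are placeholders
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + bytes(56)
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0, 64, 1, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return bytes.fromhex("020000000001" "020000000002" "0800") + ip + icmp

def write_pcap(path: str, records) -> None:
    # records: (ts_sec, ts_usec, frame) tuples; each record gets a 16-byte header
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, SNAPLEN, LINKTYPE_ETHERNET)
    recs = [struct.pack("<IIII", s, u, len(f), len(f)) + f for s, u, f in records]
    pathlib.Path(path).write_bytes(hdr + b"".join(recs))

def summarize(sec: int, usec: int, frame: bytes) -> str:
    # one line per packet in the style of "tcpdump -r", for IPv4 frames carrying ICMP echo
    ts = time.strftime("%H:%M:%S", time.gmtime(sec)) + ".%06d" % usec
    if frame[12:14] != b"\x08\x00" or frame[23] != 1:
        return "%s non-IPv4/ICMP frame, %d bytes" % (ts, len(frame))
    ihl, total = (frame[14] & 0x0F) * 4, struct.unpack("!H", frame[16:18])[0]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    kind = {8: "echo request", 0: "echo reply"}.get(frame[14 + ihl], "type %d" % frame[14 + ihl])
    ident, seq = struct.unpack("!HH", frame[18 + ihl:22 + ihl])
    return "%s IP %s > %s: ICMP %s, id %d, seq %d, length %d" % (ts, src, dst, kind, ident, seq, total - ihl)

def read_pcap(path: str) -> list:
    # parse a pcap file written in either byte order and summarize every record
    data = pathlib.Path(path).read_bytes()
    order = "<" if data[:4] == struct.pack("<I", PCAP_MAGIC) else ">"
    lines, pos = [], 24
    while pos + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack(order + "IIII", data[pos:pos + 16])
        lines.append(summarize(sec, usec, data[pos + 16:pos + 16 + caplen]))
        pos += 16 + caplen
    return lines

def roundtrip(path: str = None) -> list:
    # write the two ICMP packets from the sample output above (10:15:25.543211 UTC), read back
    path = path or tempfile.mktemp(suffix=".pcap")
    write_pcap(path, [(36925, 543211, icmp_echo_frame("192.168.1.10", "192.168.1.1", 8, 7890, 1)),
                      (36925, 543211, icmp_echo_frame("192.168.1.1", "192.168.1.10", 0, 7890, 1))])
    return read_pcap(path)
```

The file produced by roundtrip() can also be opened with `tcpdump -r` or Wireshark, which is a quick way to confirm that a parser agrees with the reference tools.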

Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.