Supplemental 74: tcpdump Complete Guide: Capturing at Command Line

Author: Patrick Luan de Mattos
Category: network-l1
Level: Intermediate
Generated: 2026-04-22T16:42:03.841Z

SUPPLEMENTAL CHAPTER: Serial 74

tcpdump Complete Guide: Capturing at the Command Line

Focus: BPF Syntax, Protocol Filters, Interface Selection, PCAP Write, Flow Following
Level: Intermediate

The command-line packet analyzer, tcpdump, is an indispensable tool for network professionals, security analysts, and developers alike. Its ability to capture and display network traffic in real-time, coupled with its powerful filtering capabilities, makes it a cornerstone for understanding network behavior, diagnosing connectivity issues, and investigating potential security incidents. This chapter provides a comprehensive guide to mastering tcpdump, delving deep into its syntax, filtering mechanisms, and practical applications, particularly for cybersecurity professionals keen on identifying potential threats like zerosdays or analyzing exploits.

While tools like Wireshark offer a graphical interface for packet analysis, tcpdump excels in environments where a GUI is unavailable or impractical, such as remote servers or embedded systems. Furthermore, its scripting capabilities allow for automated packet captures and analysis, crucial for continuous monitoring and incident response. Understanding tcpdump is not just about seeing packets; it's about dissecting network conversations, identifying anomalies, and ultimately, securing the network.

This chapter will equip you with the knowledge to effectively leverage tcpdump for a wide range of tasks. We will explore the intricacies of Berkeley Packet Filter (BPF) syntax for precise packet selection, learn how to target specific protocols and interfaces, understand how to save captured data for later analysis using the PCAP format, and discover techniques for following network flows. Whether you are investigating a suspected CVE-2026-5281 exploit, analyzing traffic patterns related to an anthropic claude code vulnerability, or simply troubleshooting a network problem, this guide will empower you to extract meaningful insights from your network traffic.

1. Introduction to tcpdump

tcpdump (packet dump) is a command-line packet sniffer that captures and displays network traffic. It operates by listening to network interfaces and, based on specified filters, records packets that match the criteria. The captured packets can be displayed directly on the console or saved to a file for offline analysis.

Core Functionality:

• Packet Capture: Intercepts network packets traversing a specified network interface.
• Filtering: Allows users to define precise criteria for which packets to capture, significantly reducing noise and focusing on relevant data.
• Display: Presents captured packets in a human-readable format, detailing packet headers and, optionally, payloads.
• File Output: Saves captured packets in the standard .pcap (packet capture) format, compatible with other network analysis tools like Wireshark.

Use Cases in Cybersecurity:

• Intrusion Detection: Identifying suspicious traffic patterns, unauthorized access attempts, or the presence of malware.
• Vulnerability Analysis: Capturing traffic related to known vulnerabilities (e.g., CVE-2026-5281, CVE-2026-20963) to understand exploit mechanics or confirm remediation.
• Incident Response: Gathering forensic data during a security incident for post-mortem analysis.
• Malware Analysis: Observing network communication of suspected malicious software.
• Threat Hunting: Proactively searching for signs of compromise or advanced persistent threats (APTs).
• Understanding Network Protocols: Deep diving into the intricacies of protocols like DNS (RFC 1035, RFC 2181) or TCP/IP.

Installation:

tcpdump is typically pre-installed on most Unix-like operating systems (Linux, macOS). On Debian/Ubuntu systems, you can install it using:

sudo apt update
sudo apt install tcpdump

On Red Hat/CentOS/Fedora systems:

sudo yum install tcpdump
# or
sudo dnf install tcpdump

2. Interface Selection

The first step in capturing traffic is to identify the network interface you want to monitor. tcpdump needs to know where to "listen."

Listing Available Interfaces:

To see a list of available network interfaces on your system, you can use the -D option:

sudo tcpdump -D

Example Output:

1.eth0 [Up, Running, Connected, Broadcom BCM57780 Gigabit Ethernet Controller]
2.eth1 [Up, Running, Connected, Realtek RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller]
3.lo [Up, Running, Loopback]
4.any (Pseudo-interface, traffic should not be captured on raw devices)
5.bluetooth0 [Down]

The output typically lists interfaces by number and name, along with a description. Common interface names include eth0, eth1 (for Ethernet), wlan0 (for Wi-Fi), and lo (for the loopback interface).

Specifying an Interface:

To capture traffic on a specific interface, use the -i option followed by the interface name or number.

# Capture traffic on eth0
sudo tcpdump -i eth0

# Capture traffic on interface number 1 (often eth0)
sudo tcpdump -i 1

Capturing on All Interfaces (with caution):

You can attempt to capture on all interfaces, but this can generate a massive amount of data and is generally not recommended unless you have a specific reason. The any pseudo-interface can be used, but it has limitations and might not capture all traffic depending on the operating system and hardware.

# Attempt to capture on all interfaces (use with caution)
sudo tcpdump -i any

Important Note on Permissions: Capturing network traffic requires root privileges. Always use sudo when running tcpdump unless your user has been specifically granted packet capture permissions.

3. Berkeley Packet Filter (BPF) Syntax

The power of tcpdump lies in its ability to filter traffic using the Berkeley Packet Filter (BPF) syntax. This allows you to specify exactly which packets you want to capture, dramatically improving efficiency and reducing the amount of data you need to analyze. BPF filters are evaluated on a per-packet basis by the kernel, making them very efficient.

BPF filters are composed of one or more expressions. An expression consists of one or more primitives. A primitive can be a name (e.g., an identifier for a host, network, or protocol), a number (e.g., an IP address, port number), or a name=value expression. Primitives can be combined using operators.

Basic Structure of a Filter:

[type] [direction] [proto] [qualifier]

• Type: host, net, port, portrange
• Direction: src, dst
• Protocol: tcp, udp, icmp, arp, ip, ip6, ether
• Qualifier: ether, fddi, tr, wlan, p80211, atm, link, ip, ip6, decnet, tcp, udp, icmp, arp, rarp, vlan, pppoe, pppoed, pppoes

Common Operators:

• and or &&: Logical AND
• or or ||: Logical OR
• not or !: Logical NOT
• (): Grouping expressions

Common Primitives and Examples:

1. Host-based Filtering:

   • host <hostname or IP>: Matches packets where the source or destination IP address is <hostname or IP>.

     # Capture traffic to/from host 192.168.1.100
     sudo tcpdump -i eth0 host 192.168.1.100

   • src host <hostname or IP>: Matches packets where the source IP address is <hostname or IP>.

     # Capture traffic originating from 192.168.1.100
     sudo tcpdump -i eth0 src host 192.168.1.100

   • dst host <hostname or IP>: Matches packets where the destination IP address is <hostname or IP>.

     # Capture traffic destined for 192.168.1.100
     sudo tcpdump -i eth0 dst host 192.168.1.100

2. Network-based Filtering:

   • net <network/mask>: Matches packets originating from or destined for a network.

     # Capture traffic to/from the 192.168.1.0/24 network
     sudo tcpdump -i eth0 net 192.168.1.0/24

   • src net <network/mask>: Matches packets originating from a network.
   • dst net <network/mask>: Matches packets destined for a network.

3. Port-based Filtering:

   • port <port number>: Matches packets where the source or destination port is <port number>.

     # Capture traffic on port 80 (HTTP)
     sudo tcpdump -i eth0 port 80

   • src port <port number>: Matches packets where the source port is <port number>.
   • dst port <port number>: Matches packets where the destination port is <port number>.
   • portrange <port1>-<port2>: Matches packets where the source or destination port falls within the specified range.

     # Capture traffic on ports 20-21 (FTP)
     sudo tcpdump -i eth0 portrange 20-21

4. Protocol Filtering:

   • tcp, udp, icmp, arp, ip, ip6: Filter by specific protocols.

     # Capture only ICMP traffic
     sudo tcpdump -i eth0 icmp
     
     # Capture only TCP traffic
     sudo tcpdump -i eth0 tcp
     
     # Capture only UDP traffic
     sudo tcpdump -i eth0 udp

   • You can combine protocol filters with other primitives.

     # Capture TCP traffic to/from host 192.168.1.100
     sudo tcpdump -i eth0 tcp and host 192.168.1.100
     
     # Capture UDP traffic on port 53 (DNS)
     sudo tcpdump -i eth0 udp port 53

5. Ethernet-level Filtering:

   • ether src <MAC address>: Matches packets with a specific source MAC address.

     # Capture traffic from a specific MAC address
     sudo tcpdump -i eth0 ether src 00:1A:2B:3C:4D:5E

   • ether dst <MAC address>: Matches packets with a specific destination MAC address.
   • ether proto <protocol type>: Matches packets with a specific Ethernet protocol type (e.g., ip, ip6, arp).

     # Capture non-IP traffic at the Ethernet layer
     sudo tcpdump -i eth0 ether proto \! ip

6. Advanced Filtering with Logical Operators:

   • and (&&), or (||), not (!) are crucial for building complex filters.

     # Capture traffic from 192.168.1.100 to 192.168.1.200 on port 80
     sudo tcpdump -i eth0 src host 192.168.1.100 and dst host 192.168.1.200 and tcp port 80
     
     # Capture traffic to or from host 192.168.1.50, but not on port 22 (SSH)
     sudo tcpdump -i eth0 host 192.168.1.50 and not port 22
     
     # Capture DNS queries (UDP port 53) from any host on the local network
     sudo tcpdump -i eth0 udp port 53

BPF Filter Examples for Security Analysis:

• Detecting potential exploit traffic:

  • Look for unusual port combinations or protocols. For example, if you suspect a CVE-2026-5281 exploit, you might try to filter for traffic patterns associated with that specific CVE if known, or look for unexpected outbound connections from critical servers.
  • Example: If a specific exploit is known to target a certain application port, you'd filter for that.

    # Hypothetical: Capture traffic to a known exploit target port
    sudo tcpdump -i eth0 dst port 12345

• Monitoring for specific command injection attempts:

  • While tcpdump itself cannot parse application-layer payloads for specific injection strings without advanced features or integration with other tools, you can filter for traffic to web servers (port 80/443) and then analyze the captured payloads.

    # Capture HTTP traffic
    sudo tcpdump -i eth0 tcp port 80

• Analyzing DNS anomalies:

  • DNS is a common vector for attacks. Monitoring DNS traffic can reveal malicious domain lookups or DNS tunneling.

    # Capture all DNS traffic
    sudo tcpdump -i eth0 udp port 53

  • This can help identify attempts to resolve domains associated with malware or phishing campaigns.

• Identifying suspicious outbound connections:

  • Many malware and botnets attempt to "phone home." Monitoring outbound connections can reveal such activity.

    # Capture outbound traffic from your network to external IPs on common C2 ports
    sudo tcpdump -i eth0 src net 192.168.1.0/24 and not dst net 192.168.1.0/24 and \( tcp port 80 or tcp port 443 or tcp port 8080 \)

    (This example captures outbound HTTP/HTTPS traffic from the local network to external IPs.)

• Detecting unauthorized network services:

  • If a server is compromised and starts offering new services, you might see unexpected traffic on certain ports.

    # Capture traffic on an unexpected port, e.g., 23 (Telnet) if it shouldn't be running
    sudo tcpdump -i eth0 tcp port 23

Note on any and Protocol Filtering: When using the any pseudo-interface, filtering by specific protocols like tcp or udp might not be as effective as on a physical interface, as it's capturing at a lower level. You might need to filter by Ethernet frame types if necessary.

4. Protocol Filters and Specific Protocols

tcpdump allows for granular filtering based on network protocols. This is essential for isolating specific types of communication.

Common Protocol Filters:

• ip: IPv4 packets.
• ip6: IPv6 packets.
• arp: ARP (Address Resolution Protocol) packets.
• rarp: Reverse ARP packets.
• icmp: ICMP (Internet Control Message Protocol) packets.
• icmp6: ICMPv6 packets.
• tcp: TCP (Transmission Control Protocol) packets.
• udp: UDP (User Datagram Protocol) packets.
• ether: Ethernet frames.
• vlan: VLAN tagged frames.

Combining Protocol Filters:

You can combine protocol filters using logical operators.

# Capture both TCP and UDP traffic
sudo tcpdump -i eth0 'tcp or udp'

# Capture IP traffic that is NOT TCP or UDP (e.g., ICMP, ARP)
sudo tcpdump -i eth0 'ip and not (tcp or udp)'

Deep Dive into Specific Protocols:

• TCP:

  • tcp[tcpflags] can be used to filter by TCP flags (SYN, ACK, FIN, RST, PSH, URG).

  • tcp[0:2] refers to the first two bytes of the TCP header.

  • tcp[13] refers to the TCP flags byte.

  • TCP Flags Byte Breakdown:

    • Bit 0: URG (Urgent Pointer field is significant)
    • Bit 1: ACK (Acknowledgment field is significant)
    • Bit 2: PSH (Push Function)
    • Bit 3: RST (Reset the connection)
    • Bit 4: SYN (Synchronize sequence numbers)
    • Bit 5: FIN (No more data from sender)

  • Example: Capturing TCP SYN packets (connection initiation):

    sudo tcpdump -i eth0 'tcp[tcpflags] & (tcp-syn) != 0'

    The & (tcp-syn) != 0 checks if the SYN flag is set. tcp-syn is a shorthand for 0x02.

  • Example: Capturing TCP RST packets (connection reset):

    sudo tcpdump -i eth0 'tcp[tcpflags] & (tcp-rst) != 0'

    tcp-rst is a shorthand for 0x04.

  • Example: Capturing TCP FIN packets (connection termination):

    sudo tcpdump -i eth0 'tcp[tcpflags] & (tcp-fin) != 0'

    tcp-fin is a shorthand for 0x01.

  • Example: Capturing TCP ACK packets (acknowledgment):

    sudo tcpdump -i eth0 'tcp[tcpflags] & (tcp-ack) != 0'

    tcp-ack is a shorthand for 0x10.

  • Example: Capturing TCP SYN-ACK packets (server response to SYN):

    sudo tcpdump -i eth0 'tcp[tcpflags] = (tcp-syn|tcp-ack)'

    This checks if only SYN and ACK flags are set.

• UDP:

  • UDP is simpler, with no flags. Filtering is primarily done by port.
  • Example: Capturing DNS queries (UDP port 53):

    sudo tcpdump -i eth0 udp port 53

  • Example: Capturing NTP traffic (UDP port 123):

    sudo tcpdump -i eth0 udp port 123

• ICMP:

  • ICMP messages have types and codes.

  • icmp[icmptype] can be used to filter by ICMP message type.

  • Common ICMP Types:

    • 0: Echo Reply
    • 3: Destination Unreachable
    • 8: Echo Request
    • 11: Time Exceeded

  • Example: Capturing all ICMP Echo Requests (pings):

    sudo tcpdump -i eth0 'icmp[icmptype] == 8'

  • Example: Capturing all ICMP Destination Unreachable messages:

    sudo tcpdump -i eth0 'icmp[icmptype] == 3'

    This can be useful for troubleshooting connectivity issues.

• ARP:

  • ARP is used for IP to MAC address resolution.
  • arp[6:2] can filter by ARP operation code (1 for request, 2 for reply).
  • Example: Capturing ARP requests:

    sudo tcpdump -i eth0 'arp[6:2] == 1'

• DNS (RFC 1035, RFC 2181):

  • DNS typically runs over UDP port 53, but can also use TCP port 53 for zone transfers or large responses.
  • To analyze DNS traffic effectively, you'll typically filter for UDP port 53.

    sudo tcpdump -i eth0 udp port 53

  • You can then examine the packet payloads. For example, to identify queries for a specific domain:

    # Capture DNS queries and filter for a specific domain (requires analyzing payload)
    # This is more easily done with tools that dissect DNS packets, but tcpdump can capture it.
    sudo tcpdump -i eth0 udp port 53 -w dns_capture.pcap
    # Then analyze dns_capture.pcap with Wireshark or custom scripts.

  • For advanced DNS filtering, you might need to inspect specific byte offsets within the DNS packet structure, which can be complex.

Security Implications of Protocol Filtering:

• Identifying Malicious Protocols: Filtering for unusual or unexpected protocols can be a sign of compromise.
• Tracking Command and Control (C2) Channels: Many C2 channels use common protocols (HTTP, DNS) but with specific patterns. Filtering for these and analyzing payloads is key.
• Detecting Exploits: Some exploits rely on specific protocol behaviors or malformed packets. Filtering for those specific characteristics can help. For example, if a zerosday exploit targets a specific UDP service, capturing UDP traffic to that service's port would be crucial.

5. PCAP Write and Offline Analysis

Capturing live traffic is useful, but saving it to a PCAP file allows for deeper, offline analysis, collaboration, and forensic investigation.

Writing to a PCAP File:

The -w option tells tcpdump to write the captured packets to a file instead of displaying them on the console.

# Capture traffic on eth0 and save to capture.pcap
sudo tcpdump -i eth0 -w capture.pcap

Important Options for PCAP Writing:

• -s <snaplen>: Sets the snapshot length, which is the number of bytes to capture from each packet. A value of 0 means capture the entire packet. For full packet analysis, 0 or a sufficiently large value (e.g., 65535) is recommended.

  # Capture full packets and save to capture.pcap
  sudo tcpdump -i eth0 -s 0 -w capture.pcap

• -G <seconds>: Rotates capture files every <seconds> seconds. This is useful for long-running captures to prevent single files from becoming too large. The filename will include a timestamp.

  # Rotate capture files every 600 seconds (10 minutes)
  sudo tcpdump -i eth0 -s 0 -G 600 -w capture_%Y%m%d_%H%M%S.pcap

• -C <size>: Rotate capture files when they reach <size> megabytes.

  # Rotate capture files when they reach 100MB
  sudo tcpdump -i eth0 -s 0 -C 100 -w capture.pcap

Reading from a PCAP File:

The -r option tells tcpdump to read packets from a specified PCAP file. This allows you to re-analyze captured data or apply different filters.

# Read and display packets from capture.pcap
sudo tcpdump -r capture.pcap

# Read from capture.pcap and apply a new filter (e.g., only TCP traffic)
sudo tcpdump -r capture.pcap -w filtered_tcp.pcap 'tcp'

Combining Read and Write:

You can read from one PCAP file, apply filters, and write the results to a new PCAP file. This is extremely powerful for dissecting large captures.

# Read from all_traffic.pcap, filter for HTTP (port 80), and save to http_traffic.pcap
sudo tcpdump -r all_traffic.pcap -w http_traffic.pcap 'tcp port 80'

Using PCAP Files with Wireshark:

PCAP files are the standard format for network packet captures and can be opened and analyzed in detail using graphical tools like Wireshark.

# Capture to a file, then open with Wireshark
sudo tcpdump -i eth0 -s 0 -w security_incident.pcap
# ... later ...
wireshark security_incident.pcap

Security Analysis with PCAP Files:

• Forensic Investigation: PCAP files are crucial for reconstructing events during a security incident. You can go back and examine traffic that occurred before, during, and after an event.
• Malware Analysis: By capturing network traffic generated by a suspicious file or process, you can analyze its communication patterns, identify command and control servers, and understand its behavior.
• Exploit Analysis: If you have captured traffic during an exploit attempt (e.g., a CVE-2026-5281 exploit attempt), the PCAP file allows for detailed examination of the packets sent and received, helping to understand how the exploit works.
• Vulnerability Verification: After applying a vendor patch for a CVE, you can capture traffic to verify that the vulnerable service is no longer responding to exploit attempts.
• Threat Hunting: You can analyze historical PCAP data for signs of persistent threats or unauthorized activity that might have gone unnoticed.

Example: Analyzing a Suspected Anthropic Claude Code Vulnerability:

If you suspect a vulnerability in an AI coding assistant like Anthropic Claude might be exploited, you would:

1. Set up a capture: Run tcpdump on a relevant network segment or interface that the AI assistant's communication traverses.
2. Filter for relevant protocols: Focus on HTTP/HTTPS (ports 80/443) if it's a web-based service, or other relevant protocols based on the suspected vulnerability.

   sudo tcpdump -i eth0 -s 0 -w claude_traffic.pcap 'host <claude_server_ip> or host <your_client_ip>'

3. Trigger the suspected activity: Interact with the AI assistant in a way that might trigger the vulnerability.
4. Stop the capture.
5. Analyze claude_traffic.pcap:
   • Open the file in Wireshark.
   • Look for unusual requests, responses, or data patterns.
   • If the suspected vulnerability involves code injection or data exfiltration, examine the payload of HTTP POST requests or responses.
   • Search for keywords related to potential leaks or unauthorized access.
   • This analysis could help confirm or refute an anthropic claude code vulnerability or an anthropic claude code source code leak.

6. Flow Following and State Tracking

Understanding the complete conversation between two endpoints is often more insightful than looking at individual packets. tcpdump can, to some extent, help in following network flows, especially for TCP.

TCP State Tracking:

tcpdump can display TCP state information using the -T tcp option. This helps in understanding the lifecycle of a TCP connection.

sudo tcpdump -i eth0 -T tcp

This will attempt to decode TCP headers and provide more context about the connection state.

Following TCP Streams with tcpdump (Limited):

While tcpdump doesn't have a direct "follow stream" command like Wireshark, you can achieve a similar effect by:

1. Capturing the entire TCP session: Filter for the specific source and destination IPs and ports.
2. Saving to a PCAP file.
3. Analyzing with Wireshark: Wireshark's "Follow TCP Stream" feature is the standard and most effective way to reconstruct and view the entire data payload of a TCP conversation.

Example Scenario: Analyzing a Web Server Interaction:

Let's say you want to see the full HTTP conversation between your machine and a web server.

1. Capture the traffic:

   sudo tcpdump -i eth0 -s 0 host <web_server_ip> and tcp port 80 -w web_session.pcap

   (Replace <web_server_ip> with the actual IP.)

2. Perform the web browsing actions.

3. Stop the capture.

4. Open web_session.pcap in Wireshark.

5. Right-click on any packet belonging to the desired TCP session and select "Follow" -> "TCP Stream".

This will display all the data exchanged between your client and the web server in chronological order, effectively showing the HTTP requests and responses.

Why Flow Following is Important:

• Context: Individual packets are just pieces of a puzzle. A full stream shows the complete picture of a communication.
• Application Layer Analysis: To understand what an application is actually doing, you need to see the data it's sending and receiving.
• Troubleshooting: A broken TCP stream can indicate network issues, firewall blocks, or application errors.
• Security Incident Analysis: Reconstructing the flow of data can reveal how an attacker exfiltrated information or communicated with a compromised system. For instance, if you suspect data leakage related to a CVE-2023-41974, following the relevant TCP stream might show the exfiltrated data.

Advanced Techniques (Beyond basic tcpdump):

For more sophisticated flow analysis, especially with complex protocols or when dealing with encrypted traffic, you might need to:

• Use tshark: The command-line version of Wireshark, which has more advanced dissection and filtering capabilities.
• Leverage Intrusion Detection Systems (IDS): Systems like Snort or Suricata can actively monitor traffic and alert on suspicious flows.
• Employ Network Security Monitoring (NSM) tools: Dedicated NSM platforms often provide built-in flow analysis and visualization.

Considerations for Encrypted Traffic (TLS/SSL):

When traffic is encrypted (HTTPS), tcpdump can capture the encrypted packets, but it cannot decrypt the payload without the necessary decryption keys. If you are performing security analysis on encrypted traffic, you might need to:

• Use tcpdump with TLS decryption keys (if available and permitted).
• Analyze metadata: Even without decryption, analyzing packet sizes, timing, and destination IPs can reveal patterns.
• Focus on connection setup: The TLS handshake itself can sometimes reveal information or vulnerabilities.

7. Common tcpdump Options and Flags

Here's a summary of frequently used tcpdump options:

• -i <interface>: Specify the network interface to listen on.
• -D: List available network interfaces.
• -n: Do not resolve hostnames or port numbers (show IPs and port numbers). This can speed up capture and prevent DNS lookups.
• -nn: Do not resolve hostnames, port numbers, or protocol names.
• -v, -vv, -vvv: Increase verbosity of output.
• -X: Print packet content in both hexadecimal and ASCII.
• -A: Print packet content in ASCII.
• -l: Make stdout line buffered. Useful when piping tcpdump output.
• -s <snaplen>: Set snapshot length (bytes to capture per packet). 0 for full packets.
• -w <file>: Write raw packets to a file (PCAP format).
• -r <file>: Read packets from a file.
• -c <count>: Exit after capturing <count> packets.
• -F <file>: Read filter expression from a file.
• -E <alg:keyfile>: Decrypt IPsec or SSL/TLS traffic (requires specific key setup).
• -Z <user>: Change the user tcpdump runs as after opening the capture file.

Example Combining Options:

# Capture 100 packets on eth0, don't resolve IPs/ports, save to capture.pcap, show hex/ascii
sudo tcpdump -i eth0 -c 100 -nn -w capture.pcap -X

8. Security Analysis and Troubleshooting Guide

tcpdump is a powerful tool for both proactive security analysis and reactive troubleshooting.

Security Analysis Scenarios:

• Detecting Suspicious Outbound Traffic:
  • Problem: A server is exhibiting unusual network activity.
  • tcpdump Solution:

    sudo tcpdump -i eth0 -nn -s 0 -w outbound_suspicion.pcap 'src net <server_network> and not dst net <internal_network>'

    Analyze outbound_suspicion.pcap for connections to known malicious IPs, unusual ports, or unexpected protocols. This can help identify C2 communication or data exfiltration.
• Investigating a Potential Exploit Attempt (e.g., CVE-2026-5281):
  • Problem: A system is suspected of being targeted by a specific exploit.
  • tcpdump Solution:
    • If the exploit targets a known port, filter for that port: sudo tcpdump -i eth0 -nn -s 0 port <exploit_port> -w exploit_attempt.pcap
    • If the exploit uses specific protocols or flags, incorporate those into the filter: sudo tcpdump -i eth0 -nn -s 0 'tcp[tcpflags] & (tcp-syn) != 0 and tcp port <target_port>' -w exploit_syn.pcap
    • Analyze the captured packets for malformed packets, unusual sequences, or payloads that match known exploit patterns.
• Monitoring for DNS Tunneling:
  • Problem: Data is being exfiltrated via DNS.
  • tcpdump Solution:

    sudo tcpdump -i eth0 -nn -s 0 udp port 53 -w dns_traffic.pcap

    Analyze dns_traffic.pcap in Wireshark for unusually long DNS queries or responses, or queries to suspicious domains.
• Detecting unauthorized network services:
  • Problem: A server is believed to be running an unauthorized service.
  • tcpdump Solution: Capture traffic on all ports or common unauthorized ports and analyze the destinations.

    sudo tcpdump -i eth0 -nn -s 0 -w unauthorized_ports.pcap 'tcp and not port 22 and not port 80 and not port 443'

    This would capture TCP traffic on ports other than common ones.

Troubleshooting Scenarios:

• Connectivity Issues:
  • Problem: A client cannot reach a server.
  • tcpdump Solution:
    • On the client:

      sudo tcpdump -i eth0 -nn -s 0 host <server_ip> and port <server_port> -w client_capture.pcap

      Check if SYN packets are sent, if SYN-ACKs are received, and if any ICMP errors (like Destination Unreachable) are present.
    • On the server:

      sudo tcpdump -i eth0 -nn -s 0 host <client_ip> and port <server_port> -w server_capture.pcap

      Check if SYN packets are received and if SYN-ACKs are sent.
    • On intermediate devices (if possible): Check for

This chapter is part of the "From Zero to Network Doctor" open textbook series. All examples are educational and use safe, lab-only environments.