The Tcpdump Capture

Grabbing packets off the wire from the command line.

Capturing The Raw Traffic

When higher level tools cannot explain a problem, you drop down to the packets themselves. The tcpdump tool captures packets from a network interface and prints or saves them for inspection.

Filters Keep It Manageable

A busy interface sees too much to read, so capture filters narrow the view.

  • You can filter by host to see only traffic to or from one address.
  • You can filter by port to focus on one service such as port 443.
  • You can combine terms with "and" and "or" to be precise, and group them with parentheses when mixing the two.

These capture filters run in the kernel, so unwanted packets are dropped before they reach you.

Saving For Later

Printing to the screen is fine for a quick look, but you usually write packets to a capture file. That file can be reopened later or moved to a graphical analyzer. Capturing on the right interface and applying a tight filter keeps the file small and the signal high.
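As an added example (not part of the original lesson), the following POSIX shell script ties the two sections together: it composes the host and port capture filters from the list above, builds the tcpdump command that writes matches to a capture file with -w and the command that reopens it with -r, and adds a small check that a file really is a capture file before handing it to an analyzer. The interface name eth0, the host 192.0.2.10 and the file name web.pcap are constructed sample values; the script never needs root because it only runs tcpdump when you choose to execute the printed commands.

```shell
#!/bin/sh
# Added example, not from the lesson: build tcpdump capture filters,
# the save/reopen commands, and a sanity check for capture files.

# Filter for traffic to or from HOST on PORT, joined with "and".
# Usage: host_and_port_filter HOST PORT
host_and_port_filter() {
    printf 'host %s and port %s' "$1" "$2"
}

# Filter matching either of two ports, joined with "or". The parentheses
# keep the group together when it is later combined with "and".
# Usage: either_port_filter PORT1 PORT2
either_port_filter() {
    printf '(port %s or port %s)' "$1" "$2"
}

# Command that captures packets matching FILTER on IFACE into FILE.
# -i selects the interface, -nn turns off name and port resolution,
# -w writes raw packets to the file instead of printing them.
# Usage: capture_command IFACE FILE FILTER
capture_command() {
    printf "tcpdump -i %s -nn -w %s '%s'" "$1" "$2" "$3"
}

# Command that reopens a saved capture file and prints its packets.
# Usage: read_command FILE
read_command() {
    printf 'tcpdump -nn -r %s' "$1"
}

# Return 0 if FILE starts with a pcap or pcapng magic number, 1 otherwise.
# Little- and big-endian pcap (microsecond and nanosecond variants) and
# the pcapng block type are accepted. Useful before moving a file to a
# graphical analyzer or archiving it.
# Usage: is_pcap FILE
is_pcap() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \t\n')
    case "$magic" in
        d4c3b2a1|a1b2c3d4|4d3cb2a1|a1b23c4d|0a0d0d0a) return 0 ;;
        *) return 1 ;;
    esac
}

# Sample run with constructed values: one host on 443, and a second
# filter for the same host on either 80 or 443.
FILTER=$(host_and_port_filter 192.0.2.10 443)
WIDE_FILTER="host 192.0.2.10 and $(either_port_filter 80 443)"
echo "Capture:  $(capture_command eth0 web.pcap "$FILTER")"
echo "Wider:    $(capture_command eth0 web.pcap "$WIDE_FILTER")"
echo "Reopen:   $(read_command web.pcap)"
if [ -f web.pcap ]; then
    is_pcap web.pcap && echo "web.pcap looks like a capture file"
fi
```

The filter functions only build the expression string; tcpdump compiles it into a kernel filter when the printed capture command is actually run, so a typo in the expression shows up as a syntax error at that point rather than as an empty capture.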

Key idea

Tcpdump captures packets from an interface and uses kernel capture filters by host and port to keep the view focused, and writing matches to a capture file lets you reopen or analyze them later.

Check yourself

1. Why use a capture filter with tcpdump?

2. What is the benefit of saving packets to a capture file?