N10-009 · Chapter 160 of 163 · Objective 5.6

tcpdump Packet Analysis

tcpdump is a command-line packet analyzer that captures and displays network traffic in real time. It is an essential tool for network troubleshooting, security analysis, and protocol debugging. On the CompTIA Network+ N10-009 exam, packet analysis tools like tcpdump appear in Domain 5.0 (Network Troubleshooting) under Objective 5.6, which covers using appropriate tools to troubleshoot network issues. While not a major percentage of the exam (estimated 5-10% of troubleshooting questions), understanding tcpdump syntax and output is critical for scenario-based questions where you must interpret packet captures to identify problems like duplicate IP addresses, ARP spoofing, or slow performance.

25 min read
Intermediate
Updated May 31, 2026

tcpdump: Network Audio Recorder

Imagine you are a security guard in a large office building with many phone lines. Your job is to listen in on specific calls to monitor for suspicious activity, but you cannot listen to all calls at once—you can only tap into one line at a time. You have a special device that can record the audio of any call you select. You can choose to record only calls to a certain phone number, or only calls lasting more than five minutes, or only calls that mention a specific keyword. The device shows you a live transcript of each call as it happens, but it does not interpret the conversation for you—it just shows the raw words spoken. To analyze the transcript later, you might use a separate tool to search for patterns or reconstruct the conversation. Similarly, tcpdump captures raw network packets on a selected interface, applying filters to narrow down traffic, and displays the packet headers and payload in a human-readable format. It does not perform deep analysis itself; that is left to tools like Wireshark. The key is that tcpdump gives you the raw data you need to troubleshoot network issues, just as the audio recorder gives you the raw conversation to review for security incidents.

How It Actually Works

What is tcpdump?

tcpdump is a powerful command-line network packet analyzer originally developed at Lawrence Berkeley National Laboratory. It runs on Unix-like operating systems (Linux, macOS, BSD) and uses the libpcap library to capture raw network frames from a network interface. It can display packet headers and payload in various formats, apply BPF (Berkeley Packet Filter) expressions to filter traffic, and write captures to a file for later analysis with tools like Wireshark or tcpdump -r.

Why tcpdump Exists

Unlike GUI tools like Wireshark, tcpdump is lightweight, scriptable, and works on headless servers or over SSH sessions. It is often the only packet capture tool available on remote routers, firewalls, or embedded systems. Network engineers use it to:

Verify that packets are being sent/received correctly

Identify protocol errors (e.g., TCP retransmissions, duplicate ACKs)

Troubleshoot connectivity issues (e.g., ARP failures, ICMP unreachables)

Investigate security incidents (e.g., suspicious traffic patterns)

How tcpdump Works Internally

When you run tcpdump -i eth0, the following happens:

1. Interface Selection: tcpdump opens the specified network interface in promiscuous mode by default, allowing it to capture all packets on the network segment, not just those addressed to the host.

2. Buffer Allocation: libpcap allocates a kernel buffer (default size 2 MB on Linux) to store captured packets before they are copied to user space. This prevents packet loss during bursts.

3. Packet Capture: The network interface driver copies each received frame into the kernel buffer. libpcap reads from this buffer in chunks.

4. Filtering: If a BPF filter is specified (e.g., tcp port 80), each packet is evaluated against the filter. Only matching packets are passed to user space.

5. Timestamping: Each captured packet is timestamped with microsecond resolution (or nanosecond on newer systems) using the system clock.

6. Output Formatting: tcpdump formats the packet headers according to the protocol (Ethernet, IP, TCP, UDP, etc.) and prints them to stdout or writes raw packets to a file.

Key Components and Defaults

Interface: -i any captures from all interfaces; -i eth0 captures from a specific interface.

Promiscuous Mode: Enabled by default; disable with -p.

Packet Count: -c 10 stops after capturing 10 packets.

Verbosity: -v, -vv, -vvv increase verbosity (more protocol details).

Timestamp: -tttt prints human-readable timestamps with date; -tt prints Unix epoch.

Output File: -w file.pcap writes raw packets to a pcap file (binary).

Read File: -r file.pcap reads packets from a pcap file.

No Resolution: -n suppresses DNS resolution; -nn suppresses protocol and port name resolution.

Buffer Size: -B 4096 sets the kernel buffer size to 4096 KB (4 MB).

Berkeley Packet Filter (BPF) Expressions

BPF is the filtering language used by tcpdump. Filters are composed of primitives combined with and, or, not. Common primitives:

host 192.168.1.1 – match packets with that IP as source or destination.

src 10.0.0.1 – match packets with that source IP.

dst port 80 – match packets with destination port 80.

tcp – match TCP packets.

udp – match UDP packets.

icmp – match ICMP packets.

arp – match ARP packets.

vlan – match VLAN-tagged packets.

ether host aa:bb:cc:dd:ee:ff – match packets with that MAC address.

Examples:

tcpdump -i eth0 host 10.0.0.1 and tcp port 443 – captures HTTPS traffic to/from a specific host.

tcpdump -i any icmp – captures all ICMP packets (ping).

tcpdump -i eth0 not arp – excludes ARP traffic.

Common Command Examples

Basic capture: tcpdump -i eth0

Capture with count limit: tcpdump -i eth0 -c 100

Save to file: tcpdump -i eth0 -w capture.pcap

Read from file: tcpdump -r capture.pcap

Filter by port: tcpdump -i eth0 port 22 (SSH)

Filter by protocol and host: tcpdump -i eth0 tcp and host 192.168.1.1

Display hex and ASCII: tcpdump -i eth0 -X (useful for inspecting payload)

Suppress name resolution: tcpdump -i eth0 -nn

Interpreting tcpdump Output

A typical tcpdump output line for a TCP packet looks like:

12:34:56.789012 IP 192.168.1.100.54321 > 10.0.0.1.80: Flags [S], seq 1234567890, win 65535, options [mss 1460], length 0

Timestamp: 12:34:56.789012 – time of capture.

Protocol: IP – layer 3 protocol (can be ARP, ICMP, IP6, etc.).

Source/Destination: 192.168.1.100.54321 > 10.0.0.1.80 – source IP.port > destination IP.port.

Flags: [S] – TCP flags: S=SYN, F=FIN, P=PSH, R=RST, .=ACK (e.g., [S.] is SYN-ACK).

Sequence Number: seq 1234567890 – initial sequence number.

Window Size: win 65535 – receiver window size (bytes).

Options: [mss 1460] – TCP options like Maximum Segment Size.

Length: length 0 – payload length (0 for SYN packets).

For UDP:

12:34:56.789012 IP 192.168.1.100.12345 > 10.0.0.1.53: 12345+ A? example.com. (30)

12345+ – DNS transaction ID with + indicating recursion desired.

A? example.com. – DNS query type A for example.com.

(30) – UDP payload length.

Interaction with Related Technologies

tcpdump works at the packet level and can capture any protocol that runs over Ethernet, Wi-Fi, or other link layers. It is often used in conjunction with:

Wireshark: for GUI-based analysis of pcap files.

tcpreplay: to replay captured packets.

iptables: to log packets before/after firewall rules.

netstat: to verify listening ports.

ping/traceroute: to generate test traffic for capture.

Performance Considerations

High traffic volumes can cause packet drops if the kernel buffer is too small. Increase buffer with -B or adjust net.core.rmem_default sysctl.

Writing to a file (-w) is more efficient than printing to screen.

Use filters to reduce captured traffic; capturing everything on a busy link may overwhelm the system.

Walk-Through

1. Identify Capture Interface

Determine which network interface to capture on. Use `ip link show` or `ifconfig -a` to list interfaces (e.g., eth0, ens33, wlan0). For capturing all interfaces, use `-i any`. On the exam, you may be given a scenario where you need to capture traffic on a specific VLAN interface (e.g., eth0.10). Remember that tcpdump requires root privileges to capture in promiscuous mode; use `sudo tcpdump` or run as root.

2. Define Capture Filter

Apply a BPF filter to reduce noise and focus on relevant traffic. Example: `tcpdump -i eth0 host 10.0.0.1 and tcp port 80`. Filters are evaluated in kernel space, so only matching packets are copied to user space. Common filters for troubleshooting: `icmp` for ping issues, `arp` for duplicate IPs, `tcp port 22` for SSH connectivity. On the exam, you might need to select the correct filter to capture specific traffic (e.g., DNS queries: `udp port 53`).

3. Capture Packets to File

Use `-w capture.pcap` to write raw packets to a pcap file. This is essential for later analysis or for capturing traffic on a busy network where screen output would be too slow. The file can be transferred to a workstation and opened in Wireshark. Use `-C 10` to rotate files after 10 MB or `-G 3600` to rotate every hour. On the exam, you may be asked how to save a capture for offline analysis.

4. Analyze Capture Output

Read the capture file with `tcpdump -r capture.pcap -nn` to display packets without name resolution. Look for anomalies: TCP retransmissions (same sequence number with different timestamps), duplicate ACKs, ARP requests with no replies, or ICMP unreachables. Use `-v` for verbose output showing TTL, tos, and checksums. On the exam, you may be shown a tcpdump output and asked to identify the problem (e.g., a SYN flood, a misconfigured firewall blocking SYN-ACKs).

5. Interpret Specific Packets

Focus on packet flags and fields. For TCP: SYN (S) indicates connection initiation; SYN-ACK ([S.]) indicates server acceptance; RST (R) indicates connection reset. For ARP: 'ARP, Request who-has 192.168.1.1 tell 192.168.1.100' indicates a host looking for a MAC address. A missing ARP reply suggests the target is unreachable or the IP is unused. On the exam, you may need to determine if a TCP handshake completed or if a firewall is dropping packets (e.g., SYN sent but no SYN-ACK received).
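As an added illustration (not code from the original chapter), here is a small Python parser for the default `tcpdump -nn` TCP line format shown in "Interpreting tcpdump Output", together with the checks step 4 and step 5 ask you to make by eye: did the three-way handshake complete, did the server reset, or did the SYN go unanswered (the firewall-drop signature), and how many retransmissions (same sequence number, later timestamp) are in the capture. The sample lines are constructed to look like tcpdump output rather than taken from a real capture; the regex assumes tcpdump's default `HH:MM:SS.ffffff` timestamp (not `-tttt`) and IPv4 addresses.

```python
import re
from collections import namedtuple

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# The line tcpdump -nn prints for a TCP segment with its default HH:MM:SS.ffffff timestamp, e.g.
# 12:34:56.789012 IP 192.168.1.100.54321 > 10.0.0.1.80: Flags [S], seq 1234567890, win 65535, ...
TCP_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>" + IPV4 + r")\.(?P<sport>\d+) > (?P<dst>" + IPV4 + r")\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\](?:, seq (?P<seq>\d+(?::\d+)?))?"
)
# tcpdump's one-letter flag codes; '.' is ACK, so "[S.]" is SYN-ACK and "[.]" a bare ACK
FLAG_CODES = {"S": "SYN", "F": "FIN", "P": "PSH", "R": "RST", ".": "ACK",
              "U": "URG", "E": "ECE", "W": "CWR"}
# seq is None on bare ACKs and "first:last" on segments that carry data
Segment = namedtuple("Segment", "ts src sport dst dport flags seq")


def parse_tcp_line(line):
    """Parse one tcpdump TCP line; None for ARP/ICMP/DNS or otherwise unparsable lines."""
    m = TCP_LINE.match(line)
    if not m:
        return None
    flags = frozenset(FLAG_CODES[c] for c in m["flags"] if c in FLAG_CODES)
    return Segment(m["ts"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                   flags, m["seq"])


def handshake_state(lines, client, server, port):
    """Classify the client -> server:port handshake. Returns (state, syn_count), where
    syn_count > 1 means the client retransmitted its SYN, and state is one of:
    'complete' (SYN, SYN-ACK and ACK all seen), 'no-client-ack' (SYN-ACK never ACKed),
    'reset' (server answered RST: closed port), 'no-syn-ack' (SYNs sent, nothing back:
    typical of a firewall silently dropping the SYN or the SYN-ACK), 'no-syn'."""
    syn_count = 0
    saw_synack = saw_ack = saw_rst = False
    for line in lines:
        seg = parse_tcp_line(line)
        if seg is None:
            continue
        c2s = seg.src == client and seg.dst == server and seg.dport == port
        s2c = seg.src == server and seg.sport == port and seg.dst == client
        if c2s and seg.flags == {"SYN"}:
            syn_count += 1
        elif s2c and seg.flags == {"SYN", "ACK"}:
            saw_synack = True
        elif s2c and "RST" in seg.flags:
            saw_rst = True
        elif c2s and seg.flags == {"ACK"} and saw_synack:
            saw_ack = True
    if syn_count == 0:
        return "no-syn", 0
    if saw_synack:
        return ("complete" if saw_ack else "no-client-ack"), syn_count
    return ("reset" if saw_rst else "no-syn-ack"), syn_count


def count_retransmissions(lines):
    """Count segments that repeat an already-seen (flow, seq) pair: the 'same sequence
    number at a later timestamp' signature of a retransmission."""
    seen, repeats = set(), 0
    for line in lines:
        seg = parse_tcp_line(line)
        if seg is None or seg.seq is None:
            continue
        key = (seg.src, seg.sport, seg.dst, seg.dport, seg.seq)
        if key in seen:
            repeats += 1
        seen.add(key)
    return repeats


# Constructed sample lines (not a real capture), in the format tcpdump -nn prints.
HANDSHAKE_OK = [
    "12:34:56.789012 IP 192.168.1.100.54321 > 10.0.0.1.80: Flags [S], seq 1234567890, win 65535, options [mss 1460], length 0",
    "12:34:56.789410 IP 10.0.0.1.80 > 192.168.1.100.54321: Flags [S.], seq 2468013579, ack 1234567891, win 65160, options [mss 1460], length 0",
    "12:34:56.789602 IP 192.168.1.100.54321 > 10.0.0.1.80: Flags [.], ack 1, win 65535, length 0",
]
SYN_DROPPED = [  # the same SYN three times and nothing back: what a silent drop looks like
    "12:35:00.000000 IP 192.168.1.100.54322 > 10.0.0.1.443: Flags [S], seq 1111111111, win 65535, options [mss 1460], length 0",
    "12:35:01.010000 IP 192.168.1.100.54322 > 10.0.0.1.443: Flags [S], seq 1111111111, win 65535, options [mss 1460], length 0",
    "12:35:03.030000 IP 192.168.1.100.54322 > 10.0.0.1.443: Flags [S], seq 1111111111, win 65535, options [mss 1460], length 0",
]
PORT_REFUSED = [  # the host is reachable but nothing listens on 8080
    "12:36:00.000000 IP 192.168.1.100.54323 > 10.0.0.1.8080: Flags [S], seq 2222222222, win 65535, options [mss 1460], length 0",
    "12:36:00.000300 IP 10.0.0.1.8080 > 192.168.1.100.54323: Flags [R.], seq 0, ack 2222222223, win 0, length 0",
]

if __name__ == "__main__":
    for name, lines, port in (("ok", HANDSHAKE_OK, 80), ("dropped", SYN_DROPPED, 443),
                              ("refused", PORT_REFUSED, 8080)):
        state, syns = handshake_state(lines, "192.168.1.100", "10.0.0.1", port)
        print(f"{name:8} state={state:14} syn_count={syns} "
              f"retransmissions={count_retransmissions(lines)}")
```

To use it on a real file, feed it the lines of `tcpdump -nn -r capture.pcap` (the `-nn` matters: with name resolution on, the address fields would contain hostnames and the regex would not match). The "no-syn-ack" result with a syn_count above 1 is exactly the "SYN sent but no SYN-ACK received" pattern step 5 describes.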

What This Looks Like on the Job

Scenario 1: Troubleshooting Web Server Latency

A web application is experiencing slow page loads. The network engineer runs tcpdump on the web server to capture HTTP traffic:

sudo tcpdump -i eth0 -nn -c 1000 -w http_capture.pcap port 80

After analyzing the capture in Wireshark, they notice many TCP retransmissions and duplicate ACKs, indicating packet loss. Further investigation reveals a misconfigured switch port with speed/duplex mismatch. The engineer resolves it by setting both ends to auto-negotiation. In production, tcpdump is often the first tool used to confirm whether the problem is network-related (packet loss) or application-related (slow server response).

Scenario 2: Detecting ARP Spoofing

A security analyst suspects a man-in-the-middle attack on the local network. They capture ARP traffic on an access switch:

sudo tcpdump -i eth0 -nn -e arp

The -e flag prints MAC addresses. They see two different MAC addresses replying to ARP requests for the same IP (the gateway). This indicates ARP spoofing. The analyst then uses static ARP entries or implements Dynamic ARP Inspection (DAI) on the switch. In enterprise networks, tcpdump is invaluable for identifying layer 2 attacks that bypass higher-layer security controls.
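Added example, not part of the original chapter: the check the analyst performs by eye in Scenario 2, done in Python over constructed `tcpdump -nn -e arp` lines. The line layout follows what tcpdump prints on Ethernet with `-e` (source MAC > destination MAC, the ethertype, then the ARP text); every MAC and IP value is made up for the example. Besides the "two MACs answering for one IP" signature, it flags replies whose ARP sender MAC does not match the frame's Ethernet source MAC, and lists `who-has` requests that never got an `is-at` reply (the unanswered-ARP case from walk-through step 5).

```python
import re
from collections import defaultdict

# Lines tcpdump prints for ARP when run with -nn -e (Ethernet header shown), e.g.
# 12:00:01.000400 00:11:22:33:44:55 > aa:bb:cc:dd:ee:01, ethertype ARP (0x0806), length 42: Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28
ARP_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<eth_src>[0-9a-f:]{17}) > (?P<eth_dst>[0-9a-f:]{17}), "
    r"ethertype ARP \(0x0806\), length \d+: "
    r"(?:Request who-has (?P<target>[\d.]+)(?: \([0-9a-f:]{17}\))? tell (?P<sender>[\d.]+)"
    r"|Reply (?P<ip>[\d.]+) is-at (?P<mac>[0-9a-f:]{17}))"
)


def parse_arp_lines(lines):
    """Yield one dict per ARP line; non-ARP lines (or captures made without -e) are skipped."""
    for line in lines:
        m = ARP_LINE.match(line)
        if not m:
            continue
        if m["ip"]:
            yield {"ts": m["ts"], "eth_src": m["eth_src"], "kind": "reply",
                   "ip": m["ip"], "mac": m["mac"]}
        else:
            yield {"ts": m["ts"], "eth_src": m["eth_src"], "kind": "request",
                   "target": m["target"], "sender": m["sender"]}


def reply_conflicts(lines):
    """IPs claimed by more than one MAC in ARP replies -> {ip: sorted MACs}.
    Two MACs answering for the gateway is the spoofing signature in Scenario 2."""
    claims = defaultdict(set)
    for rec in parse_arp_lines(lines):
        if rec["kind"] == "reply":
            claims[rec["ip"]].add(rec["mac"])
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


def header_mismatches(lines):
    """Replies whose ARP sender MAC differs from the Ethernet source MAC; a host
    answering for itself normally fills both fields with its own address."""
    return [(r["ip"], r["mac"], r["eth_src"]) for r in parse_arp_lines(lines)
            if r["kind"] == "reply" and r["mac"] != r["eth_src"]]


def unanswered_requests(lines):
    """Target IPs asked for by who-has that never appear in an is-at reply: the host is
    down, the IP is unused, or the reply did not pass the capture point."""
    asked, answered = set(), set()
    for rec in parse_arp_lines(lines):
        if rec["kind"] == "request":
            asked.add(rec["target"])
        else:
            answered.add(rec["ip"])
    return asked - answered


# Constructed sample capture (made-up addresses) in tcpdump -nn -e format
ARP_SAMPLE = [
    "12:00:01.000100 aa:bb:cc:dd:ee:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.1 tell 192.168.1.100, length 28",
    "12:00:01.000400 00:11:22:33:44:55 > aa:bb:cc:dd:ee:01, ethertype ARP (0x0806), length 42: Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28",
    "12:00:01.000900 de:ad:be:ef:00:01 > aa:bb:cc:dd:ee:01, ethertype ARP (0x0806), length 42: Reply 192.168.1.1 is-at de:ad:be:ef:00:01, length 28",
    "12:00:02.000100 aa:bb:cc:dd:ee:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.77 tell 192.168.1.100, length 28",
    "12:00:03.000100 aa:bb:cc:dd:ee:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.77 tell 192.168.1.100, length 28",
    "12:00:04.000100 aa:bb:cc:dd:ee:02 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.50 tell 192.168.1.101, length 28",
    "12:00:04.000300 aa:bb:cc:dd:ee:50 > aa:bb:cc:dd:ee:02, ethertype ARP (0x0806), length 42: Reply 192.168.1.50 is-at aa:bb:cc:dd:ee:50, length 28",
    "12:00:05.000100 de:ad:be:ef:00:01 > aa:bb:cc:dd:ee:02, ethertype ARP (0x0806), length 42: Reply 192.168.1.50 is-at aa:bb:cc:dd:ee:50, length 28",
]

if __name__ == "__main__":
    print("IPs claimed by several MACs:", reply_conflicts(ARP_SAMPLE))
    print("frame/ARP MAC mismatches:   ", header_mismatches(ARP_SAMPLE))
    print("who-has with no reply:      ", sorted(unanswered_requests(ARP_SAMPLE)))
```

A conflict on the gateway IP is only evidence, not proof: a legitimate HSRP/VRRP failover or a replaced NIC also changes the MAC behind an IP, so confirm against the switch's MAC table or DHCP records before acting, which is where the static entries or DAI from the scenario come in.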

Scenario 3: Validating Firewall Rules

After deploying a new firewall rule to block outbound DNS queries to external servers, the network team needs to verify it works. They capture traffic on the internal interface:

sudo tcpdump -i eth0 -nn udp port 53 and not src net 10.0.0.0/8

If any packets matching the filter appear, the rule is not blocking correctly. They also confirm that legitimate internal DNS traffic (to internal DNS servers) is still allowed. tcpdump is commonly used for firewall rule validation because it shows exactly which packets are traversing the interface, regardless of what the firewall log claims.
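Added example, not from the chapter: a Python model of the BPF primitives from the "Berkeley Packet Filter (BPF) Expressions" section (host, port, tcp/udp, net, and/or/not), applied to constructed `tcpdump -nn` lines with Scenario 3's `udp port 53 and not src net 10.0.0.0/8` as the filter. It shows concretely which packets that expression selects (DNS packets whose source lies outside 10.0.0.0/8, i.e. answers arriving from an external resolver) and, for comparison, a `not dst net` variant that selects the outbound query itself; either match means the block is not in effect. The protocol detection is a simplification of this example: a line with a `Flags [...]` field is treated as TCP and any other port-bearing line as UDP.

```python
import ipaddress
import re

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# The "IP src.sport > dst.dport: rest" prefix tcpdump -nn prints for TCP and UDP packets
IP_LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>" + IPV4 + r")\.(?P<sport>\d+) > "
    r"(?P<dst>" + IPV4 + r")\.(?P<dport>\d+): (?P<rest>.*)$"
)


def parse_ip_line(line):
    """Return {src, sport, dst, dport, proto} or None for lines without ports (ICMP, ARP)."""
    m = IP_LINE.match(line)
    if not m:
        return None
    # Simplification for this example: TCP lines always carry "Flags [...]", UDP lines never do
    proto = "tcp" if m["rest"].startswith("Flags [") else "udp"
    return {"src": m["src"], "sport": int(m["sport"]), "dst": m["dst"],
            "dport": int(m["dport"]), "proto": proto}


# Each primitive returns a predicate over a parsed packet, mirroring the tcpdump keyword
def host(ip):
    return lambda p: ip in (p["src"], p["dst"])      # host X: source OR destination

def port(n):
    return lambda p: n in (p["sport"], p["dport"])   # port N: either side

def dst_port(n):
    return lambda p: p["dport"] == n

def proto(name):
    return lambda p: p["proto"] == name              # tcp / udp

def src_net(cidr):
    net = ipaddress.ip_network(cidr)
    return lambda p: ipaddress.ip_address(p["src"]) in net

def dst_net(cidr):
    net = ipaddress.ip_network(cidr)
    return lambda p: ipaddress.ip_address(p["dst"]) in net

def not_(f):
    return lambda p: not f(p)

def and_(*fs):
    return lambda p: all(f(p) for f in fs)

def or_(*fs):
    return lambda p: any(f(p) for f in fs)


def select(lines, predicate):
    """Return the lines whose parsed packet satisfies the predicate; lines that do not
    parse are skipped, as a BPF filter never matches what it cannot decode."""
    return [ln for ln in lines if (p := parse_ip_line(ln)) is not None and predicate(p)]


# Constructed sample lines (documentation-range addresses, not a real capture)
DNS_SAMPLE = [
    # internal client -> internal resolver: must still be allowed after the rule
    "09:00:00.000100 IP 10.0.0.5.41000 > 10.0.0.53.53: 4321+ A? intranet.example. (34)",
    "09:00:00.000600 IP 10.0.0.53.53 > 10.0.0.5.41000: 4321 1/0/0 A 10.0.0.80 (50)",
    # internal client -> external resolver: the new rule is meant to block this
    "09:00:01.000100 IP 10.0.0.6.41001 > 198.51.100.53.53: 9999+ A? example.com. (30)",
    "09:00:01.020100 IP 198.51.100.53.53 > 10.0.0.6.41001: 9999 1/0/0 A 203.0.113.80 (46)",
    # unrelated inbound HTTPS SYN, present to show the udp primitive excluding TCP
    "09:00:02.000100 IP 203.0.113.9.50000 > 10.0.0.80.443: Flags [S], seq 1, win 64240, length 0",
]

# Scenario 3's filter as written: udp port 53 and not src net 10.0.0.0/8
SCENARIO_FILTER = and_(proto("udp"), port(53), not_(src_net("10.0.0.0/8")))
# Variant that catches the outgoing query rather than the returning answer
OUTBOUND_QUERY_FILTER = and_(proto("udp"), dst_port(53), not_(dst_net("10.0.0.0/8")))

if __name__ == "__main__":
    print("matches 'udp port 53 and not src net 10.0.0.0/8':")
    for ln in select(DNS_SAMPLE, SCENARIO_FILTER):
        print("  ", ln)
    print("matches 'udp dst port 53 and not dst net 10.0.0.0/8':")
    for ln in select(DNS_SAMPLE, OUTBOUND_QUERY_FILTER):
        print("  ", ln)
```

The point of modelling the primitives is the direction semantics the exam probes: plain `host` and `port` match either end of the packet, while `src`/`dst` qualifiers pin one end, so a filter built on `not src net` sees the reply leg of a blocked conversation and one built on `not dst net` sees the request leg.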

Common Pitfalls

Interface overload: Capturing on a busy interface without a filter can cause packet drops or system slowdown. Always use filters and increase buffer size (-B 4096) in production.

File permissions: tcpdump output files require root to write; use sudo or set group permissions.

Time synchronization: Timestamps are based on the local system clock; if the clock is skewed, packet timing analysis becomes unreliable. Use NTP to synchronize.

How N10-009 Actually Tests This

What N10-009 Tests

Objective 5.6: 'Given a scenario, use appropriate network troubleshooting tools.' tcpdump falls under the category of 'protocol analyzers.' Exam questions may ask you to:

Choose the correct tcpdump command to capture specific traffic (e.g., HTTP traffic from a specific host).

Interpret a tcpdump output snippet to identify a network issue (e.g., duplicate IP, ARP spoofing, TCP retransmission).

Select the appropriate filter expression for a given scenario.

Understand the difference between capturing live traffic (-i) and reading a file (-r).

Common Wrong Answers and Why

1. 'Use tcpdump -i eth0 port 80 and host 192.168.1.1' without `-nn`: While technically correct, the exam may test if you know that -nn suppresses name resolution to speed up capture and avoid DNS lookups. However, not including it is not necessarily wrong—it just produces more verbose output. The real trap is forgetting -i or using wrong syntax (e.g., and vs &&).

2. 'tcpdump -r capture.pcap -w output.pcap': This reads from a file and writes to another file simultaneously. This is valid but rarely tested. Candidates often think -r and -w are mutually exclusive, but they can be combined to filter an existing capture.

3. 'Capturing on eth0 gives you all traffic on the switch': Promiscuous mode captures all traffic on the network segment, but on a switched network, it only sees broadcast/multicast and traffic destined to or from the host unless port mirroring (SPAN) is configured. The exam may test this nuance.

4. 'tcpdump can decode application-layer protocols like HTTP': tcpdump shows raw payload in hex/ASCII but does not decode application-layer data. For full decoding, use Wireshark or tcpdump with -A (ASCII) or -X (hex+ASCII). The exam expects you to know that tcpdump is a packet capture tool, not a protocol analyzer like Wireshark.

Specific Numbers and Values

Default buffer size: 2 MB (or 4 MB with -B 4096).

Default snapshot length: 262144 bytes (max packet size).

Timestamp resolution: microsecond (default), nanosecond with -j.

BPF filter limit: typically 4096 bytes of filter program.

Edge Cases and Exceptions

VLAN tags: tcpdump by default strips VLAN tags; use -e to show the VLAN header. The exam may ask how to see VLAN IDs in captures.

IPv6: tcpdump filters work with IPv6 addresses (e.g., ip6 instead of ip).

Capture length: Use -s 0 to capture entire packet (default), or -s 64 to capture only headers (reduces file size).

Non-promiscuous mode: -p disables promiscuous mode; useful on wireless interfaces where promiscuous mode may not work.

How to Eliminate Wrong Answers

1. Identify the exact traffic you need to capture (host, port, protocol).

2. Check if the command uses -i for interface and -w for file if saving.

3. Ensure filters are syntactically correct (e.g., host 10.0.0.1 not host=10.0.0.1).

4. For output interpretation, look for flags: missing SYN-ACK means firewall block; multiple SYN from same host means scanning; ARP who-has with no reply means IP not in use.

5. Remember that tcpdump resolves names unless -n is given; if the question shows raw IPs, it is likely using -nn.

Key Takeaways

tcpdump is a command-line packet capture tool that uses libpcap and supports BPF filters.

Use -i to specify interface, -w to write pcap file, -r to read pcap file.

Common filters: host, port, tcp, udp, icmp, arp; combine with and/or/not.

Promiscuous mode is default; use -p to disable.

Use -nn to suppress name resolution for faster output.

Output shows timestamps, protocol, source/destination IP:port, flags, sequence numbers.

TCP flags: S (SYN), S. (SYN-ACK), R (RST), F (FIN), P (PSH), . (ACK).

tcpdump does not decode application-layer protocols; use Wireshark for that.

Capture to file (-w) is more efficient than screen output for busy networks.

On switched networks, tcpdump only sees local traffic unless port mirroring is used.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

tcpdump

Command-line tool, lightweight, works over SSH

Uses libpcap for capture

Output is text-based packet headers

Filters are BPF expressions

Best for quick troubleshooting and scripting

Wireshark

GUI tool, requires display or X11 forwarding

Uses libpcap or WinPcap for capture

Provides graphical packet dissection and color coding

Filters use display filter syntax (e.g., http.request)

Best for deep protocol analysis and forensics

Watch Out for These

Mistake

tcpdump can only capture packets on the local machine.

Correct

tcpdump captures packets visible to the network interface. On a switched network, it only sees broadcast, multicast, and traffic to/from the host unless port mirroring is configured. On a hub or with wireless monitor mode, it can capture all traffic on the segment.

Mistake

tcpdump -i any captures all traffic on all interfaces, including loopback.

Correct

Yes, `-i any` captures from all interfaces, including loopback. However, it does not capture on virtual interfaces like VLAN subinterfaces separately; they are included via the physical interface.

Mistake

The -w option writes human-readable output to a file.

Correct

`-w` writes binary pcap format, not text. To save human-readable output, redirect stdout: `tcpdump -i eth0 > output.txt` (but this loses packet structure). For text with timestamps, use `-w` and later `-r` with `-v`.

Mistake

tcpdump filters are case-sensitive.

Correct

BPF keywords (host, port, tcp, etc.) are case-insensitive. However, protocol names like 'icmp' must be lowercase in some versions. It's safest to use lowercase.

Mistake

tcpdump can analyze HTTP request and response content.

Correct

tcpdump displays raw payload in hex/ASCII but does not parse HTTP headers or bodies. For application-layer analysis, use Wireshark or tcpdump with `-A` to show ASCII payload, but it still won't decode the protocol.


Frequently Asked Questions

How do I capture all traffic on a specific port with tcpdump?

Use the port filter: `tcpdump -i eth0 port 80`. To capture both source and destination port, just use `port 80`. If you need only one direction, use `src port 80` or `dst port 80`. For multiple ports, use `port 80 or port 443`. Remember to use `-nn` to avoid DNS lookups.

How do I read a pcap file with tcpdump?

Use `tcpdump -r file.pcap`. You can apply filters just like live capture: `tcpdump -r file.pcap host 10.0.0.1`. Add `-nn` for no name resolution, `-v` for verbose, or `-X` for hex and ASCII output.

What does 'Flags [S.]' mean in tcpdump output?

Flags [S.] indicates a TCP SYN-ACK packet, which is the second step of the three-way handshake. The 'S' stands for SYN, and the '.' stands for ACK. This means the server is acknowledging the client's SYN and sending its own SYN.

How can I capture only HTTP traffic from a specific IP?

Use a combined filter: `tcpdump -i eth0 host 192.168.1.100 and tcp port 80`. This captures packets where the source or destination IP is 192.168.1.100 and the port is 80 (HTTP). For only source or destination, use `src host` or `dst host`.

Why is tcpdump not capturing any packets?

Common reasons: (1) You don't have root privileges – run with sudo. (2) The interface is down – check with `ip link`. (3) The filter is too restrictive – try without filter. (4) You are on a switched network and only see local traffic – use port mirroring. (5) The interface is not in promiscuous mode – add `-p` to check.

How do I capture packets with a specific TCP flag?

tcpdump does not have a direct filter for TCP flags, but you can use the 'tcp[tcpflags]' expression. For example, to capture only SYN packets: `tcpdump 'tcp[tcpflags] & tcp-syn != 0'`. To capture RST packets: `tcpdump 'tcp[tcpflags] & tcp-rst != 0'`.

What is the difference between -w and -r in tcpdump?

`-w` writes captured packets to a file in pcap format (binary). `-r` reads packets from a pcap file and displays them. You can combine them: `tcpdump -r in.pcap -w out.pcap` to filter an existing capture.
