How to use tcpdump to do a packet capture

Article ID: 160514

Products: Data Loss Prevention Network Monitor, Data Loss Prevention Enforce, Data Loss Prevention Network Protect

How to use tcpdump to perform a packet capture on a Linux system.


To use tcpdump to make a packet capture you need the following:

  1. The interface (eth1, eth2, etc.) to capture traffic from.
  2. A user ID that can access the interface (usually root).
  3. A temporary directory to store the packet captures (usually /tmp).

As the user ID with access to the device (root), cd to the temporary directory and make a subdirectory.

# cd /tmp
# mkdir pc
# cd pc

To make a one-minute capture of eth1, start the capture with the following command:

# tcpdump -n -nn -N -s 0 -i eth1 -w eth1.pcap
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes

After one minute has elapsed, press Ctrl-C to end the capture. You should see something like the following.

5 packets captured
5 packets received by filter
0 packets dropped by kernel

The file eth1.pcap is the packet capture.

As an alternative, you can run the following command line as root; it stops automatically after 60 seconds. The trailing kill -1 sends SIGHUP to tcpdump, which makes it flush and close the capture file before exiting.

# mkdir -p /tmp/cd ; tcpdump -n -nn -N -s 0 -i eth1 -w /tmp/cd/eth1.pcap & pid=$! ; sleep 60 ; kill -1 $pid

The command options are fully explained in the man page. The options used above are:

-n - do not attempt to resolve IP addresses to domain names

-nn - do not convert protocol and port numbers to names

-N - do not print the domain part of host names

-s 0 - capture the entire packet (no snapshot length limit)

-i - the interface to capture from

-w - write the raw packets to the named file instead of printing them


NOTE: If tcpdump is run without the -s 0 switch, each packet is cut off at the default snapshot length and the capture is truncated. The "-s 0" option captures the entire packet.

Result of not using the -s 0 option: the capture shows "Packet size limited during capture" and HTTP content appears truncated.
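The following is an added example, not part of the original article, covering both the timed capture above and the truncation note. It assumes tcpdump is on PATH and that capture_for() is run as root; check_capture() works offline on pcap bytes and tells you whether a file was written with -s 0 by reading the snapshot length from the pcap global header and counting packets whose captured length is shorter than their on-the-wire length. The sample pcap bytes are constructed here for demonstration.

```python
"""Timed tcpdump capture plus an offline check for truncated captures.

Added example, not the article's own code. Assumes: tcpdump on PATH, root
privileges for capture_for(); check_capture() needs neither.
"""
import os
import signal
import struct
import subprocess
import time

PCAP_MAGIC_US = 0xA1B2C3D4  # classic pcap, microsecond timestamps
PCAP_MAGIC_NS = 0xA1B23C4D  # classic pcap, nanosecond timestamps


def capture_argv(iface, outfile, snaplen=0):
    """Argument list equivalent to the article's tcpdump command line."""
    return ["tcpdump", "-n", "-nn", "-N", "-s", str(snaplen),
            "-i", iface, "-w", outfile]


def capture_for(iface, outfile, seconds=60):
    """Start tcpdump, wait, then stop it with SIGHUP (the article's kill -1).

    Requires root. Returns tcpdump's exit status. tcpdump flushes and closes
    the output file when it receives SIGHUP, so the pcap is complete.
    """
    os.makedirs(os.path.dirname(outfile) or ".", exist_ok=True)
    proc = subprocess.Popen(capture_argv(iface, outfile))
    time.sleep(seconds)
    proc.send_signal(signal.SIGHUP)
    return proc.wait()


def check_capture(data):
    """Inspect raw pcap bytes and return (snaplen, packets, truncated).

    snaplen   - snapshot length recorded in the global header (-s value)
    packets   - number of packet records found
    truncated - packets whose captured length < original length, i.e. the
                packets a capture without -s 0 would have cut short
    """
    if len(data) < 24:
        raise ValueError("not a pcap file: header too short")
    for endian in ("<", ">"):
        magic, = struct.unpack(endian + "I", data[:4])
        if magic in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
            break
    else:
        raise ValueError("not a pcap file: unknown magic number")
    # Global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
    snaplen, = struct.unpack(endian + "I", data[16:20])
    offset, packets, truncated = 24, 0, 0
    while offset + 16 <= len(data):
        # Record header: ts_sec, ts_usec, incl_len (captured), orig_len (wire)
        caplen, origlen = struct.unpack(endian + "II", data[offset + 8:offset + 16])
        packets += 1
        if caplen < origlen:
            truncated += 1
        offset += 16 + caplen
    return snaplen, packets, truncated


def check_capture_file(path):
    """Convenience wrapper: run check_capture() on a pcap on disk."""
    with open(path, "rb") as fh:
        return check_capture(fh.read())


def make_pcap(snaplen, packets, endian="<"):
    """Constructed pcap bytes for demonstration. packets = [(caplen, origlen), ...]."""
    header = struct.pack(endian + "IHHiIII", PCAP_MAGIC_US, 2, 4, 0, 0, snaplen, 1)
    body = b"".join(struct.pack(endian + "IIII", 0, 0, caplen, origlen) + b"\x00" * caplen
                    for caplen, origlen in packets)
    return header + body


# Constructed samples: one taken with -s 0, one with a 96-byte snapshot length
FULL_SAMPLE = make_pcap(65535, [(60, 60), (1500, 1500)])
TRUNCATED_SAMPLE = make_pcap(96, [(60, 60), (96, 1500)])

if __name__ == "__main__":
    for label, sample in (("full", FULL_SAMPLE), ("truncated", TRUNCATED_SAMPLE)):
        snaplen, count, cut = check_capture(sample)
        print(f"{label}: snaplen={snaplen} packets={count} truncated={cut}")
```

Run check_capture_file("/tmp/pc/eth1.pcap") on a real capture: a non-zero truncated count means the file was written without -s 0 and the higher-level protocol content (for example HTTP) will be incomplete.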