How to Use tcpdump and tshark for Packet Capture on Linux
This guide explains how to install tcpdump, use various options such as -nn, port filters, -c, and -w to capture and save network packets, and introduces tshark commands for detailed HTTP traffic analysis on Linux systems.
tcpdump is a command-line packet capture tool that is not always installed by default; install it with yum install -y tcpdump and specify the network interface to listen on when you run it.
Adding the -nn option prints numeric IP addresses and port numbers instead of resolving them to hostnames and service names; each output line shows the timestamp, source IP and port, destination IP and port, and packet details, so you can follow the flow of traffic.
Use the filter expression port 22 to capture only traffic on that port, or not port 22 to exclude it. You can also filter on a particular IP address.
The -c 20 option stops the capture after a given number of packets, here 20.
With -w /tmp/1.cap you write the captured packets to a file. Use file to check what it is rather than cat, because the file is binary pcap data and not readable text. Use tcpdump -r /tmp/1.cap to read the file back and display the saved traffic.
tshark, part of the Wireshark suite, provides similar functionality. After installing the wireshark package, you can run a command such as tshark -n -t a -R http.request -T fields -e "frame.time" -e "ip.src" -e "http.host" -e "http.request.method" -e "http.request.uri" to print the time, client IP, host, method, and URI of each HTTP request on port 80, effectively generating web access logs. Note that on current Wireshark releases -R is a two-pass read filter and is only accepted together with -2; for a single-pass live capture use -Y http.request instead.
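As an added example that is not part of the original guide, the following Python reads a pcap file of the kind tcpdump -w produces and reports each TCP packet in the numeric form that -nn prints, with an optional port filter equivalent to port 22. The sample capture is constructed in memory (not a real capture), and the parser assumes a little-endian, microsecond-resolution Ethernet pcap.

```python
import struct
from datetime import datetime, timezone

PCAP_MAGIC = 0xA1B2C3D4    # little-endian, microsecond pcap as written by tcpdump -w
LINKTYPE_ETHERNET = 1

def build_sample_pcap():
    """Constructed sample: two Ethernet/IPv4/TCP SYNs, one to port 22 and one to port 80."""
    def packet(ts, src, dst, sport, dport):
        eth = b"\x00" * 12 + b"\x08\x00"                       # zero MACs, EtherType IPv4
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
        frame = eth + ip + tcp
        return struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame  # per-packet header
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return (header + packet(1700000000, "10.0.0.5", "10.0.0.9", 51000, 22)
                   + packet(1700000001, "10.0.0.5", "10.0.0.9", 51001, 80))

def read_pcap(data, port=None):
    """Return (time, src, sport, dst, dport) for each TCP packet, optionally only those touching `port`."""
    magic, _maj, _min, _tz, _sig, _snaplen, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("not a little-endian Ethernet pcap")
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, caplen, _origlen = struct.unpack("<IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00":          # skip non-IPv4 frames
            continue
        ihl = (frame[14] & 0x0F) * 4             # IPv4 header length in bytes
        if frame[23] != 6:                       # skip non-TCP
            continue
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        l4 = 14 + ihl
        sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
        if port is not None and port not in (sport, dport):   # behaves like tcpdump's "port N"
            continue
        ts = datetime.fromtimestamp(ts_sec, tz=timezone.utc).strftime("%H:%M:%S") + f".{ts_usec:06d}"
        records.append((ts, src, sport, dst, dport))
    return records

if __name__ == "__main__":
    for ts, src, sport, dst, dport in read_pcap(build_sample_pcap(), port=22):
        print(f"{ts} IP {src}.{sport} > {dst}.{dport}")   # tcpdump -nn style line
```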