Using tcpdump on Linux for Network Packet Capture: Commands and Tips
This guide explains how to use tcpdump on Linux to capture all traffic, filter by IP or port, save to files, read pcap files, and apply advanced filters, while highlighting important security, permission, and storage considerations.
In Linux, network packet capture is typically performed with tools like tcpdump or Wireshark, which can intercept packets traversing a network interface to help analyze traffic, diagnose network problems, or conduct security audits.
Common tcpdump commands include:
Capture all traffic on a specific interface: sudo tcpdump -i eth0
Capture only traffic destined for a particular IP address: sudo tcpdump -i eth0 dst <IP address> (use src <IP address> instead to capture traffic originating from that address; src matches the source address, dst the destination)
Capture traffic on a specific port: sudo tcpdump -i eth0 port <port number> (e.g., sudo tcpdump -i eth0 'tcp port 80')
Write captured packets to a file: sudo tcpdump -i eth0 -w bank.pcap
Read a saved pcap file: sudo tcpdump -r bank.pcap
Advanced filter examples (-n disables hostname and port name resolution, -c N stops after N packets; options are given before the filter expression):
tcpdump -i eth0 -n '(src 192.168.240.26 and dst 192.168.240.8) or arp'
tcpdump -i eth0 -n -c 10 src host 192.168.240.26
tcpdump -i eth0 -n -c 10 dst host 192.168.240.8
tcpdump -i eth0 -n -c 5 port 22
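To show what reading a saved capture and applying a filter such as 'src host 192.168.240.26 and port 22' actually involves, here is an added example (not code from the original page) that parses the libpcap file format tcpdump -w writes and applies that filter in Python; the sample capture, the addresses and the port numbers are constructed in memory so it runs offline.

```python
import struct

# Added example, not from the original page: a minimal reader for the pcap
# format that `tcpdump -w` writes, applying the equivalent of the filter
# `src host 192.168.240.26 and port 22` as `tcpdump -r file.pcap` would.
# The sample capture is constructed in memory so the code runs offline.

def build_frame(src_ip, dst_ip, sport, dport, proto=6):
    """Constructed Ethernet/IPv4 frame with a TCP(6) or UDP(17) header and no payload."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + struct.pack("!HH", sport, dport) + b"\x00" * 4

def build_pcap(frames):
    """libpcap file: 24-byte global header (linktype 1 = Ethernet), then 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out

def read_pcap(data):
    """Yield captured frames, honouring the byte order given by the magic number."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if end is None:
        raise ValueError("not a classic pcap file (pcapng or unknown magic)")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(end + "IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def decode(frame):
    """(src_ip, dst_ip, sport, dport) for an Ethernet/IPv4 TCP or UDP frame, else None."""
    if len(frame) < 38 or frame[12:14] != b"\x08\x00" or frame[23] not in (6, 17):
        return None
    ihl = (frame[14] & 0x0F) * 4           # IPv4 header length, options included
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    return (src, dst) + struct.unpack("!HH", frame[14 + ihl:18 + ihl])

def filter_pcap(data, src_host=None, port=None):
    """Equivalent of tcpdump -r <file> 'src host X and port Y' (port matches either end)."""
    return [i for i in filter(None, map(decode, read_pcap(data)))
            if (src_host is None or i[0] == src_host) and (port is None or port in i[2:])]

SAMPLE = build_pcap([build_frame("192.168.240.26", "192.168.240.8", 51000, 22),
                     build_frame("192.168.240.8", "192.168.240.26", 22, 51000),
                     build_frame("192.168.240.26", "192.168.240.8", 51001, 80)])
```

Writing SAMPLE to a file and opening it with tcpdump -r -n 'src host 192.168.240.26 and port 22' shows the same single packet that filter_pcap returns.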
Precautions:
Network capture may involve privacy and security issues; ensure you have proper authorization.
Root privileges are often required to capture packets.
Capturing large volumes of data can consume significant disk space; set appropriate limits.
tcpdump supports complex filter expressions, which can be studied further for specialized capture needs.
Practical DevOps Architecture