Packet capture reference
Browse practical tcpdump, tshark, dumpcap, and udpdump commands for common network troubleshooting scenarios.
18 commands shown.

tcpdump / Setup
Find the right interface
List capture interfaces before starting a packet capture.
    sudo tcpdump -D
Use the interface name with -i, such as eth0, ens5, en0, or any.

tcpdump / DNS
Watch DNS queries and replies on UDP or TCP port 53.
    sudo tcpdump -i any -nn -vv 'port 53'
-nn avoids DNS and service-name lookups so tcpdump does not create extra resolver traffic.

tcpdump / Files
Save packets for later analysis in Wireshark or tshark.
    sudo tcpdump -i eth0 -nn -s 0 -w capture.pcap 'host 192.0.2.10'
-s 0 captures the full packet instead of truncating after a small snap length.

tcpdump / Files
Print packets from a capture file without touching the network.
    tcpdump -nn -r capture.pcap
Add -tttt for readable timestamps or -X to include hex and ASCII payload output.

tcpdump / HTTP
Capture cleartext HTTP traffic and print payload bytes.
    sudo tcpdump -i any -nn -A -s 0 'tcp port 80'
This is only useful for unencrypted HTTP. HTTPS payload is encrypted.

tcpdump / TLS
Capture TCP 443 traffic for handshake timing, resets, and retransmits.
    sudo tcpdump -i any -nn -tttt 'tcp port 443'
tcpdump cannot decrypt TLS by itself, but it can reveal connection setup and packet loss patterns.

tcpdump / Host
Capture all packets to or from a single IP address.
    sudo tcpdump -i any -nn 'host 203.0.113.42'
Use src host or dst host when you only need one traffic direction.

tcpdump / TCP
Limit capture to a client/server pair and a single service port.
    sudo tcpdump -i any -nn 'host 203.0.113.42 and tcp port 443'
This filter is a practical starting point for latency, reset, and retransmission debugging.

tcpdump / TCP
Find SYN, FIN, RST, and ACK behavior without dumping payload.
    sudo tcpdump -i any -nn -tttt 'tcp[tcpflags] & (tcp-syn|tcp-fin|tcp-rst) != 0'
Useful when checking refused connections, resets, and handshake failures. The expression tests byte 13 of the TCP header and matches only packets with SYN, FIN, or RST set, so pure ACK and data segments are skipped; the ACK flag is visible on the SYN-ACK and FIN-ACK packets that do match.

tcpdump / ICMP
Watch echo requests, echo replies, unreachable messages, and TTL errors.
    sudo tcpdump -i any -nn 'icmp or icmp6'
ICMP is often the quickest way to spot reachability and MTU-related symptoms.

tcpdump / L2
Capture ARP requests and replies on a local Ethernet segment.
    sudo tcpdump -i eth0 -nn -e 'arp'
-e prints link-layer headers, including source and destination MAC addresses.

tcpdump / DHCP
Watch DHCP discover, offer, request, and ack messages.
    sudo tcpdump -i any -nn -vv 'udp port 67 or udp port 68'
Run this before renewing a lease so you see the full exchange.

tcpdump / Files
Keep a rolling capture without filling the disk with one huge file.
    sudo tcpdump -i eth0 -nn -s 0 -G 300 -W 12 -w 'capture-%Y%m%d-%H%M%S.pcap'
-G rotates every 300 seconds and -W keeps a limited number of files.

dumpcap / Files
Capture packets with Wireshark's capture engine and write pcapng output.
    sudo dumpcap -i eth0 -s 0 -f 'host 192.0.2.10' -w capture.pcapng
dumpcap is usually better than the Wireshark GUI for long-running captures.

tshark / Files
Read packets with Wireshark dissectors from the command line.
    tshark -r capture.pcapng -Y 'dns or tcp.analysis.retransmission'
-Y is a Wireshark display filter. It is different from tcpdump capture filters.

tshark / Analysis
Print structured columns for quick shell-friendly analysis.
    tshark -r capture.pcapng -T fields -e frame.time -e ip.src -e ip.dst -e tcp.stream
Add more -e fields to build quick reports from a pcap.

udpdump / UDP
Use Wireshark extcap input for UDP payloads sent to a local port.
    udpdump --port 5555 --fifo /tmp/udpdump.pcap
udpdump is an extcap helper. It is most useful when integrated with Wireshark or extcap workflows.

tcpdump / Privacy
Reduce payload exposure by limiting snap length.
    sudo tcpdump -i eth0 -nn -s 96 -w headers-only.pcap
A smaller snap length can still expose metadata. Treat captures as sensitive data.

tcpdump and dumpcap capture filters use BPF syntax before packets are saved. tshark -Y uses Wireshark display filters after packets are decoded.
Packet captures can contain credentials, tokens, hostnames, payloads, and internal IP addresses. Store and share pcap files carefully.
Begin with a host, port, or protocol filter. Broaden the capture only when the first trace does not include the traffic you need.
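To make the capture-filter and snap-length entries above concrete without a live interface, the following Python script is an added example (not part of this reference and not tcpdump code). It hand-builds six Ethernet/IPv4/TCP frames between constructed documentation-range addresses, writes them to classic pcap bytes the way tcpdump -w does, reads them back, and evaluates two of the page's BPF expressions by hand: 'host 203.0.113.42 and tcp port 443' and 'tcp[tcpflags] & (tcp-syn|tcp-fin|tcp-rst) != 0'. Running it again with snaplen=96 shows what -s 96 keeps and what it cuts. Every address, port, timestamp and payload is a constructed sample value.

```python
"""Constructed example: a minimal pcap writer/reader that applies two of the
reference page's BPF capture filters to hand-built packets and shows what
'-s 96' truncation does to the saved records. Nothing here touches the
network; every frame is built locally in build_packet()."""
import socket
import struct

# TCP flag bits live in byte 13 of the TCP header, which is what 'tcp[tcpflags]' indexes
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10
FLAG_LETTERS = [(TCP_FIN, "F"), (TCP_SYN, "S"), (TCP_RST, "R"), (TCP_PSH, "P"), (TCP_ACK, ".")]


def build_packet(src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Build a raw Ethernet/IPv4/TCP frame. Checksums are left at zero because
    the frame is only parsed locally, never transmitted."""
    eth = b"\x00" * 12 + b"\x08\x00"          # zero MACs, EtherType IPv4
    ip_total = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total, 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp + payload


def write_pcap(packets, snaplen=65535):
    """Return classic pcap bytes (link type 1, Ethernet). Each packet is cut at
    snaplen exactly as tcpdump -s does; orig_len records the true size."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for ts_sec, pkt in packets:
        data = pkt[:snaplen]
        out += struct.pack("<IIII", ts_sec, 0, len(data), len(pkt)) + data
    return out


def read_pcap(blob):
    """Yield (ts_sec, caplen, origlen, data) for each record in the file."""
    magic, = struct.unpack("<I", blob[:4])
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap is handled here")
    off = 24
    while off < len(blob):
        ts_sec, _usec, caplen, origlen = struct.unpack("<IIII", blob[off:off + 16])
        off += 16
        yield ts_sec, caplen, origlen, blob[off:off + caplen]
        off += caplen


def decode(frame):
    """Extract the fields the filters need; None if not IPv4/TCP or cut too short."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    tcp = frame[14 + ihl:]
    if len(tcp) < 14:                         # truncated before the flags byte
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    return {"src": socket.inet_ntoa(frame[26:30]), "dst": socket.inet_ntoa(frame[30:34]),
            "sport": sport, "dport": dport, "flags": tcp[13]}


def match_host_port(f, host, port):
    """BPF 'host H and tcp port P': H and P may each appear on either side."""
    return f is not None and host in (f["src"], f["dst"]) and port in (f["sport"], f["dport"])


def match_syn_fin_rst(f):
    """BPF 'tcp[tcpflags] & (tcp-syn|tcp-fin|tcp-rst) != 0'."""
    return f is not None and (f["flags"] & (TCP_SYN | TCP_FIN | TCP_RST)) != 0


def describe(f):
    """tcpdump-style one-liner: src.port > dst.port Flags [S.]"""
    if f is None:
        return "not IPv4/TCP or truncated"
    letters = "".join(ch for bit, ch in FLAG_LETTERS if f["flags"] & bit)
    return f'{f["src"]}.{f["sport"]} > {f["dst"]}.{f["dport"]} Flags [{letters}]'


def run_demo(snaplen=65535):
    """Write six constructed packets, read them back, and count filter hits."""
    client, server = "203.0.113.42", "198.51.100.7"   # constructed sample addresses
    packets = [
        (1700000000, build_packet(client, server, 51000, 443, TCP_SYN)),
        (1700000000, build_packet(server, client, 443, 51000, TCP_SYN | TCP_ACK)),
        (1700000000, build_packet(client, server, 51000, 443, TCP_ACK)),
        (1700000001, build_packet(client, server, 51000, 443, TCP_PSH | TCP_ACK, b"A" * 200)),
        (1700000002, build_packet(server, client, 443, 51000, TCP_RST)),
        (1700000003, build_packet("192.0.2.10", server, 40000, 80, TCP_SYN)),
    ]
    counts = {"packets": 0, "pair": 0, "control": 0, "truncated": 0}
    for _ts, caplen, origlen, data in read_pcap(write_pcap(packets, snaplen)):
        f = decode(data)
        counts["packets"] += 1
        counts["truncated"] += caplen < origlen
        counts["pair"] += match_host_port(f, client, 443)
        counts["control"] += match_syn_fin_rst(f)
        print(f"{caplen:>4}/{origlen:<4} {describe(f)}")
    return counts


if __name__ == "__main__":
    print(run_demo())            # full packets, nothing truncated
    print(run_demo(snaplen=96))  # headers survive, the 200-byte payload is cut
```

The host/port filter matches the five packets of the 203.0.113.42:51000 to 198.51.100.7:443 conversation and ignores the unrelated port-80 SYN; the flags filter keeps the SYN, SYN-ACK, RST and the stray SYN but drops the pure ACK and the PSH-ACK data segment. With snaplen=96 the data segment is recorded as 96 of 254 bytes, which is why a small -s still lets you see handshakes and resets while dropping most payload, and also why the conversation metadata remains visible in a headers-only capture.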
Tooling map
tcpdump: Best first tool for quick captures, BPF filters, server terminals, and simple pcap files.
dumpcap: Good for long captures and pcapng output using Wireshark's capture engine without the GUI.
tshark: Best for reading pcap files, protocol dissection, display filters, and field extraction.
udpdump: Useful for Wireshark extcap workflows that convert UDP streams into capture input.