Sniffing Packet Using tcpdump in Linux

The process of monitoring all these data packets passing through the network is called sniffing. Network administrators commonly use sniffers to troubleshoot and monitor network traffic. The attackers use these sniffers to capture and monitor data packets to steal sensitive user account information, such as passwords, username, and location.

Network packets are the basic data unit grouped and transferred over packet-switched networks, computer networks such as the Internet.

You can also monitor and intercept traffic on the network by using software that captures all the data packets passing through the network interface. You can do the same using hardware tools as well because sniffers are available as both software and hardware. In this guide, we will see how to process sniffing packets using the tcpdump in Linux.

Sniffing Packet Using tcpdump in Linux

Tcpdump is a packet analysis, and sniffing tool Linux system administrators use to troubleshoot connectivity issues. Sometimes, you can use this tool for security purposes. This tool mainly analyzes, filters, and captures network traffic like IP/TCP packets going through your system.

It collects the captured information in a .pcap file extension, which you can open only with the help of a command tool or Wireshark. The tcpdump comes as the pre-installed utility in various Linux distros. However, you can install it through the following command −

sudo apt install tcpdump (for Ubuntu/Debian-based distros)
yum install tcpdump (for RedHat-based Linux distros)
sudo pacman -S tcpdump (for Arch Linux)

You can also get brief information about the tcpdump command from its help page −

~$: tcpdump --h

Let's now see some examples of different options you can try in tcpdump to capture the network packets.

Displaying all the Available Network Interfaces

Using the -D option with the tcpdump command will list your system's available network interfaces.

~$: sudo tcpdump -D
[sudo] password for prateek: 
1.enp0s3 [Up, Running, Connected] 
2.any (Pseudo-device that captures on all interfaces) [Up, Running] 
3.lo [Up, Running, Loopback] 
4.bluetooth-monitor (Bluetooth Linux Monitor) [Wireless] 
5.nflog (Linux netfilter log (NFLOG) interface) [none] 
6.nfqueue (Linux netfilter queue (NFQUEUE) interface) [none] 
7.dbus-system (D-Bus system bus) [none] 
8.dbus-session D-Bus session bus none

From the above output, you can see the status of each network interface. Tcpdump creates a pseudo-device named 'any' rather than the actual network interface. Hence, by listening to this pseudo-device, the tool captures packets passing through all interfaces.

Sniff Network Interface

You can capture the current network interfaces using the below command −

~$: sudo tcpdump

Sniffing Packets Using Various Options of tcpdump

You can capture the network interfaces in many different ways and different formats, a list of which is as follows −

  • If you want to capture a packet from the specific network interface, please use the -i option −

~$: sudo tcpdump -i <network_interface> 
  • Similarly, use the -c option with the tcpdump command to capture a specific number of packets

~$: sudo tcpdump -c <number of packets> -i <network_interface> 

For instance, let's capture 2 packets from the 'lo' interface through the tcpdump command −

~$: sudo tcpdump -c 2 -i lo 
  • After the interface name, you can only capture the tcp packets using 'tcp.'

~$: sudo tcpdump -i <network_interface> tcp

Let's capture the tcp packets of 'lo' networks −

~$: sudo tcpdump -i lo tcp
  • The -XX flag with the tcpdump command prints the values in HEX and ASCII formats.

~$: sudo tcpdump -XX -i <network_interface>
  • Add- A with the command to print the packets only in ASCII format.

~$: sudo tcpdump -A -i <network_interface>

Show Timestamp Information

Tcpdump adds a timestamp to the first column on each packet dump output to indicate when the packet was captured. With this command, you can use the -t flag to support the formatting of the timestamp output.

~$: sudo tcpdump -t

When using the above command, it does not print any timestamp information.

  • You can also print the timestamp in the epoch time. In computing, it is the time and date relative to which the computer's timestamp and clock determine the value. January 1, 1970, at 00:00:00 UTC, is called the Unix epoch.

    These epochs are used for ease of calculation as a single number to maintain a time reference. Using the -tt option command, you can print the timestamp in the epoch time −

~$: sudo tcpdump -tt
  • You can also print the output of the timestamp in delta time format. Delta time is the time taken to complete the last frame. You can print the output in delta time using the -ttt flag with the tcpdump command.

~$: sudo tcpdump -ttt
  • Use the -tttt flag to print the timestamp with the date

~$: sudo tcpdump -tttt

Capture IP Address Packets on Specific Interface

You can add the -u option with the command to display the IP address packets on the specific interfaces as follows −

~$: sudo tcpdump -n -i <network_interface>

For example, we capture the IP address packets on the 'lo' network.

~$: sudo tcpdump -n -i lo

Capture and Save the Packets to a File

You can save IP/TCP packets and analyze them in the future. With the tcpdump command, you can save these packets to files using the -w option. Remember that the extension of these files should always be .pcap which stands for Packet Capture.

~$: sudo tcpdump -w <file_name.pcap> -i <network_interface>

In this case, we have saved the 'enp0s3' interface packets in the 'prateek.pcap' named file. (~$: sudo tcpdump -w <file_name.pcap> -i <network_interface>)

~$: sudo tcpdump -w prateek.pcap -i enp0s3
[sudo] password for prateek:
tcpdump: listening on ep0s3, link-type EN10MB (Ethernet), snapshot length 262144 bytes

Moreover, you can limit or set the particular size of every file through the -c option −

~$: sudo tcpdump -w prateek.pcap -i enp0s3 -C 3

Here 3 stands for 3MB, i.e., when the 'prateek.pcap' file size reaches 3MB, tcpdump will create more such files for every 3MB increment, like prateek pcap1, prateek.pcap2, and so on.

Read Captured packets from the Saved Files

The files in which we save the captured packets, we can read them using the -r flag as follows.

~$: sudo tcpdump -r <file_name.pcap> -i <network_interface>

In the above example, we have saved the 'prateek.pcap' file. We can read packets from this file using the '-r' option, as follows −

~$: sudo tcpdump -r prateek.pcap -i enp0s3


In this guide, we have seen how to sniff packets using tcpdump in Linux. You can present packets and files using different flags, many examples of which we have given in this guide.

This guide will help you use the tcpdump to capture and analyze TCP/IP packets. Furthermore, if you want to know more about the additional options of the tcpdump command, please use the -h option.

Updated on: 18-May-2023


Kickstart Your Career

Get certified by completing the course

Get Started