tcpdump

The Tcpdump Group

Command-line packet capture utility — the Unix sniffing workhorse.

Tags: Network Recon & Monitoring · Free & Open Source · CLI · Practiced in lab · Linux · macOS

Cyber Kill Chain & Defender Lifecycle

Attacker — Kill Chain
1 Reconnaissance
2 Weaponization
3 Delivery
4 Exploitation
5 Installation
6 Command & Control
7 Actions on Objectives
Defender — IR Lifecycle
8 Detection / Monitoring
9 Containment & Eradication
10 Post-incident Forensics

Description

tcpdump is the Unix CLI packet sniffer. It is small, scriptable, and present on virtually every Linux box. Analysts use it on jump hosts, firewalls and servers to capture traffic for offline analysis in Wireshark when GUI access is impossible or too heavy.

Important concepts:

  • BPF filters (e.g. tcpdump host 1.2.3.4 and port 53) are compiled and applied in the kernel, so unwanted traffic is dropped before it reaches userspace; they are the main lever for keeping captures small and relevant.
  • -w file.pcap and -r file.pcap are the standard write/read flags. Add -nn when writing so tcpdump does not resolve hostnames or port names, which would otherwise cause the capture host to emit its own DNS queries.
  • -i any captures on all interfaces (Linux only, via a "cooked" pseudo-header rather than real Ethernet frames); -s 0 captures full packets. Modern tcpdump already defaults to a 262144-byte snaplen, so -s 0 mainly matters on old builds, but it is harmless to keep.
  • Rotating captures (-C size -W count) keep long-running investigations within disk limits. -C is in units of 1,000,000 bytes (not MiB); with -W the files form a ring and the oldest is overwritten once the count is reached.

Use cases

  • Capturing traffic on a remote SSH-only server
  • Long-running rotating captures during incident response
  • Triggered captures fed by a shell script when an alert fires
  • Quickly confirming whether DNS resolution is leaving the host
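The concepts and use cases above come together in an alert-triggered capture: build a kernel-level BPF filter from a list of indicators, then run a time-bounded, rotating capture so a noisy alert cannot fill the disk. The script below is an added example written for this page, not code from The Tcpdump Group; the function names, the 100 MB x 10 ring, the sample indicators and the use of GNU coreutils timeout are all assumptions.

```shell
#!/bin/sh
# Added example (not from tcpdump itself): turn an IOC list into a BPF filter
# and start a bounded, rotating tcpdump capture from an alert hook.

# build_bpf HOSTS PORTS -> prints "(host A or host B) and (port X or port Y)".
# HOSTS and PORTS are space-separated; either may be empty.  Only dotted-quad
# IPv4 and numeric ports are accepted so a malformed IOC (e.g. one containing
# "or", "not" or a filename) cannot alter the filter's meaning.
build_bpf() {
    hosts=$1
    ports=$2
    host_expr=""
    for h in $hosts; do
        case $h in
            *[!0-9.]*|.*|*.|*..*|*.*.*.*.*) echo "build_bpf: bad host '$h'" >&2; return 1 ;;
            *.*.*.*) ;;                    # four dot-separated numeric fields
            *) echo "build_bpf: bad host '$h'" >&2; return 1 ;;
        esac
        host_expr="${host_expr:+$host_expr or }host $h"
    done
    port_expr=""
    for p in $ports; do
        case $p in
            *[!0-9]*) echo "build_bpf: bad port '$p'" >&2; return 1 ;;
        esac
        [ "$p" -le 65535 ] || { echo "build_bpf: bad port '$p'" >&2; return 1; }
        port_expr="${port_expr:+$port_expr or }port $p"
    done
    if [ -n "$host_expr" ] && [ -n "$port_expr" ]; then
        printf '(%s) and (%s)\n' "$host_expr" "$port_expr"
    elif [ -n "$host_expr" ]; then
        printf '(%s)\n' "$host_expr"
    elif [ -n "$port_expr" ]; then
        printf '(%s)\n' "$port_expr"
    else
        echo "build_bpf: empty filter" >&2
        return 1
    fi
}

# triggered_capture IFACE OUTDIR SECONDS HOSTS PORTS
# Meant to be called by an alert hook.  Runtime is bounded by timeout(1)
# (assumed available; exit status 124 just means the time limit was reached),
# size by the -C/-W ring.  -nn keeps the capture host from resolving names.
# On distros where tcpdump drops root after opening the interface, OUTDIR must
# be writable by that unprivileged user (see -Z in the man page).
triggered_capture() {
    iface=$1
    outdir=$2
    secs=$3
    filter=$(build_bpf "$4" "$5") || return 1
    mkdir -p "$outdir" || return 1
    stamp=$(date +%Y%m%dT%H%M%S)
    # ten files of 100,000,000 bytes each, named alert-<stamp>.pcap0 .. 9
    timeout "$secs" tcpdump -nn -i "$iface" -s 0 -C 100 -W 10 \
        -w "$outdir/alert-$stamp.pcap" "$filter"
}

# Example invocation (constructed indicators), e.g. from an alert handler:
#   triggered_capture eth0 /var/log/cap 600 "10.10.10.7 10.10.10.8" "445 139"
```

The filter is passed to tcpdump as a single argument, which tcpdump accepts, so no eval is needed and the validated IOCs are the only thing that reaches the BPF compiler. On macOS drop -i any in favour of a real interface name, as the any pseudo-interface is Linux-specific.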

Example

# Capture full packets for SMB traffic to a suspect host
# (-nn: no hostname/port-name lookups, so the capture host itself stays quiet)
sudo tcpdump -nn -i any -s 0 -w smb.pcap host 10.10.10.7 and port 445

# Rotate captures into 100 MB (100,000,000-byte) files, keep the last 10.
# Files are written as cap.pcap0 ... cap.pcap9 and then overwritten in a ring;
# on distros where tcpdump drops to an unprivileged user after opening the
# interface, /var/log/cap must be writable by that user (see -Z in the man page).
sudo tcpdump -nn -i eth0 -C 100 -W 10 -w /var/log/cap/cap.pcap