Usually, when working on my laptop or desktop, I'll use Wireshark for packet capture. If a GUI isn't available though, such as on the F5 console, tcpdump comes to the rescue. I generally create pcap files with it, then review them in Wireshark. If that isn't an option, the captured data can be viewed on the console in real time instead.


If you have a system with multiple NICs, you can specify which interface to capture traffic on.

Option                  Description
-D                      List available interfaces on the system.
-i [interface|number]   Specify which interface to use. Either the interface name or its number (as listed by -D) can be given.


# List all available interfaces
$ tcpdump -D
1.enp4s0 [Up, Running]
2.enp0s31f6 [Up, Running]

# Specify interface enp4s0
$ tcpdump -i enp4s0

# Specify interface enp4s0 using the number.
$ tcpdump -i 1


Of course, on a busy system there is usually a shedload of traffic, so filtering is necessary to reduce the noise.

Filter      Description
host ip     Capture traffic travelling to or from a specific host
port port   Capture traffic travelling to or from a specific port
src         Capture traffic from a specific source host or port (prefix to host/port, e.g. src host)
dst         Capture traffic to a specific destination host or port (prefix to host/port, e.g. dst port)

These filters can be combined using conditionals (the examples below use all three):

  • and
  • or
  • not


# Capture all HTTP traffic to & from
$ tcpdump -i enp4s0 host and port 80

# Capture all traffic except port 80
$ tcpdump -i enp4s0 not port 80

# Capture all traffic from to
$ tcpdump -i enp4s0 src host and dst

# Capture all traffic between the two hosts.
$ tcpdump -i enp0s31f6 host and host

There is a fair amount of flexibility with regard to outputting the data. Below are the options I most commonly use.

Option          Description
-w [filename]   Save the output to a binary file in the pcap format.
-n              Disable name (host & port) resolution.
-s[number]      Specify how many bytes of data to capture from each packet (the "snaplen"); anything beyond that is dropped from the saved record.
-s0             Capture the whole packet.


# Capture all packets for host and save to a file, without name resolution.
$ tcpdump -n -s0 host -w hostname.pcap

# Capture all HTTP traffic between two hosts and save to a file.
$ tcpdump -n -s0 host and host and port 80 -w hostname.pcap
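To make the -w / -s rows concrete, here is an added example (not code from the original post or from the tcpdump project) that writes and reads the classic pcap format tcpdump's -w produces. The writer mirrors -s0 (keep every byte) versus a small snaplen, and the reader shows how a truncated record can be spotted from the per-record header, because orig_len still holds the on-wire length even when incl_len is shorter. The helper names and the two sample frames are constructed for the demo.

```python
import struct

# Added example, not from the original post: a minimal writer/reader for the
# pcap format that "tcpdump -w" produces, to show what "-s" (snaplen) does to a
# saved capture. Names and the sample packets below are constructed for the demo.

PCAP_MAGIC_LE = 0xA1B2C3D4   # microsecond timestamps, little-endian header
PCAP_MAGIC_BE = 0xD4C3B2A1   # the same magic read with "<I" from a big-endian file
LINKTYPE_ETHERNET = 1


def write_pcap(packets, snaplen=0):
    """Serialise [(timestamp, raw_bytes), ...] into pcap bytes.

    snaplen=0 mirrors tcpdump's -s0 (keep every byte); any other value
    truncates each stored record to that many bytes. orig_len still holds the
    on-wire length, so a reader can tell which records were cut short.
    """
    header_snaplen = snaplen or max((len(p) for _, p in packets), default=0)
    # Global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0,
                                header_snaplen, LINKTYPE_ETHERNET))
    for ts, pkt in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        captured = pkt if snaplen == 0 else pkt[:snaplen]
        # Per-record header: ts_sec, ts_usec, incl_len (stored), orig_len (on wire)
        out += struct.pack("<IIII", sec, usec, len(captured), len(pkt))
        out += captured
    return bytes(out)


def read_pcap(data):
    """Parse pcap bytes. Returns (snaplen, records) where each record is
    (ts_sec, ts_usec, incl_len, orig_len, stored_bytes). Handles both byte orders."""
    if len(data) < 24:
        raise ValueError("too short to hold a pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_LE:
        e = "<"
    elif magic == PCAP_MAGIC_BE:
        e = ">"
    else:
        raise ValueError("unknown pcap magic %#x" % magic)
    _, _vmaj, _vmin, _tz, _sig, snaplen, _link = struct.unpack(e + "IHHiIII", data[:24])
    records, off = [], 24
    while off < len(data):
        if len(data) - off < 16:
            raise ValueError("truncated record header at offset %d" % off)
        sec, usec, incl_len, orig_len = struct.unpack(e + "IIII", data[off:off + 16])
        off += 16
        pkt = data[off:off + incl_len]
        if len(pkt) != incl_len:
            raise ValueError("record body cut short at offset %d" % off)
        off += incl_len
        records.append((sec, usec, incl_len, orig_len, pkt))
    return snaplen, records


def truncated_records(data):
    """Indices of records whose stored bytes are fewer than the on-wire length,
    i.e. packets whose tail was lost to a snaplen that was too small."""
    _, records = read_pcap(data)
    return [i for i, r in enumerate(records) if r[2] < r[3]]


# Constructed sample traffic: one full-size frame and one small frame.
SAMPLE = [
    (1700000000.5, bytes(range(256)) * 6),   # 1536 bytes
    (1700000001.0, b"\x00" * 60),            # 60 bytes
]

if __name__ == "__main__":
    for snap in (0, 96):
        blob = write_pcap(SAMPLE, snaplen=snap)
        # The files are ordinary pcap and can be opened in Wireshark or with tcpdump -r.
        with open("demo-snaplen-%d.pcap" % snap, "wb") as fh:
            fh.write(blob)
        print("snaplen %3d -> truncated records: %s" % (snap, truncated_records(blob)))
```

Running it writes two files; the snaplen-96 one stores only the first 96 bytes of the big frame, which is exactly the situation a small -s value causes when you later want to look at HTTP bodies in Wireshark.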

For the hardcore

tcpdump is far more capable than what I use it for; for example, these are taken from the man page:

To print all IPv4 HTTP packets to and from port 80, i.e. print only
packets that contain data, not, for example, SYN and FIN packets and
ACK-only packets. (IPv6 is left as an exercise for the reader.)

tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
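The expression above is just header arithmetic: IP total length, minus the IP header length, minus the TCP header length, leaves the TCP payload length, and the filter keeps packets where that is non-zero. Here is an added example (not from the man page or the original post) that evaluates the same arithmetic in Python on constructed IPv4/TCP packets, so you can see why a SYN with options or a bare ACK drops out while a GET request stays in. It also applies the "tcp port 80" part from the filter section earlier. The packet builder, addresses and ports are all constructed for the demo, and like the man-page filter it handles IPv4 only.

```python
import struct

# Added example, not from the tcpdump man page or the original post: the byte
# arithmetic behind the "tcp port 80 and ... != 0" filter, evaluated in Python
# on constructed IPv4/TCP packets so you can see why SYN/ACK-only packets drop out.
# Packet builder, addresses and ports are all constructed for the demo.

TCP_SYN, TCP_ACK, TCP_PSH_ACK = 0x02, 0x10, 0x18


def build_ipv4_tcp(payload=b"", ip_options=b"", tcp_options=b"",
                   flags=TCP_PSH_ACK, sport=40000, dport=80):
    """Build an IPv4+TCP packet (no Ethernet header). Checksums are left at
    zero: this example exercises the header-length arithmetic, not validation."""
    if len(ip_options) % 4 or len(tcp_options) % 4:
        raise ValueError("options must be padded to a multiple of 4 bytes")
    ihl = (20 + len(ip_options)) // 4            # IP header length in 32-bit words
    doff = (20 + len(tcp_options)) // 4          # TCP data offset in 32-bit words
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, doff << 4, flags,
                          65535, 0, 0) + tcp_options
    total_len = 20 + len(ip_options) + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0, 0,
                         64, 6, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + ip_options
    return ip_hdr + tcp_hdr + payload


def tcp_payload_len(pkt):
    """ip[2:2] - ((ip[0]&0xf)<<2) - ((tcp[12]&0xf0)>>2), as the man page writes it.

    tcpdump's ip[N] indexes from the start of the IPv4 header and tcp[N] from
    the start of the TCP header, so the IP header length is needed to find tcp[12]."""
    ip_total_len = struct.unpack("!H", pkt[2:4])[0]      # ip[2:2]  (16-bit total length)
    ip_hdr_len = (pkt[0] & 0x0F) << 2                     # (ip[0]&0xf)<<2  IHL words -> bytes
    tcp = pkt[ip_hdr_len:]
    tcp_hdr_len = (tcp[12] & 0xF0) >> 2                   # (tcp[12]&0xf0)>>2  data offset -> bytes
    return ip_total_len - ip_hdr_len - tcp_hdr_len


def matches_http_data_filter(pkt):
    """The whole filter: 'tcp port 80 and (payload length != 0)', IPv4 only."""
    if (pkt[0] >> 4) != 4 or pkt[9] != 6:                 # IP version 4, protocol 6 = TCP
        return False
    ip_hdr_len = (pkt[0] & 0x0F) << 2
    sport, dport = struct.unpack("!HH", pkt[ip_hdr_len:ip_hdr_len + 4])
    if 80 not in (sport, dport):                          # 'tcp port 80' matches either end
        return False
    return tcp_payload_len(pkt) != 0


# Constructed packets
SYN = build_ipv4_tcp(flags=TCP_SYN, tcp_options=b"\x02\x04\x05\xb4")   # MSS option, no data
BARE_ACK = build_ipv4_tcp(flags=TCP_ACK)                                # ACK-only, no data
HTTP_GET = build_ipv4_tcp(payload=b"GET / HTTP/1.0\r\n\r\n")
HTTP_GET_IPOPT = build_ipv4_tcp(payload=b"GET / HTTP/1.0\r\n\r\n", ip_options=b"\x01\x01\x01\x01")
OTHER_PORT = build_ipv4_tcp(payload=b"\x16\x03\x01", dport=443)         # has data, wrong port

if __name__ == "__main__":
    for name, pkt in [("SYN", SYN), ("BARE_ACK", BARE_ACK), ("HTTP_GET", HTTP_GET),
                      ("HTTP_GET_IPOPT", HTTP_GET_IPOPT), ("OTHER_PORT", OTHER_PORT)]:
        print("%-15s payload=%2d bytes  matches=%s"
              % (name, tcp_payload_len(pkt), matches_http_data_filter(pkt)))
```

The IP-options case is why the filter bothers with `(ip[0]&0xf)<<2` instead of assuming a 20-byte header: with a 24-byte IPv4 header, `tcp[12]` sits four bytes further in, and a fixed offset would read the wrong byte.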


To print all ICMP packets that are not echo requests/replies (i.e., not
ping packets):

tcpdump 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'

Official Doco