tcpdump — Install, Use, Optimise (2026)

Manish Garg · Associate of (ISC)² · RingSafe
Apr 29, 2026

Command-line packet capture — universally available, scriptable, and fast enough for 10Gbps interfaces.

Use case: Network Analysis
Difficulty: Beginner → Intermediate
Homepage: https://www.tcpdump.org

Installation

Pick the install method that matches your stack. The Docker option is the cleanest for one-off scans where you don’t want to pollute your workstation.

Linux (apt)

sudo apt install tcpdump

macOS (built-in)

tcpdump --version

Alpine / minimal

apk add tcpdump

Core commands

The handful of invocations you’ll actually run on 90% of engagements:

Capture HTTP traffic to file

sudo tcpdump -i eth0 -w out.pcap port 80

Read pcap with -nn (no DNS/port resolution)

tcpdump -nn -r out.pcap

Capture between two hosts

sudo tcpdump -i eth0 -w out.pcap host 1.2.3.4 and host 5.6.7.8

Rotate captures hourly, keep 24

sudo tcpdump -i eth0 -G 3600 -W 24 -w cap_%H.pcap

Filter to single TCP flag (SYN scans)

sudo tcpdump -i eth0 "tcp[tcpflags] == tcp-syn"

Print payload as ASCII

sudo tcpdump -i eth0 -A port 80

Performance optimisation

What separates a junior who runs the default invocation from a practitioner who knows the knobs:

  • -s 0 captures full packets (default in modern tcpdump). -s 96 captures only headers — 10× smaller pcaps.
  • -B 4096 sets the kernel capture buffer size in KiB — raise it for high-rate captures so the kernel does not drop packets before tcpdump reads them.
  • --immediate-mode reduces capture latency at expense of throughput.
  • BPF filters compile to kernel — vastly faster than userland filtering. Always filter at capture time on production interfaces.
  • For 10 Gbps and above: use the AF_PACKET v3 ring buffer (add -p / --no-promiscuous-mode if the SPAN port already delivers the traffic you need) or move to dpdkcap.
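The -B advice above is only useful if you actually look at the drop counters. When tcpdump exits it prints a three-line summary to stderr ("packets captured", "packets received by filter", "packets dropped by kernel"). The script below is an added example, not part of the original post or of tcpdump itself; it parses that summary and fails when kernel drops exceed a per-mille budget, so a capture job can refuse to hand over a lossy pcap. The sample summaries are constructed, not from a real capture, and the budget threshold is an assumption.

```shell
#!/bin/sh
# Added example: judge a finished capture by the drop counters tcpdump prints
# to stderr on exit. Typical use on a real box (not run here):
#   sudo tcpdump -i eth0 -B 4096 -s 96 -w out.pcap port 80 2> capture.log
#   drops_within_budget "$(cat capture.log)" 5   # 5 per mille = 0.5 %

# Parse the exit summary on stdin; print "<received> <dropped>".
parse_tcpdump_summary() {
  awk '
    /packets received by filter/ { received = $1 }
    /packets dropped by kernel/  { dropped  = $1 }
    END { print received + 0, dropped + 0 }
  '
}

# drops_within_budget SUMMARY BUDGET_PERMILLE
# Exit 0 when dropped/received is at or below the budget (tenths of a percent),
# 1 otherwise. Integer arithmetic only, so it runs in plain POSIX sh.
drops_within_budget() {
  summary=$1
  budget=$2
  set -- $(printf '%s\n' "$summary" | parse_tcpdump_summary)
  received=$1
  dropped=$2
  # A capture that received nothing cannot have dropped anything.
  [ "$received" -gt 0 ] || return 0
  [ $(( dropped * 1000 / received )) -le "$budget" ]
}

# Constructed sample summaries (not output of a real capture).
HEALTHY='12345 packets captured
12400 packets received by filter
0 packets dropped by kernel'

LOSSY='980123 packets captured
1000000 packets received by filter
19877 packets dropped by kernel'

for name in HEALTHY LOSSY; do
  eval "text=\$$name"
  if drops_within_budget "$text" 5; then
    echo "$name: kernel drops within budget"
  else
    echo "$name: kernel drops exceed budget; raise -B, tighten the BPF filter, or shrink -s" >&2
  fi
done
```

Drops are measured against "received by filter", so a tight BPF filter lowers both the load and the denominator; if the ratio is still high after raising -B, the box is the bottleneck and the capture should move to a ring-buffer or DPDK setup.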

Common pitfalls

Real failure modes that bite people on engagements. Most are recoverable; a few are reputation-damaging.

  • Privilege: needs root or the CAP_NET_RAW capability. Avoid making the binary setuid.
  • Default snaplen across distros varies — always set -s explicitly for reproducibility.
  • Pcap files balloon. -G TIME -W COUNT rotation is mandatory in production.
  • On encrypted traffic (TLS, WireGuard) you see only ciphertext. Wireshark with an SSLKEYLOGFILE can decrypt TLS; tcpdump itself cannot.
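The snaplen pitfall above (and the -s discussion under performance) is easy to verify after the fact, because the snaplen a capture was taken with is recorded in the 24-byte libpcap global header of every pcap file. The script below is an added example, not part of the original post or of tcpdump; it reads that header with od, handles both byte orders and both the microsecond and nanosecond magics, and flags a file whose recorded snaplen does not match the -s value you intended. The demo files are constructed headers only (no packets), written the way a little-endian libpcap writer would, and pcapng files (Wireshark's default) are deliberately reported as "not a pcap".

```shell
#!/bin/sh
# Added example: confirm the snaplen a pcap was actually written with.
# libpcap global header, 24 bytes: magic(4) ver(2+2) thiszone(4) sigfigs(4)
# snaplen(4) linktype(4). Snaplen therefore sits at byte offsets 16..19.

# pcap_snaplen FILE -> prints the recorded snaplen; exit 2 if not a pcap.
pcap_snaplen() {
  set -- $(od -An -tx1 -N24 "$1")
  [ $# -eq 24 ] || { echo "header too short" >&2; return 2; }
  case "$1$2$3$4" in
    d4c3b2a1|4d3cb2a1) order=le ;;   # little-endian writer, usec / nsec stamps
    a1b2c3d4|a1b23c4d) order=be ;;   # big-endian writer
    *) echo "not a pcap file (magic $1$2$3$4)" >&2; return 2 ;;
  esac
  # Byte offsets 16..19 are positional parameters 17..20.
  if [ "$order" = le ]; then
    echo $(( 0x${17} | (0x${18} << 8) | (0x${19} << 16) | (0x${20} << 24) ))
  else
    echo $(( 0x${20} | (0x${19} << 8) | (0x${18} << 16) | (0x${17} << 24) ))
  fi
}

# check_snaplen FILE EXPECTED -> 0 on match, 1 on mismatch, 2 if unreadable.
check_snaplen() {
  actual=$(pcap_snaplen "$1") || return 2
  [ "$actual" -eq "$2" ] && return 0
  echo "$1: snaplen is $actual, expected $2 (not captured with -s $2)" >&2
  return 1
}

# le32 N -> emit N as four little-endian bytes (helper for the demo files).
le32() {
  v=$1
  i=0
  while [ "$i" -lt 4 ]; do
    printf "\\$(printf '%03o' $(( v & 255 )))"
    v=$(( v >> 8 ))
    i=$(( i + 1 ))
  done
}

# write_pcap_header FILE SNAPLEN -> constructed header only, as a little-endian
# libpcap writer with LINKTYPE_ETHERNET (1) would produce; no packet records.
write_pcap_header() {
  {
    le32 $(( 0xa1b2c3d4 ))      # magic, microsecond timestamps
    printf '\002\000\004\000'   # version 2.4
    le32 0                      # thiszone
    le32 0                      # sigfigs
    le32 "$2"                   # snaplen
    le32 1                      # linktype
  } > "$1"
}

# Constructed demo: one file "captured" with -s 96, one at a 262144-byte default.
demo=$(mktemp -d)
write_pcap_header "$demo/headers.pcap" 96
write_pcap_header "$demo/default.pcap" 262144
check_snaplen "$demo/headers.pcap" 96 && echo "headers.pcap: snaplen ok"
check_snaplen "$demo/default.pcap" 96 || echo "default.pcap: flagged for review"
```

Run check_snaplen over every rotated file from a -G/-W job before shipping them to the analysis host; a single file with the wrong snaplen usually means someone ran the capture from a different box or distro without the explicit -s.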

Modern alternatives in 2026

The ecosystem moves fast. These are tools you should at least be aware of:

  • tshark — Wireshark CLI; richer dissection, slower.
  • ngrep — grep over network traffic.
  • termshark — TUI Wireshark.

India context and engagement notes

tcpdump is the universal network capture tool — present on every Linux box, every router, every IoT device with a shell. For DPDP breach forensics, grab pcaps from the firewall first (logs are derived; pcap is primary).


⚖️ Legal: Use only on systems you own or have explicit written authorisation to test. In India, unauthorised access is punishable under Section 66 of the IT Act, 2000 (up to 3 years imprisonment + fine). Pair every engagement with a signed Statement of Work or Rules of Engagement before running anything from this page.
