tcpdump Commands

Packet capture and analysis tool for TLS debugging, certificate inspection, and network troubleshooting

Basic Packet Capture

Capture all traffic on default interface

sudo tcpdump

Captures all packets on the default network interface. Requires root/sudo privileges.

Capture on specific interface

sudo tcpdump -i eth0

Capture packets on specific network interface. Use -i any to capture on all interfaces.

Capture specific number of packets

sudo tcpdump -c 100

Capture 100 packets and then stop. Useful for quick samples without manual interruption.

Save capture to file

sudo tcpdump -w capture.pcap

Save packets to file for later analysis with tcpdump or Wireshark. PCAP format is standard.

Read from capture file

tcpdump -r capture.pcap

Analyze previously captured packets. Reading files doesn't require root privileges.

HTTPS and TLS Traffic

Capture HTTPS traffic (port 443)

sudo tcpdump -i any port 443

Capture all HTTPS traffic on port 443. Essential for debugging TLS connections and certificate issues.

Capture TLS handshake with hex dump

sudo tcpdump -i any port 443 -X

Show packet contents in hex and ASCII. Useful for examining TLS handshake messages and certificates.

Capture TLS handshake records (including Client Hello)

sudo tcpdump -i any 'tcp port 443 and (tcp[((tcp[12:1] & 0xf0) >> 2):1] = 0x16)'

Filter for TLS records whose content type byte is 0x16 (handshake). The expression reads the TCP data offset from the high nibble of header byte 12, converts it from 32-bit words to bytes, and tests the first payload byte at that position. It matches every handshake record (Client Hello, Server Hello, Certificate, ...), not only Client Hello; the Client Hello is the one carrying SNI, cipher suites, and extensions.

Capture traffic to specific host

sudo tcpdump -i any host example.com and port 443

Capture HTTPS traffic to specific domain. Useful for isolating connection issues to particular server.

Capture with verbose output and timestamps

sudo tcpdump -i any port 443 -vvv -tttt

Triple verbose (-vvv) with full timestamps (-tttt). Shows detailed protocol information and timing.

DNS Traffic

Capture DNS queries and responses

sudo tcpdump -i any port 53

Capture DNS traffic on port 53. Shows domain lookups before certificate validation.

Capture DNS with query details

sudo tcpdump -i any port 53 -vv

Verbose DNS output showing query types, response codes, and record details.

Capture DNS queries only (no responses)

sudo tcpdump -i any 'udp port 53 and udp[10] & 0x80 = 0'

Filter for DNS queries only by checking the QR bit: udp[10] is byte 2 of the DNS header (after the 8-byte UDP header), and its high bit is QR, which is 0 for queries and 1 for responses. Useful for monitoring lookup patterns.

Filtering by Host and Network

Capture traffic from specific IP

sudo tcpdump -i any src 192.168.1.100

Capture packets originating from specific IP address. Use dst for destination filtering.

Capture traffic between two hosts

sudo tcpdump -i any host 192.168.1.100 and host 192.168.1.200

Capture bidirectional traffic between two specific hosts. Useful for client-server debugging.

Capture traffic from network range

sudo tcpdump -i any net 192.168.1.0/24

Capture traffic from entire subnet using CIDR notation. Monitor traffic patterns across network segment.

Exclude traffic from specific host

sudo tcpdump -i any not host 192.168.1.1

Exclude packets from specific IP. Useful for filtering out gateway or monitoring system traffic.

Protocol and Port Filtering

Capture TCP traffic only

sudo tcpdump -i any tcp

Filter for TCP protocol only. Most HTTPS and application traffic uses TCP.

Capture multiple ports

sudo tcpdump -i any 'port 80 or port 443'

Capture both HTTP and HTTPS traffic. Use quotes for complex expressions.

Capture port range

sudo tcpdump -i any portrange 8000-9000

Capture traffic on range of ports. Useful for monitoring multiple services or dynamic port allocations.

Capture TCP SYN packets (connection attempts)

sudo tcpdump -i any 'tcp[tcpflags] & tcp-syn != 0'

Show new connection attempts. This also matches SYN-ACK replies, since only the SYN bit is tested; test that the ACK bit is clear as well to see only the initial SYN. Useful for monitoring connection patterns and potential attacks.

Output Formatting and Display

Don't resolve hostnames

sudo tcpdump -i any -n port 443

Show IP addresses instead of hostnames. Faster and prevents DNS lookup delays in output.

Don't resolve ports and protocols

sudo tcpdump -i any -nn port 443

Show port numbers instead of service names. -nn implies -n (no hostname resolution either), so it is the fastest option for live output.

Show packet contents in hex and ASCII

sudo tcpdump -i any port 443 -XX

Show the full packet including the link-layer header (on -i any this is the Linux cooked header rather than an Ethernet header). Use -X to omit the link-layer header.

Show ASCII only

sudo tcpdump -i any port 80 -A

Show packet data in ASCII only. Useful for reading HTTP headers and content.

Increase snapshot length

sudo tcpdump -i any port 443 -s 0

Capture full packets (snaplen 0 = unlimited). Current tcpdump releases already default to 262144 bytes, so -s 0 changes nothing there; older releases defaulted to 68 bytes and truncated almost every packet, which is why -s 0 still appears in recipes and is harmless to keep.

TLS Debugging Scenarios

Capture complete TLS handshake

sudo tcpdump -i any port 443 -w tls_handshake.pcap -s 0

Capture full handshake to file for detailed analysis with Wireshark. Shows certificate exchange and cipher negotiation.

Monitor certificate-related traffic

sudo tcpdump -i any 'port 80 or port 443 or port 8080' -w cert_traffic.pcap

Capture HTTP, HTTPS, and alternate ports. Monitor ACME challenges and certificate validation.

Debug SNI (Server Name Indication)

sudo tcpdump -i any -l port 443 -X | grep -i -B 10 -A 2 "example.com"

Show Client Hello messages with the SNI extension. tcpdump does not decode TLS, so the words "Client Hello" never appear in its output; the SNI hostname does appear in clear in the ASCII column of the -X dump, so grep for the hostname you expect the client to send (example.com here). -l line-buffers stdout so matches show up immediately when piped.

Capture OCSP stapling traffic

sudo tcpdump -i any port 80 -w ocsp.pcap

Capture OCSP requests and responses. Monitor certificate revocation checking.

Advanced Filtering

Combine multiple conditions with AND

sudo tcpdump -i any host example.com and port 443 and tcp

Use AND to require all conditions. Precise filtering for specific scenarios.

Combine conditions with OR

sudo tcpdump -i any '(host example.com or host test.com) and port 443'

Use OR for alternative conditions. Quotes required for complex expressions.

Filter by packet size

sudo tcpdump -i any 'greater 1000'

Capture packets whose length is 1000 bytes or more (greater N means length >= N). Use less N for packets of at most N bytes.

Capture IPv6 traffic

sudo tcpdump -i any ip6

Filter for IPv6 packets only. Important for dual-stack environments.

Practical Examples

Debug certificate validation failure

# Capture TLS handshake
sudo tcpdump -i any host api.example.com and port 443 -w tls_debug.pcap -s 0

# Analyze with Wireshark or:
tcpdump -r tls_debug.pcap -XX | less

Capture complete handshake to identify certificate chain issues, missing intermediates, or cipher mismatches.

Monitor Let's Encrypt ACME challenges

sudo tcpdump -i any '(port 80 or port 443) and host acme-v02.api.letsencrypt.org' -w acme.pcap

Debug certbot or ACME client issues by capturing the client's traffic to the ACME API endpoint. Note that HTTP-01 validation requests arrive from Let's Encrypt's validation servers on port 80 of your host, not from the API hostname, so drop the host condition if you need to see those.

Troubleshoot SNI misconfiguration

sudo tcpdump -i any -l port 443 -XX -c 10 | grep -i "example.com"

Verify the SNI extension is sent with the correct hostname in the Client Hello. The extension type is not labelled in the hex dump, so grep for the expected hostname rather than "server name"; start the client after tcpdump so the handshake falls within the first 10 packets.
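The handshake filter above tests the first TCP payload byte for 0x16, and the grep recipes look for the SNI hostname in the Client Hello. The following added example (not part of tcpdump or this page) implements the same byte-offset arithmetic on a constructed TCP segment and walks a constructed Client Hello down to the server_name extension; the builders, hostnames and the single cipher suite are assumptions made for the demonstration.

```python
import struct

TLS_HANDSHAKE, CLIENT_HELLO, EXT_SERVER_NAME = 0x16, 0x01, 0x0000

def tcp_payload_offset(segment):
    # Same arithmetic as the BPF filter: data offset is the high nibble of TCP
    # header byte 12, in 32-bit words; (x & 0xf0) >> 2 converts it to bytes.
    return (segment[12] & 0xF0) >> 2

def is_tls_handshake(segment):
    # tcp[off:1] = 0x16: first payload byte is the TLS handshake content type.
    off = tcp_payload_offset(segment)
    return len(segment) > off and segment[off] == TLS_HANDSHAKE

def client_hello_sni(record):
    # Walk record -> handshake -> ClientHello -> extensions -> server_name (0x0000).
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                           # legacy_version + random
    pos += 1 + body[pos]                                   # session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suites
    pos += 1 + body[pos]                                   # compression methods
    if pos + 2 > len(body):
        return None                                        # no extensions at all
    pos, end = pos + 2, pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data, pos = body[pos + 4:pos + 4 + elen], pos + 4 + elen
        if etype == EXT_SERVER_NAME and len(data) >= 5:
            # ServerNameList: list_len(2) name_type(1) name_len(2) host_name
            return data[5:5 + struct.unpack("!H", data[3:5])[0]].decode("ascii", "replace")
    return None

def build_client_hello(hostname):
    # Constructed minimal ClientHello (not a real capture): one suite, SNI only.
    name = hostname.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    exts = struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack("!H", len(exts)) + exts)
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def build_segment(payload, header_words=5):
    # Constructed TCP header: all zero except the data-offset nibble in byte 12.
    hdr = bytearray(header_words * 4)
    hdr[12] = header_words << 4
    return bytes(hdr) + payload
```

Passing header_words=8 simulates a header with TCP options, which is exactly the case where a fixed offset of 20 would read the wrong byte and the data-offset arithmetic in the filter matters.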

Analyze connection timing issues

sudo tcpdump -i any port 443 -tttt -vvv

Full timestamps help identify latency issues in TLS handshake or network delays.

Important Notes

Requires Root Privileges

Packet capture requires root/sudo on most systems. Reading PCAP files doesn't require elevated privileges.

TLS Encryption

tcpdump shows TLS application data only in encrypted form. To decrypt a capture you need either the server's private key (which only works for RSA key exchange, not for forward-secret ECDHE suites or TLS 1.3) or the session secrets exported by the client via SSLKEYLOGFILE, loaded into Wireshark.

Performance Impact

Packet capture consumes CPU and memory. Use filters to minimize overhead on production systems.

Privacy and Legal

Packet captures may contain sensitive data. Ensure proper authorization before capturing traffic, especially on shared networks.

Use with Wireshark

For complex analysis, save captures to PCAP files and open in Wireshark for GUI-based packet inspection and filtering.

Buffer Size

Use the -B option (buffer size in KiB) to increase the kernel capture buffer in high-traffic environments and prevent packet loss during capture; tcpdump reports dropped packets on exit.