tcpdump Commands
Packet capture and analysis tool for TLS debugging, certificate inspection, and network troubleshooting
Basic Packet Capture

Capture all traffic on default interface
    sudo tcpdump
Captures all packets on the default network interface. Requires root/sudo privileges.

Capture on specific interface
    sudo tcpdump -i eth0
Capture packets on a specific network interface. Use -i any to capture on all interfaces.

Capture specific number of packets
    sudo tcpdump -c 100
Capture 100 packets and then stop. Useful for quick samples without manual interruption.

Save capture to file
    sudo tcpdump -w capture.pcap
Save packets to a file for later analysis with tcpdump or Wireshark. PCAP format is standard.

Read from capture file
    tcpdump -r capture.pcap
Analyze previously captured packets. Reading files does not require root privileges.

Rotating capture files by time
    sudo tcpdump -i any port 443 -w tls_%Y%m%d_%H%M%S.pcap -G 3600 -W 24
Rotate capture files every hour (-G 3600) and keep at most 24 files (-W 24). The filename supports strftime format specifiers. Essential for long-running production captures. Note that combined with -G, -W caps the number of files written and tcpdump exits once that cap is reached; only combined with -C does -W wrap around and overwrite the oldest file.

Rotating capture files by size
    sudo tcpdump -i any port 443 -w tls_capture.pcap -C 100 -W 10
Rotate files at 100 MB each (-C 100) and keep at most 10 files (-W 10), overwriting the oldest once the limit is reached. Files are named tls_capture.pcap0, tls_capture.pcap1, etc.
HTTPS and TLS Traffic

Capture HTTPS traffic (port 443)
    sudo tcpdump -i any port 443
Capture all HTTPS traffic on port 443. Essential for debugging TLS connections and certificate issues.

Capture all common TLS ports
    sudo tcpdump -i any 'port 443 or port 465 or port 636 or port 993 or port 995 or port 8443'
Capture traffic across common TLS-enabled ports: HTTPS (443), SMTPS (465), LDAPS (636), IMAPS (993), POP3S (995), and alternate HTTPS (8443).

Capture TLS handshake with hex dump
    sudo tcpdump -i any port 443 -X
Show packet contents in hex and ASCII. Useful for examining TLS handshake messages and certificate data in raw form.

Filter for TLS handshake records
    sudo tcpdump -i any 'tcp port 443 and (tcp[((tcp[12:1] & 0xf0) >> 2):1] = 0x16)'
BPF filter matching the TLS handshake record type (0x16) at the start of the TCP payload. The expression tcp[12:1] & 0xf0 >> 2 computes the TCP header length from the data-offset field, so the filter works whether or not TCP options are present. Captures Client Hello, Server Hello, Certificate, and other handshake messages. It only matches segments whose first payload byte is a record header; a handshake message continued in a later segment is not matched.

Filter for TLS Client Hello specifically
    sudo tcpdump -i any 'tcp port 443 and (tcp[((tcp[12:1] & 0xf0) >> 2):1] = 0x16) and (tcp[((tcp[12:1] & 0xf0) >> 2)+5:1] = 0x01)'
Matches only TLS Client Hello messages (handshake type 0x01 at offset 5 of the payload, immediately after the 5-byte record header of a record of type 0x16). Filters out Server Hello and other handshake messages.

Filter for TLS alert records
    sudo tcpdump -i any 'tcp port 443 and (tcp[((tcp[12:1] & 0xf0) >> 2):1] = 0x15)'
Capture TLS alert records (type 0x15) that indicate errors such as certificate_expired, unknown_ca, handshake_failure, or bad_certificate. Critical for diagnosing TLS failures.

Capture STARTTLS traffic
    sudo tcpdump -i any 'port 25 or port 587 or port 143 or port 110' -w starttls.pcap -s 0
Capture traffic on STARTTLS-capable ports: SMTP (25), SMTP submission (587), IMAP (143), POP3 (110). These connections begin unencrypted and then upgrade to TLS.

Capture traffic to specific host
    sudo tcpdump -i any host example.com and port 443
Capture HTTPS traffic to a specific domain. Useful for isolating connection issues to a particular server. The hostname is resolved once, when the filter is compiled, so a name that maps to many addresses (a CDN, or round-robin DNS) may only be matched for the addresses returned at that moment; filter on the IP addresses directly if that matters.

Capture with verbose output and timestamps
    sudo tcpdump -i any port 443 -vvv -tttt
Triple verbose (-vvv) with full timestamps (-tttt). Shows detailed protocol information and timing.
DNS Traffic

Capture DNS queries and responses
    sudo tcpdump -i any port 53
Capture DNS traffic on port 53. Shows the domain lookups that precede connection setup and certificate validation.

Capture DNS with query details
    sudo tcpdump -i any port 53 -vv
Verbose DNS output showing query types, response codes, and record details.

Capture DNS queries only (no responses)
    sudo tcpdump -i any 'udp port 53 and udp[10] & 0x80 = 0'
Filter for DNS queries only by checking the QR bit (the high bit of the third DNS header byte, which is byte 10 of the UDP datagram). Useful for monitoring lookup patterns. DNS carried over TCP is not matched by this udp filter.

Capture DNS-over-TLS traffic
    sudo tcpdump -i any port 853 -w dot_traffic.pcap
Capture DNS-over-TLS (DoT) traffic on port 853. Useful for verifying encrypted DNS resolver connectivity and certificate validation.
Filtering by Host and Network

Capture traffic from specific IP
    sudo tcpdump -i any src 192.168.1.100
Capture packets originating from a specific IP address. Use dst for destination filtering.

Capture traffic between two hosts
    sudo tcpdump -i any host 192.168.1.100 and host 192.168.1.200
Capture bidirectional traffic between two specific hosts. Useful for client-server debugging.

Capture traffic from network range
    sudo tcpdump -i any net 192.168.1.0/24
Capture traffic to or from an entire subnet using CIDR notation. Monitor traffic patterns across a network segment.

Exclude traffic from specific host
    sudo tcpdump -i any not host 192.168.1.1
Exclude packets to or from a specific IP. Useful for filtering out gateway or monitoring system traffic.
Protocol and Port Filtering

Capture TCP traffic only
    sudo tcpdump -i any tcp
Filter for the TCP protocol only. Most HTTPS and application traffic uses TCP.

Capture multiple ports
    sudo tcpdump -i any 'port 80 or port 443'
Capture both HTTP and HTTPS traffic. Use quotes for complex expressions.

Capture port range
    sudo tcpdump -i any portrange 8000-9000
Capture traffic on a range of ports. Useful for monitoring multiple services or dynamic port allocations.

Capture TCP SYN packets (connection attempts)
    sudo tcpdump -i any 'tcp[tcpflags] & tcp-syn != 0'
Show new connection attempts. Useful for monitoring connection patterns and potential attacks.

Capture TCP RST packets (connection resets)
    sudo tcpdump -i any 'tcp[tcpflags] & tcp-rst != 0' and port 443
Show connection resets on the HTTPS port. Indicates rejected connections, often due to TLS handshake failures or firewall rules.
Output Formatting and Display

Do not resolve hostnames
    sudo tcpdump -i any -n port 443
Show IP addresses instead of hostnames. Faster, and prevents DNS lookup delays in output.

Do not resolve ports and protocols
    sudo tcpdump -i any -nn port 443
Show port numbers instead of service names. -nn also implies -n, so neither hosts nor ports are resolved, for maximum performance.

Show packet contents in hex and ASCII
    sudo tcpdump -i any port 443 -XX
Show the full packet including link-layer headers in hex and ASCII. Use -X to exclude the link-layer headers.

Show ASCII only
    sudo tcpdump -i any port 80 -A
Show packet data in ASCII only. Useful for reading HTTP headers and plaintext content.

Increase snapshot length
    sudo tcpdump -i any port 443 -s 0
Capture the full packet (snaplen 0 = the maximum). The default in current tcpdump is 262144 bytes, which is already enough for full packets, but older versions defaulted to only 68 or 96 bytes and truncated TLS certificate chains; -s 0 is the portable way to make sure nothing is cut off.

Show absolute sequence numbers
    sudo tcpdump -i any port 443 -S
Print absolute TCP sequence numbers instead of relative ones. Helpful when correlating with other capture tools.
TLS Debugging Scenarios

Capture complete TLS handshake
    sudo tcpdump -i any port 443 -w tls_handshake.pcap -s 0
Capture the full handshake to a file for detailed analysis with Wireshark or tshark. Shows the certificate exchange, cipher negotiation, and TLS version.

Monitor certificate-related traffic
    sudo tcpdump -i any 'port 80 or port 443 or port 8080' -w cert_traffic.pcap
Capture HTTP, HTTPS, and alternate ports. Monitor ACME challenges and certificate validation traffic.

Debug SNI (Server Name Indication)
    # Capture handshakes and look for the hostname in ASCII output
    sudo tcpdump -i any port 443 -l -A -s 0 -c 20 | grep -B 2 "example.com"
    # For reliable SNI decoding, capture to file and use tshark:
    sudo tcpdump -i any port 443 -w sni_debug.pcap -s 0 -c 50
The SNI hostname appears as readable ASCII within the Client Hello extension (-l makes tcpdump line-buffer its output so grep sees matches immediately). For structured analysis, save to pcap and decode with tshark or Wireshark.
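As an added example (not code from the original page), the decoder below applies the same byte arithmetic as the handshake, Client Hello and alert BPF filters above (TCP data offset, record type 0x16/0x15, handshake type at payload offset 5) and then walks a Client Hello to its server_name extension, which is the structured SNI decode the entry above defers to tshark. The TCP header and Client Hello it runs on are constructed inline, not captured, and the alert-code table covers only the alerts this page names.

```python
import struct
ALERTS = {40: "handshake_failure", 42: "bad_certificate",   # RFC 5246 alert codes named on the page
          45: "certificate_expired", 48: "unknown_ca"}

def tcp_payload(segment: bytes) -> bytes:
    # Same arithmetic as the BPF term tcp[((tcp[12:1] & 0xf0) >> 2):1]: the
    # data-offset nibble * 4 is the TCP header length, so options are skipped.
    return segment[(segment[12] & 0xF0) >> 2:]
def classify(payload: bytes) -> str:
    # 0x16 = handshake (Client Hello when byte 5 == 0x01); 0x15 = alert (level at 5, description at 6).
    if len(payload) < 7: return "too-short"
    if payload[0] == 0x16:
        return "client_hello" if payload[5] == 0x01 else "handshake"
    if payload[0] == 0x15:
        level = "fatal" if payload[5] == 2 else "warning"
        return f"alert:{level}:{ALERTS.get(payload[6], str(payload[6]))}"
    return "other"
def extract_sni(payload: bytes):
    # Walk the Client Hello fields to the server_name extension (type 0).
    if classify(payload) != "client_hello":
        return None
    p = 5 + 4 + 2 + 32                                  # record+handshake headers, version, random
    p += 1 + payload[p]                                 # session_id
    p += 2 + struct.unpack("!H", payload[p:p + 2])[0]   # cipher_suites
    p += 1 + payload[p]                                 # compression_methods
    p, end = p + 2, p + 2 + struct.unpack("!H", payload[p:p + 2])[0]   # extensions block
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", payload[p:p + 4])
        data = payload[p + 4:p + 4 + elen]
        if etype == 0:   # list_len(2) name_type(1) name_len(2) host_name
            return data[5:5 + struct.unpack("!H", data[3:5])[0]].decode("ascii")
        p += 4 + elen
    return None
def build_client_hello(host: bytes) -> bytes:
    # Constructed minimal TLS 1.2 Client Hello with only an SNI extension (not a real capture).
    name = b"\x00" + struct.pack("!H", len(host)) + host
    ext = b"\x00\x00" + struct.pack("!HH", len(name) + 2, len(name)) + name
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack("!H", len(ext)) + ext)   # version, random, sid, suite, compression
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
def tcp_segment(payload: bytes, data_offset: int = 5) -> bytes:
    # Constructed TCP header to port 443; data_offset > 5 pads in zeroed options.
    hdr = struct.pack("!HHIIBBHHH", 51234, 443, 1, 1, data_offset << 4, 0x18, 65535, 0, 0)
    return hdr + bytes(4 * (data_offset - 5)) + payload

def demo():
    hello = tcp_payload(tcp_segment(build_client_hello(b"example.com"), data_offset=8))
    alert = tcp_payload(tcp_segment(b"\x15\x03\x03\x00\x02\x02\x2d"))
    return classify(hello), extract_sni(hello), classify(alert)
```

Running demo() on the constructed segments (one with a 32-byte TCP header to show the offset arithmetic matters) returns the Client Hello classification, the SNI "example.com", and a fatal certificate_expired alert.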
Capture OCSP traffic
    sudo tcpdump -i any port 80 -s 0 -w ocsp.pcap
Capture OCSP requests and responses (typically sent over HTTP on port 80). Monitor certificate revocation checking and OCSP stapling. (-A has no effect when writing to a file with -w; use it when printing to the terminal instead.)

Capture CRL download traffic
    sudo tcpdump -i any port 80 -l -A -s 0 | grep -i "\.crl"
Monitor Certificate Revocation List downloads. CRL files are fetched over HTTP and the URL path typically ends in .crl.

Monitor mutual TLS (mTLS) traffic
    # Capture full handshake - mTLS includes CertificateRequest and client Certificate
    sudo tcpdump -i any port 443 -w mtls_debug.pcap -s 0 -c 200
Capture mTLS handshakes where both client and server present certificates. Analyze the pcap with tshark or Wireshark to verify the CertificateRequest and client Certificate messages.
Advanced BPF Filtering

Combine multiple conditions with AND
    sudo tcpdump -i any host example.com and port 443 and tcp
Use AND to require all conditions. Precise filtering for specific scenarios.

Combine conditions with OR
    sudo tcpdump -i any '(host example.com or host test.com) and port 443'
Use OR for alternative conditions. Quotes are required for complex expressions with parentheses.

Filter by packet size
    sudo tcpdump -i any 'greater 1000 and port 443'
Capture large HTTPS packets (over 1000 bytes). TLS Certificate messages carrying the full chain are typically large. Use less for small packets.

Apply BPF filter when reading pcap files
    tcpdump -r capture.pcap 'tcp port 443 and (tcp[((tcp[12:1] & 0xf0) >> 2):1] = 0x16)'
Apply BPF filters when reading pcap files. Isolate TLS handshake packets from a larger capture for focused analysis.

Capture IPv6 HTTPS traffic
    sudo tcpdump -i any ip6 and port 443
Filter for IPv6 HTTPS packets. Important for dual-stack environments where certificate issues may differ by protocol family.

Exclude SSH traffic during remote capture
    sudo tcpdump -i any port 443 and not port 22
Exclude your SSH session when running tcpdump on a remote server. Prevents capturing your own management traffic.
Practical Examples

Debug certificate validation failure
    # Capture TLS handshake with full packets
    sudo tcpdump -i any host api.example.com and port 443 -w tls_debug.pcap -s 0
    # Analyze: look for TLS alerts or incomplete handshakes
    tcpdump -r tls_debug.pcap -XX | less
Capture the complete handshake to identify certificate chain issues, missing intermediates, or cipher mismatches. TLS alert records (type 0x15) indicate the specific failure reason.

Monitor Let's Encrypt ACME challenges
    sudo tcpdump -i any 'port 80 or port 443' -l -A -s 0 | grep -E "(acme|well-known|letsencrypt)"
Debug certbot or ACME client issues by filtering for ACME-related URLs in HTTP traffic. Only the plaintext port 80 traffic is readable this way; the port 443 side is encrypted.

Analyze connection timing issues
    sudo tcpdump -i any port 443 -tttt -nn
Full timestamps with numeric addresses help identify latency in the TCP handshake and TLS negotiation phases.

Capture only packet headers for high-traffic servers
    sudo tcpdump -i any port 443 -s 128 -w headers_only.pcap
Capture only the first 128 bytes of each packet to reduce file size on busy servers. Enough to see TCP/TLS record headers but not full certificate data.
Important Notes
Requires Root Privileges
Packet capture requires root/sudo on most systems. Reading PCAP files does not require elevated privileges.
TLS Encryption
tcpdump shows encrypted TLS application data as raw bytes. You can see handshake metadata (SNI, cipher suites, certificate subjects in the Certificate message) but not encrypted payloads. For full decryption, use Wireshark with SSLKEYLOGFILE or server private keys.
Performance Impact
Packet capture consumes CPU and memory. Use targeted BPF filters and -s (snaplen) to minimize overhead on production systems. Writing to disk with -w is more efficient than printing to terminal.
Privacy and Legal
Packet captures may contain sensitive data. Ensure proper authorization before capturing traffic, especially on shared networks.
Use with Wireshark or tshark
For TLS analysis, save captures to PCAP files (-w) and open in Wireshark for GUI-based inspection or use tshark for command-line protocol decoding with structured output of certificate details, cipher suites, and handshake messages.
Buffer Size
Use -B option to increase the kernel buffer size (in KiB) for high-traffic environments to prevent packet loss during capture.