How to Use tcpdump for Network Traffic Analysis on Debian 12 Bookworm

Learn how to use tcpdump for network traffic analysis on a Debian 12 Bookworm system.

Introduction

Network traffic analysis is a critical skill for system administrators, cybersecurity professionals, and network engineers. It helps diagnose network issues, identify security threats, and optimize performance. One of the most powerful and widely used command-line tools for this purpose is tcpdump.

This article will provide a comprehensive guide on how to use tcpdump for network traffic analysis on a Debian 12 Bookworm system. We will cover installation, basic and advanced usage, filtering options, and practical examples.

Installing tcpdump on Debian 12

Before using tcpdump, you need to ensure that it is installed on your Debian 12 system. To install tcpdump, run the following command:

sudo apt update && sudo apt install tcpdump -y

After the installation, verify that tcpdump is installed correctly by checking its version:

tcpdump --version

This should output version details confirming the successful installation.

Understanding the Basics of tcpdump

The tcpdump command captures packets that are transmitted or received over a network interface. Running tcpdump without any arguments captures packets on the default network interface.

sudo tcpdump

Press Ctrl + C to stop packet capture.

To specify a network interface, use:

sudo tcpdump -i eth0

Replace eth0 with the appropriate interface name (you can list interfaces using ip link show).

To view available network interfaces that tcpdump can capture traffic from, run:

sudo tcpdump -D

Capturing and Saving Network Traffic

Sometimes, you may want to save captured traffic for later analysis. You can achieve this using the -w flag:

sudo tcpdump -i eth0 -w capture.pcap

This stores packets in a file (capture.pcap). You can later analyze the file using tcpdump or a tool like Wireshark:

sudo tcpdump -r capture.pcap

Filtering Traffic with tcpdump

By default, tcpdump captures all packets, which can be overwhelming. You can filter traffic using expressions to focus on specific hosts, protocols, or ports.

Filtering by Host

To capture traffic to or from a specific IP address:

sudo tcpdump -i eth0 host 192.168.1.100

Filtering by Source or Destination

  • Capture packets from a specific source:

    sudo tcpdump -i eth0 src 192.168.1.100

  • Capture packets going to a specific destination:

    sudo tcpdump -i eth0 dst 192.168.1.100

Filtering by Port

To capture traffic on a specific port, such as SSH (port 22):

sudo tcpdump -i eth0 port 22

Filtering by Protocol

Capture only TCP packets:

sudo tcpdump -i eth0 tcp

Capture only UDP packets:

sudo tcpdump -i eth0 udp

Capture only ICMP (ping) packets:

sudo tcpdump -i eth0 icmp

Combining Filters

You can combine multiple filters using logical operators:

  • Capture HTTP traffic from a specific host:

    sudo tcpdump -i eth0 host 192.168.1.100 and port 80

  • Capture packets between two hosts:

    sudo tcpdump -i eth0 host 192.168.1.100 and host 192.168.1.200

  • Capture packets excluding a specific host:

    sudo tcpdump -i eth0 not host 192.168.1.100

Displaying Packet Contents

By default, tcpdump displays basic packet information. To see packet contents in readable form:

sudo tcpdump -i eth0 -A

For a hexadecimal and ASCII representation:

sudo tcpdump -i eth0 -X

To also include the link-level (Ethernet) header in the hex dump:

sudo tcpdump -i eth0 -XX

Analyzing Specific Traffic Patterns

Capturing DNS Queries

DNS traffic is an essential part of network analysis. To capture DNS queries:

sudo tcpdump -i eth0 port 53

To filter only DNS queries (excluding responses), test the QR bit of the DNS header. It sits at byte 10 of the UDP payload: 8 bytes of UDP header plus 2 bytes of DNS transaction ID. Quote the expression so the shell does not interpret & as a background operator:

sudo tcpdump -i eth0 'port 53 and udp[10] & 0x80 = 0'
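To see what the file written by -w and the udp[10] & 0x80 test actually operate on, here is an added Python example (not part of this article) that parses a classic pcap file and applies the same DNS-query filter offline; the capture bytes are constructed inline rather than recorded from an interface.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap, microsecond timestamps

def read_pcap(data):
    """Yield the captured frames from bytes of a pcap written by tcpdump -w."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap file")
    off = 24                                   # 24-byte global header
    while off + 16 <= len(data):               # 16-byte per-packet header
        incl_len = struct.unpack_from("<IIII", data, off)[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def is_dns_query(frame):
    """Same test as the tcpdump filter 'port 53 and udp[10] & 0x80 = 0'."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType IPv4 only
        return False
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 17:                                    # IP protocol 17 = UDP
        return False
    udp = frame[14 + ihl:]                                 # udp[0] in BPF terms
    if len(udp) < 12 or 53 not in struct.unpack_from(">HH", udp, 0):
        return False
    return udp[10] & 0x80 == 0     # udp[8..] is DNS; byte 2 holds the QR bit

def build_dns_frame(dns_flags_hi, sport, dport):
    """Constructed sample frame: Ethernet / IPv4 / UDP / 12-byte DNS header."""
    dns = struct.pack(">HBBHHHH", 0x1234, dns_flags_hi, 0, 1, 0, 0, 0)
    udp = struct.pack(">HHHH", sport, dport, 8 + len(dns), 0) + dns
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([192, 168, 1, 100]), bytes([192, 168, 1, 1])) + udp
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip

def build_pcap(frames):
    """Serialise frames in the file layout tcpdump -w produces (zero timestamps)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

def count_dns_queries(pcap_bytes):
    """Return (total frames, frames the DNS-query filter would keep)."""
    frames = list(read_pcap(pcap_bytes))
    return len(frames), sum(is_dns_query(f) for f in frames)

SAMPLE_PCAP = build_pcap([build_dns_frame(0x01, 40000, 53),    # constructed query, QR=0
                          build_dns_frame(0x81, 53, 40000),    # constructed response, QR=1
                          build_dns_frame(0x01, 40001, 53)])   # second constructed query
```

Calling count_dns_queries(SAMPLE_PCAP) returns (3, 2): three frames in the file, two of which the query filter keeps.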

Capturing HTTP and HTTPS Traffic

To capture HTTP traffic:

sudo tcpdump -i eth0 port 80

For HTTPS (encrypted traffic):

sudo tcpdump -i eth0 port 443

Monitoring SSH Traffic

To capture SSH traffic, including login attempts:

sudo tcpdump -i eth0 port 22

Advanced Usage

Capturing a Specific Number of Packets

To capture only a fixed number of packets, use the -c option. For example, to capture 10 packets:

sudo tcpdump -i eth0 -c 10

Capturing Traffic with Timestamps

To print a full date and time for each packet (the default timestamp shows only the time of day):

sudo tcpdump -i eth0 -tttt

Capturing Packets of a Certain Size

To capture packets larger than 1000 bytes:

sudo tcpdump -i eth0 greater 1000

Capturing Packets in Promiscuous Mode

By default, tcpdump puts the interface into promiscuous mode, so it also captures packets that are not addressed to your machine (on a switched network you still only see what the switch forwards to your port). To disable promiscuous mode and capture only packets directed to or from the host, use -p:

sudo tcpdump -i eth0 -p

Conclusion

tcpdump is a powerful and flexible tool for analyzing network traffic in Debian 12 Bookworm. Whether you are debugging network issues, monitoring traffic, or conducting security assessments, tcpdump provides deep insights into packet-level network activity. By mastering filtering options and advanced usage, you can efficiently diagnose and analyze network behavior.

For a more user-friendly alternative, consider using tools like Wireshark to complement tcpdump’s raw packet capture capabilities. Happy network monitoring!