tcpdump is the standard command-line packet analyzer for Linux servers — the tool you reach for when curl, ping, and application logs can't tell you whether traffic is even reaching the box. On CentOS it has been a single yum/dnf command for years, but in 2026 both CentOS 7 and CentOS 8 are past end-of-life and their default repositories no longer mirror upstream content. Installing tcpdump (or anything else) on a vanilla CentOS 7/8 box today usually requires pointing the package manager at the CentOS Vault first.
This guide covers the install for both versions, including the repo fixes you will hit on a long-running box, the SELinux / firewalld interactions that occasionally trip people up, and a quick smoke-test capture to prove it works. For the broader usage of tcpdump — filters, recipes, reading captures — see How to install and use tcpdump.
EOL note. CentOS 8 reached EOL on 2021-12-31, and CentOS 7 reached EOL on 2024-06-30. Both are still in production in many environments, but neither receives security updates anymore. For new installs in 2026, AlmaLinux or Rocky Linux are the maintained drop-in replacements — tcpdump installs the same way (dnf install tcpdump). If you can migrate, do.
CentOS 8 — install tcpdump
CentOS 8 uses dnf as the package manager.
1. Fix the repositories (one-time)
A fresh dnf install on a CentOS 8 box today usually fails with errors like:
Errors during downloading metadata for repository 'appstream':
- Status code: 404 for http://mirror.centos.org/centos/8/AppStream/x86_64/os/repodata/repomd.xml
Error: Failed to download metadata for repo 'appstream'
That is because mirror.centos.org no longer serves CentOS 8. The content lives at vault.centos.org. Repoint the existing repo files:
sudo sed -i 's|mirrorlist=|#mirrorlist=|g' /etc/yum.repos.d/CentOS-*.repo
sudo sed -i 's|#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|g' \
/etc/yum.repos.d/CentOS-*.repo
Confirm metadata downloads cleanly:
sudo dnf clean all
sudo dnf makecache
You only need to do this once per host.
2. Install
sudo dnf install -y tcpdump
3. Verify
tcpdump --version
You should see the tcpdump and libpcap versions printed, for example:
tcpdump version 4.9.3
libpcap version 1.9.1
CentOS 7 — install tcpdump
CentOS 7 uses yum (which is dnf under the hood on RHEL 8+, but on CentOS 7 it's the original yum).
1. Fix the repositories (one-time)
CentOS 7 reached EOL on 2024-06-30 and the mirror.centos.org mirrors for the 7 tree have since been moved to vault.centos.org. The same sed swap as for CentOS 8 applies:
sudo sed -i 's|mirrorlist=|#mirrorlist=|g' /etc/yum.repos.d/CentOS-*.repo
sudo sed -i 's|#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|g' \
/etc/yum.repos.d/CentOS-*.repo
sudo yum clean all
sudo yum makecache
If you have third-party repos (EPEL, Remi, IUS) some of those have also moved or been archived — tcpdump itself is in the base repo, so it does not need EPEL.
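The repository fix from the CentOS 8 and CentOS 7 sections, wrapped with a backup and a post-check, as an added example that is not part of the original guide. The function names, the .pre-vault backup suffix and the sample file are assumptions made for this example, and the mirrorlist substitution is anchored with ^ so that a second run does not stack comment markers.

```bash
#!/bin/sh
# Added example (not from the original guide). Applies the guide's two sed
# edits to ONE repo file, with a backup and a post-check.

# Constructed sample in the layout of a stock CentOS 7 CentOS-Base.repo.
make_sample_repo() {
    cat > "$1" <<'EOF'
[base]
name=CentOS-$releasever - Base
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
#baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
EOF
}

# Returns 0 when the file ends up vault-only with signature checking on.
repoint_repo_file() {
    repo_file=$1
    [ -f "$repo_file" ] || { echo "missing: $repo_file" >&2; return 2; }
    # Keep the original once; a re-run must not overwrite it with edited content.
    [ -f "$repo_file.pre-vault" ] || cp -p "$repo_file" "$repo_file.pre-vault"
    # '^' is added here so a second run does not produce '##mirrorlist='.
    sed -i 's|^mirrorlist=|#mirrorlist=|' "$repo_file"
    sed -i 's|#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|g' "$repo_file"
    # Post-check 1: no active mirrorlist may remain.
    if grep -q '^mirrorlist=' "$repo_file"; then
        echo "$repo_file: active mirrorlist left" >&2; return 1
    fi
    # Post-check 2: at least one active baseurl, and all of them on the vault.
    grep -q '^baseurl=' "$repo_file" || { echo "$repo_file: no baseurl" >&2; return 1; }
    if grep '^baseurl=' "$repo_file" | grep -qv '^baseurl=http://vault\.centos\.org/'; then
        echo "$repo_file: baseurl not on vault" >&2; return 1
    fi
    # Post-check 3: the vault URL is plain http, so package integrity rests on
    # RPM signature checks. Refuse a file that has them switched off.
    if grep -q '^gpgcheck=0' "$repo_file"; then
        echo "$repo_file: gpgcheck=0" >&2; return 3
    fi
    return 0
}

# Demo on the constructed sample, never on /etc/yum.repos.d directly.
demo_dir=$(mktemp -d)
make_sample_repo "$demo_dir/CentOS-Base.repo"
repoint_repo_file "$demo_dir/CentOS-Base.repo" &&
    grep -E '^#?(mirrorlist|baseurl)=' "$demo_dir/CentOS-Base.repo"
rm -rf "$demo_dir"
```

On a real host, call repoint_repo_file once per file matched by /etc/yum.repos.d/CentOS-*.repo, then refresh the metadata as shown above.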
2. Install
sudo yum install -y tcpdump
3. Verify
tcpdump --version
which tcpdump
# /usr/sbin/tcpdump
If the binary is in /usr/sbin and your shell can't find it as a non-root user, add /usr/sbin to your PATH or just run it with sudo (which you'll need anyway for live capture).
A 10-second smoke test
tcpdump is installed correctly if you can list interfaces and capture a few packets:
# List interfaces
sudo tcpdump -D
# Capture 5 packets on the primary interface (replace eth0 as needed)
sudo tcpdump -i eth0 -nn -c 5
You should see five decoded packets and a "X packets captured" summary. If you see nothing on a server that you know is receiving traffic, you are probably on the wrong interface — -i any captures on all interfaces:
sudo tcpdump -i any -nn -c 5
Permissions
Packet capture needs raw socket access, which means root (or sudo). For convenience, you can grant the binary the necessary capability so a non-root user can capture without sudo:
sudo setcap cap_net_raw,cap_net_admin=eip $(which tcpdump)
# Verify
getcap $(which tcpdump)
# /usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip
This is convenient on a developer box but a small attack-surface expansion on a production server — anyone in the local users list can now capture all traffic. Make a deliberate choice.
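One way to make that choice checkable, as an added example that is not part of the original guide: classify who can actually run a capability-bearing tcpdump, and restrict it to a single group instead of every local user. The function names and the pcapusers group are assumptions made for this example.

```bash
#!/bin/sh
# Added example (not from the original guide): who can use a tcpdump binary
# that carries file capabilities, and a group-restricted alternative.

# classify_capture_exposure MODE CAPS
#   MODE  octal permissions as printed by `stat -c %a` (e.g. 755)
#   CAPS  the line printed by `getcap` for the binary (empty if none)
# Any cap_net_raw entry is treated as a capture grant (conservative).
classify_capture_exposure() {
    perm=$1
    case "$2" in
        *cap_net_raw*) ;;
        *) echo "root-only"; return 0 ;;
    esac
    other=${perm#"${perm%?}"}            # last octal digit: everyone else
    rest=${perm%?}
    group=${rest#"${rest%?}"}            # second-to-last digit: group
    if [ $((other & 1)) -eq 1 ]; then
        echo "all-local-users"           # world-executable + capability
    elif [ $((group & 1)) -eq 1 ]; then
        echo "group-members"
    else
        echo "owner-only"
    fi
}

# Audit a real binary (needs stat and getcap on the host).
audit_capture_binary() {
    bin=${1:-/usr/sbin/tcpdump}
    bin_mode=$(stat -c %a "$bin") || return 2
    classify_capture_exposure "$bin_mode" "$(getcap "$bin" 2>/dev/null)"
}

# Limit capture to one group instead of every local user. Run as root.
# "pcapusers" is a hypothetical group name chosen for this example.
# setcap goes last: changing a file's owner or group clears its capabilities.
restrict_capture_to_group() {
    bin=$1; grp=${2:-pcapusers}
    groupadd -f "$grp" &&
        chgrp "$grp" "$bin" &&
        chmod 750 "$bin" &&
        setcap cap_net_raw,cap_net_admin=eip "$bin"
}

# Constructed inputs matching the setcap/getcap output shown above.
classify_capture_exposure 755 "/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip"
classify_capture_exposure 750 "/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip"
```

A package update replaces the binary and with it the mode, group and capabilities, so re-run audit_capture_binary after updating tcpdump.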
SELinux notes
CentOS 7 and 8 both ship with SELinux enforcing by default. For day-to-day tcpdump use this does not matter — the binary runs under your shell's confinement and capture works fine. Two cases where SELinux can bite:
- Writing pcap files to a non-standard directory. Writing -w /var/log/cap.pcap is fine; writing to /root/cap.pcap from a non-root context, or to a path under an Apache-served directory, may be blocked by SELinux. Check journalctl -t setroubleshoot or ausearch -m avc -ts recent for denials and use restorecon -Rv /path to fix the context.
- Running tcpdump from inside a confined service. If you wrap tcpdump in a systemd unit, the unit's SELinux context may not have cap_net_raw. Either run the unit unconfined (SELinuxContext=system_u:system_r:unconfined_service_t:s0 or simply leave SELinux permissive while debugging) or write a small policy module.
SELinux almost never blocks ordinary interactive tcpdump use. If a capture fails with "permission denied" and sudo is involved, the cause is far more often cap_net_raw than SELinux.
firewalld notes
firewalld does not affect packet capture — tcpdump reads packets before the kernel firewall hook (PREROUTING) for incoming traffic and after POSTROUTING for outgoing. That has two practical consequences:
- tcpdump shows you packets the firewall is about to drop. Useful for confirming the firewall is the reason a connection is failing: if you see the SYN in tcpdump but no SYN/ACK, and firewall-cmd --list-all shows the port isn't open, that's your answer.
- tcpdump does not show you whether the firewall has already dropped a packet from lo/loopback in some unusual configurations. For NAT and DNAT, capture on the interface before the translation: capture on eth0, not on the docker bridge, to see the original source IP.
You do not need to open any firewall ports to run tcpdump itself. You may need to open the port whose traffic you are trying to see if it's currently being blocked.
Common errors and fixes
- Failed to download metadata for repo 'BaseOS' / 404 — repos are pointing at the dead mirror.centos.org. Run the sed swap to vault.centos.org shown above.
- No match for argument: tcpdump — metadata wasn't refreshed after the repo fix. sudo dnf clean all && sudo dnf makecache (or yum on CentOS 7).
- tcpdump: <iface>: You don't have permission to capture on that device — run with sudo, or grant cap_net_raw,cap_net_admin with setcap as above.
- tcpdump: command not found as non-root — the binary lives in /usr/sbin, which is on root's PATH but sometimes not on a regular user's. Use the full path or run with sudo.
- No packets at all on what you know is a busy server — wrong interface. Run sudo tcpdump -D to list them and try -i any.
- tcpdump decodes everything as Unknown — your snaplen is too small. Add -s 0 to capture the full packet.
After install: where to next
tcpdump is one of the smallest learning investments with the biggest operational return — installing it is the easy half. For everyday usage (BPF filters, recipes, reading the output, writing/reading .pcap files), see:
- How to install and use tcpdump — full usage reference (filters, recipes, reading output, rotating captures).
- How to install Wireshark on Windows Server — for opening the .pcap files you capture on the Linux box.
Summary
In 2026, installing tcpdump on CentOS 7 or CentOS 8 is one extra step beyond the default yum/dnf install: repointing the repository configuration at vault.centos.org because both distros are past end-of-life and the standard mirrors no longer carry their packages. Once that one-time fix is done, the install itself is:
- CentOS 8: sudo dnf install -y tcpdump
- CentOS 7: sudo yum install -y tcpdump
Verify with tcpdump --version, run sudo tcpdump -i any -nn -c 5 as a smoke test, and you're ready to start capturing. For new servers, plan a migration to AlmaLinux 9 or Rocky Linux 9 — tcpdump installs the same way there, and the OS itself is still receiving security updates.