How to install and use TCPdump on CentOS 7 / 8

TCPdump is a command-line network analyzer that captures and logs TCP/IP (and other) traffic passing through the network interfaces of the host it runs on. It is open-source, freely available under the BSD license, and prints information about each packet in several formats depending on the arguments used.

Read our latest article about Network Protocols and learn more about TCP/UDP protocols.

How to Install TCPdump on CentOS 7 and 8

If you are using RHEL or one of its derivatives such as CentOS, there is a good chance that TCPdump is already installed. First run the following command (or any other TCPdump command) to check:

tcpdump -D

If you get the following output, TCPdump is not installed:

-bash: tcpdump: command not found

You can install TCPdump as root (or with sudo) using the system package manager. On CentOS 8 the native package manager is dnf, but yum is kept as an alias for it, so the same command works on both releases:

sudo yum install tcpdump

Verify the installation by checking the version:

tcpdump --version

Show Interfaces

Before you capture anything you need to know which interfaces the system has and what they are called, so that you can pick the right one for your filters. List them with the following command:

tcpdump -D

You should see something like the output below, which lists each interface, its status, and a brief description of what it carries. Capturing on any of them requires root privileges (specifically the CAP_NET_RAW and CAP_NET_ADMIN capabilities), so run the capture commands in the rest of this article as root or with sudo:


1.eth0 [Up, Running]
2.lo [Up, Running, Loopback]
3.any (Pseudo-device that captures on all interfaces) [Up, Running]
4.bluetooth-monitor (Bluetooth Linux Monitor) [none]
5.nflog (Linux netfilter log (NFLOG) interface) [none]
6.nfqueue (Linux netfilter queue (NFQUEUE) interface) [none]
7.usbmon0 (Raw USB traffic, all USB buses) [none]
8.usbmon1 (Raw USB traffic, bus number 1)

Capture a specific interface

With the -i argument you select the interface to capture on. For example, start capturing on one of your active interfaces with the command below (we use eth0, the main interface on our test system; replace it with your own interface name):

tcpdump -i eth0

It captures every packet that reaches the interface and prints a one-line summary per packet on your screen; stop it with Ctrl + C. By default TCPdump tries to resolve IP addresses and port numbers to names, which slows the output down and makes the capturing host send DNS queries of its own; add -n to print them as numbers instead.

You can also redirect the printed summaries to a text file:

tcpdump -i eth0 > test.txt

Note that this saves the decoded text, not the raw packets, so the file cannot be reloaded into TCPdump or Wireshark later; for that use -w, described in the section on saving packets to a file below.

Add a timeout to capture 20 seconds of traffic on the interface and write the summaries to a file. timeout stops TCPdump with SIGTERM after 20 seconds, which TCPdump handles cleanly by printing its packet counts and exiting:

timeout 20s tcpdump -i eth0 > test.txt

Capture a specific number of packets

The -c argument sets the number of packets to capture, after which TCPdump exits on its own. For example, record 200 packets on the eth0 interface with the following command:

tcpdump -i eth0 -c 200

Capture traffic by IP

One of the most common filters is host: it matches packets going to or coming from a specific IP address.

For example, the following command captures all traffic to or from 127.0.0.1. The -i lo is required: without -i, TCPdump picks the first non-loopback interface that is up, and loopback traffic never appears there, so the command would show nothing:

tcpdump -i lo host 127.0.0.1

Of course, you can combine filters and arguments to narrow the result further:

tcpdump -i eth0 -c 200 host 8.8.8.8

Capture packets by source and destination

The src and dst qualifiers restrict a filter to one direction: src matches packets whose source is the given address, dst matches packets whose destination it is. Compare the two examples below:

tcpdump src 8.8.8.8
tcpdump -i eth0 -c 200 dst 8.8.8.8 > test.txt

Filter by Network

To capture packets going to or from a particular network or subnet, use the net filter with a CIDR prefix:

tcpdump net 10.0.10.0/24
tcpdump -i eth0 net 10.0.10.0/24

Capture traffic of a specific port

Use the port filter to capture traffic for a specific TCP or UDP port in either direction; this is the easiest way to isolate the packets of one service running on your system:

tcpdump port 80

Combine it with src or dst to look at one direction only, for example replies coming from web servers (source port 80):

tcpdump src port 80

Show Traffic of a specific protocol

You may want to look at one kind of traffic only. The protocol keywords tcp, udp and icmp (and others such as arp and ip6) are filter primitives and must be written in lowercase:

tcpdump icmp
tcpdump -i eth0 tcp

Print captured packets in ASCII

The -A argument prints each packet's payload in ASCII after the summary line, which is useful for inspecting plaintext protocols such as HTTP (use -X instead to see the payload in hex and ASCII side by side):

tcpdump -i eth0 -A

Capture and save packets to a file for later analysis

TCPdump can write the raw captured packets to a file with -w and read them back later. Unlike redirecting the printed output, this stores the full packets in the binary pcap format, so the file is not readable text and is conventionally given a .pcap extension; it can be opened with TCPdump or with Wireshark. Start capturing and writing to a file with:

tcpdump -i eth0 -w test.pcap

Read the file back with -r. Any of the filter expressions above can be appended to the -r command, so you can capture broadly once and narrow down afterwards:

tcpdump -r test.pcap
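As an added example (not code from the original article or from the tcpdump project), the following Python script reads a file written with -w without using tcpdump. It shows why such a file is not readable text: it starts with a 24-byte pcap header, and each packet is stored as a 16-byte record header followed by the raw frame bytes. The sample capture is constructed inside the script (addresses, ports and timestamps are made up) so it runs offline; load_pcap is a hypothetical helper name, not a tcpdump or libpcap API.

```python
"""Read a capture written by `tcpdump -w` without tcpdump (added example)."""
import socket
import struct
from collections import Counter

PCAP_MAGIC_USEC = 0xA1B2C3D4   # classic pcap, microsecond timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D   # pcap variant with nanosecond timestamps
PCAPNG_MAGIC = 0x0A0D0D0A      # pcapng section header; not handled here
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


def iter_pcap_records(data):
    """Yield (timestamp, frame_bytes) for every record in raw pcap file contents."""
    if len(data) < 24:
        raise ValueError("too short to be a pcap file")
    if struct.unpack_from("<I", data, 0)[0] == PCAPNG_MAGIC:
        raise ValueError("pcapng file; this reader only handles classic pcap")
    for endian in ("<", ">"):   # the magic number reveals the writer's byte order
        magic = struct.unpack_from(endian + "I", data, 0)[0]
        if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            break
    else:
        raise ValueError("not a pcap file (bad magic); was text output redirected instead of using -w?")
    frac_div = 1_000_000 if magic == PCAP_MAGIC_USEC else 1_000_000_000
    _major, _minor, _tz, _sigfigs, snaplen, linktype = struct.unpack_from(endian + "HHiIII", data, 4)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        if incl_len > snaplen or off + incl_len > len(data):
            raise ValueError("truncated or corrupt record")
        yield ts_sec + ts_frac / frac_div, data[off:off + incl_len]
        off += incl_len


def load_pcap(path):
    """Hypothetical convenience wrapper: read a -w file from disk into a list of records."""
    with open(path, "rb") as fh:
        return list(iter_pcap_records(fh.read()))


def summarize(frame):
    """Return (src, dst, proto, sport, dport, tcp_flags) for an Ethernet/IPv4 frame, else None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4          # IPv4 header length in bytes, options included
    proto = ip[9]
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    l4 = ip[ihl:]
    sport = dport = flags = None
    if proto in (PROTO_TCP, PROTO_UDP) and len(l4) >= 4:
        sport, dport = struct.unpack_from("!HH", l4, 0)
        if proto == PROTO_TCP and len(l4) >= 14:
            flags = l4[13]             # SYN is 0x02, ACK is 0x10, etc.
    return src, dst, proto, sport, dport, flags


def count_by_dst_port(data):
    """Packets per destination port, the programmatic equivalent of `tcpdump -r file port N`."""
    counts = Counter()
    for _ts, frame in iter_pcap_records(data):
        info = summarize(frame)
        if info and info[4] is not None:
            counts[info[4]] += 1
    return counts


# --- constructed sample capture: no real traffic, checksums left at zero ---
def build_frame(src, dst, proto, sport, dport, tcp_flags=0x02, payload=b""):
    if proto == PROTO_TCP:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, tcp_flags, 64240, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    l4 += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + l4
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip


def build_pcap(frames, snaplen=262144):
    """Lay frames out the way tcpdump -w does on x86 (little-endian, microsecond timestamps)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


SAMPLE_PCAP = build_pcap([
    build_frame("10.0.10.5", "10.0.10.20", PROTO_TCP, 40001, 22),
    build_frame("10.0.10.5", "10.0.10.20", PROTO_TCP, 40002, 80),
    build_frame("10.0.10.20", "8.8.8.8", PROTO_UDP, 53123, 53, payload=b"\x00" * 12),
    build_frame("10.0.10.7", "10.0.10.20", PROTO_TCP, 40003, 80),
])

if __name__ == "__main__":
    for ts, frame in iter_pcap_records(SAMPLE_PCAP):
        print(f"{ts:.6f}", summarize(frame))
    print(count_by_dst_port(SAMPLE_PCAP))
```

To run it against a real capture, replace SAMPLE_PCAP with load_pcap("test.pcap"). The reader deliberately rejects a file that was produced by redirecting the text output, since that is the most common mistake when people expect -r to work on it.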

Use Xitoring monitoring solutions on your Linux Server today!

Did you know that you can monitor your servers using a variety of server integrations such as Apache Monitoring, Nginx Monitoring, and MySQL Monitoring on Xitoring?

FAQ

How can one analyze the data captured by TCPdump to identify potential security threats or network issues?

A capture written with -w can be opened in Wireshark, which provides a graphical interface for examining packets in depth, or re-read with tcpdump -r and progressively narrower filters. Typical signs to look for are one source sending SYNs to many different ports on a host (port scanning), repeated connection attempts from one source to a single service such as SSH (brute forcing), and unusually large volumes of traffic to or from an unfamiliar IP (possible data exfiltration or a DDoS).
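The kind of triage described in this answer can be scripted. The following Python is added here as an example (it is not code from the article): it parses the one-line summaries that tcpdump -n prints for IPv4 TCP and UDP traffic and flags the three patterns just mentioned, namely a source sending bare SYNs to many distinct ports on one host, a source repeatedly opening connections to one port, and the (source, destination) pairs carrying the most payload bytes. The log lines are constructed for the demo using RFC 5737 documentation addresses, and the thresholds are assumptions to tune for your own network.

```python
"""Triage `tcpdump -n` text output for scan, brute-force and volume anomalies (added example)."""
import re
from collections import Counter, defaultdict

# One summary line as printed by `tcpdump -n` for IPv4 TCP/UDP traffic:
#   HH:MM:SS.usec IP src.sport > dst.dport: <protocol-specific detail>
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): (?P<rest>.*)$"
)
FLAGS_RE = re.compile(r"Flags \[([^\]]*)\]")      # TCP lines only
LENGTH_RE = re.compile(r"length (\d+)")           # TCP/UDP payload length
DNS_LEN_RE = re.compile(r"\((\d+)\)\s*$")        # DNS lines end with (payload_len)


def parse_line(line):
    """Return a dict for an IPv4 TCP/UDP summary line, or None for anything else (ARP, IPv6, ...)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m["rest"]
    flags = FLAGS_RE.search(rest)
    length = LENGTH_RE.search(rest) or DNS_LEN_RE.search(rest)
    return {
        "ts": m["ts"], "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
        "syn": bool(flags) and flags[1] == "S",   # a bare SYN is a new connection attempt
        "length": int(length[1]) if length else 0,
    }


def parse_lines(lines):
    return [e for e in map(parse_line, lines) if e]


def find_port_scanners(events, min_ports=10):
    """(src, dst, n_ports) for sources that sent bare SYNs to >= min_ports distinct ports on one host."""
    ports = defaultdict(set)
    for e in events:
        if e["syn"]:
            ports[(e["src"], e["dst"])].add(e["dport"])
    return sorted((s, d, len(p)) for (s, d), p in ports.items() if len(p) >= min_ports)


def find_brute_force(events, min_attempts=5):
    """(src, dst, dport, attempts) for sources that repeatedly opened connections to one port."""
    hits = Counter((e["src"], e["dst"], e["dport"]) for e in events if e["syn"])
    return sorted(k + (n,) for k, n in hits.items() if n >= min_attempts)


def top_talkers(events, n=3):
    """Payload bytes per (src, dst) pair, largest first: candidates for exfiltration or flooding."""
    total = Counter()
    for e in events:
        total[(e["src"], e["dst"])] += e["length"]
    return total.most_common(n)


# --- constructed sample (RFC 5737 documentation addresses; not a real capture) ---
SAMPLE_LINES = (
    # 192.0.2.10 probes ports 20..35 on 10.0.10.20 with bare SYNs: a port scan
    [f"12:00:00.{i:06d} IP 192.0.2.10.4{i:04d} > 10.0.10.20.{port}: Flags [S], seq {i}, win 1024, length 0"
     for i, port in enumerate(range(20, 36))]
    # 192.0.2.33 keeps opening new connections to SSH: a brute-force pattern
    + [f"12:00:01.{i:06d} IP 192.0.2.33.5{i:04d} > 10.0.10.20.22: Flags [S], seq {i}, win 64240, length 0"
       for i in range(6)]
    # normal interactive SSH traffic
    + ["12:00:05.000001 IP 10.0.10.5.40001 > 10.0.10.20.22: Flags [P.], seq 1:49, ack 1, win 502, length 48"]
    # one large upload to an external host
    + [f"12:00:06.{i:06d} IP 10.0.10.20.55555 > 198.51.100.9.443: Flags [P.], seq {i*1448}:{(i+1)*1448}, ack 1, win 502, length 1448"
       for i in range(20)]
    # a DNS query (UDP, length in parentheses) and an ARP line the parser ignores
    + ["12:00:07.000001 IP 10.0.10.20.53123 > 8.8.8.8.53: 1234+ A? example.com. (29)",
       "12:00:07.000002 ARP, Request who-has 10.0.10.1 tell 10.0.10.20, length 28"]
)

if __name__ == "__main__":
    events = parse_lines(SAMPLE_LINES)
    print("parsed", len(events), "of", len(SAMPLE_LINES), "lines")
    print("port scans:", find_port_scanners(events))
    print("brute force:", find_brute_force(events))
    print("top talkers:", top_talkers(events))
```

Feed it real data with tcpdump -n -r test.pcap, or read a text file saved from tcpdump -n -l, and pass the lines to parse_lines. Always use -n for this: with name resolution on, the address fields become hostnames and the regular expression no longer matches.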

Are there any best practices or tips for optimizing TCPdump's performance, especially on high-traffic networks?

On high-traffic networks, filtering at capture time is the most important optimization: the filter expression is compiled to BPF and evaluated in the kernel, so packets that do not match are discarded before TCPdump ever sees them. Use -n to avoid DNS lookups, lower the snapshot length with -s so that only headers are captured, write raw packets to a file with -w instead of decoding them to the terminal, and raise the kernel capture buffer with -B if TCPdump reports packets dropped by the kernel when it exits. Running TCPdump under nice lowers its priority so that other critical processes are served first.

How does TCPdump compare to other network monitoring tools available for CentOS in terms of features, performance, and ease of use?

TCPdump is a powerful command-line network analysis tool that excels at capturing and filtering network packets. Compared to graphical tools like Wireshark, it requires fewer system resources and no display, which makes it ideal for running on servers; captures taken with -w can then be copied to a workstation and analyzed in Wireshark, whose dissectors and visualization are more intuitive for deep analysis. Other specialized tools, such as ntopng or Nagios, offer more extensive ongoing network monitoring and visualization features but require additional configuration and resources.
