How to install and use TCPdump on CentOS 7 and 8

TCPdump is a command-line network analyzer that can monitor and log TCP/IP traffic passing through the network interfaces of the device it runs on. TCPdump is open source and freely available under the BSD license. It can print information about captured packets in several formats depending on the arguments used.

Install TCPdump on CentOS 7 and 8

If you are using an RHEL-based operating system there is a good chance that TCPdump is already installed. First, run the following command (or any other TCPdump command) to check whether it is installed:

tcpdump -D

If you get the following output, TCPdump is not installed:

-bash: tcpdump: command not found

You can install TCPdump with the command below:

yum install tcpdump

Verify the installation by checking the version:

tcpdump --version

Show Interfaces

Before you can monitor or capture anything you need to know which interfaces you have and what their names are, so that you can use them in your filters and get the desired results. You can list your system's interfaces with the following command:

tcpdump -D

You should see something like the output below, which lists your interfaces, their status, and a brief description of what each interface does:

1.eth0 [Up, Running]
2.lo [Up, Running, Loopback]
3.any (Pseudo-device that captures on all interfaces) [Up, Running]
4.bluetooth-monitor (Bluetooth Linux Monitor) [none]
5.nflog (Linux netfilter log (NFLOG) interface) [none]
6.nfqueue (Linux netfilter queue (NFQUEUE) interface) [none]
7.usbmon0 (Raw USB traffic, all USB buses) [none]
8.usbmon1 (Raw USB traffic, bus number 1)

Capture a specific interface

Using the “-i” argument you can select a specific interface to monitor and capture. For example, start capturing on one of your active interfaces with the command below (we use “eth0”, the main interface on this system; replace it with your own interface name):

tcpdump -i eth0

It captures every packet that hits the interface and prints it on your screen; stop the process with “Ctrl + c”.

You can capture the interface's traffic and write the decoded text output directly to a file with:

tcpdump -i eth0 > test.txt

Add a timeout to capture 20 seconds of traffic on your interface and write it to a file:

timeout 20s tcpdump -i eth0 > test.txt

Capture a specific number of packets

The “-c” argument sets the number of packets you want to capture. For example, you can record 200 packets on your “eth0” interface with the following command:

tcpdump -i eth0 -c 200

Capture traffic by IP

One of the most common filters you can use with TCPdump is “host”; with this filter you see only packets going to or from a specific IP.

For example, this command shows and captures all traffic of your loopback interface (127.0.0.1):

tcpdump host 127.0.0.1

Of course, you can combine filters and arguments to get more precise results:

tcpdump -i eth0 -c 200 host 8.8.8.8

Capture packets by source and destination

With the “src” and “dst” filters you can see traffic in one direction only, as in the following examples:

tcpdump src 8.8.8.8
tcpdump -i eth0 -c 200 dst 8.8.8.8 > test.txt

Filter by Network

To capture packets going to or from a particular network or subnet, use the “net” filter:

tcpdump net 10.0.10.0/24
tcpdump -i eth0 net 10.0.10.0/24

Capture traffic of a specific port

Use the “port” filter to capture traffic on a specific port of your device; this way you can analyze the packets of a service that uses a specific port on your system:

tcpdump port 80

Combine it with the “src” and “dst” filters:

tcpdump src port 80

Show Traffic of a specific protocol

You may want to look at only one particular kind of traffic; you can use the “tcp”, “udp” and “icmp” keywords, among others:

tcpdump icmp
tcpdump -i eth0 tcp

Print captured packets in ASCII

If you want to see the packet contents in ASCII, use the “-A” argument as in the following example:

tcpdump -i eth0 -A

Capture and save packets in a readable file

TCPdump can also save the raw captured packets to a file with “-w” and read them back later with “-r”. Note that “-w” writes binary pcap data rather than plain text, so the file is meant to be read with TCPdump (or another pcap tool), not a text editor. Start capturing and writing to a file with:

tcpdump -i eth0 -w test.txt

Read the file back with TCPdump using:

tcpdump -r test.txt
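As an added example that is not part of this tutorial, the Python script below summarises the plain-text output produced by “tcpdump -i eth0 > test.txt” (the redirect shown under “Capture a specific interface”) per protocol, destination host and port, which is a quick way to see which hosts and services dominate a capture before narrowing it down with the host, net and port filters above. It assumes tcpdump's default one-line output with numeric addresses (as printed with “-n”) and uses constructed sample lines instead of a real capture file.

```python
# Added example (not from the tutorial): summarise the text written by `tcpdump -i eth0 > test.txt`.
# Assumes tcpdump's default one-line format with numeric addresses; SAMPLE is constructed.
import re
from collections import Counter

LINE_RE = re.compile(r"^(\S+) (IP6?) (\S+) > (\S+): (.*)$")  # timestamp IP src > dst: details
V4_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?:\.(\d+))?$")   # IPv4 with optional .port

def split_endpoint(ep):
    """'10.0.10.5.53' -> ('10.0.10.5', 53); '10.0.10.5' -> ('10.0.10.5', None)."""
    m = V4_RE.match(ep)
    if m:
        return m.group(1), (int(m.group(2)) if m.group(2) else None)
    host, dot, port = ep.rpartition(".")  # IPv6 endpoint: port follows the last dot
    return (host, int(port)) if dot and port.isdigit() else (ep, None)

def parse_line(line):
    """Parse one packet line into a dict; return None for lines that are not packet records."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _, _, src, dst, rest = m.groups()
    sh, sp = split_endpoint(src)
    dh, dp = split_endpoint(dst)
    # Protocol heuristic: tcpdump names ICMP and prints TCP "Flags [...]",
    # but UDP payloads such as DNS are shown without the word UDP.
    if rest.startswith("ICMP"):
        proto = "icmp"
    elif rest.startswith("Flags ["):
        proto = "tcp"
    else:
        proto = "udp" if dp is not None else "other"
    return {"proto": proto, "src": sh, "sport": sp, "dst": dh, "dport": dp}

def summarize(lines):
    """Count packets per (proto, destination host, destination port)."""
    counts = Counter()
    for rec in filter(None, map(parse_line, lines)):
        counts[(rec["proto"], rec["dst"], rec["dport"])] += 1
    return counts

SAMPLE = """\
12:00:01.000001 IP 10.0.10.5.44321 > 8.8.8.8.53: 41235+ A? example.com. (29)
12:00:01.020002 IP 8.8.8.8.53 > 10.0.10.5.44321: 41235 1/0/0 A 93.184.216.34 (45)
12:00:01.100003 IP 10.0.10.5.51000 > 93.184.216.34.80: Flags [S], seq 1, win 64240, length 0
12:00:01.120004 IP 93.184.216.34.80 > 10.0.10.5.51000: Flags [S.], seq 0, ack 2, length 0
12:00:02.000005 IP 10.0.10.5 > 8.8.8.8: ICMP echo request, id 1, seq 1, length 64
this line is not a packet record and is skipped
"""
```

To run it on a real file, pass the lines of test.txt to summarize() and print counts.most_common().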
