Quick tip: Capture Linux network packets to a file

The tcpdump command dumps traffic on a network in real time. It prints out a description of the contents of packets on a network interface.


How do I capture network packets to a file?

By default, traffic is dumped to the screen. To capture these packets to a file, enter the following command as the root user:
# tcpdump -i eth0 -w traffic.eth0

How do I read packets from a file?

The -w flag causes tcpdump to save the packet data to a file (called traffic.eth0 in the command above) for later analysis. To read the file back, use the -r flag, which causes tcpdump to read from a saved packet file rather than from a network interface:
# tcpdump -r traffic.eth0
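
The file written by -w is in the classic libpcap format: a 24-byte global header followed by one 16-byte record header per packet. As an added example (not part of the original tip), the Python below walks that structure to check that a capture file is intact and to show which packets were cut short by the snapshot length. The function names and the sample bytes from build_sample() are constructed for illustration.

```python
import struct

# Classic pcap magic values, as seen when the first 4 bytes are read little-endian.
# Each maps to (struct byte-order prefix, timestamp fraction units per second).
MAGICS = {
    0xA1B2C3D4: ("<", 10**6), 0xD4C3B2A1: (">", 10**6),   # microsecond files
    0xA1B23C4D: ("<", 10**9), 0x4D3CB2A1: (">", 10**9),   # nanosecond files
}

def read_pcap(data):
    """Parse classic pcap bytes; return (info, packets, problems)."""
    if len(data) < 24:
        raise ValueError("too short for the 24-byte pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in MAGICS:
        raise ValueError("not a classic pcap file (wrong magic number)")
    endian, units = MAGICS[magic]
    major, minor, _zone, _sigfigs, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:24])
    info = {"version": (major, minor), "snaplen": snaplen, "linktype": linktype}
    packets, problems, off = [], [], 24
    while off < len(data):
        if off + 16 > len(data):
            problems.append(f"truncated record header at offset {off}")
            break
        sec, frac, captured, on_wire = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if off + captured > len(data):
            problems.append(f"packet {len(packets) + 1} is cut off at end of file")
            break
        packets.append({"ts": sec + frac / units, "captured": captured,
                        "on_wire": on_wire, "data": data[off:off + captured]})
        off += captured
    return info, packets, problems

def build_sample():
    """Constructed sample: 2 records, snaplen 4, link type 1 (Ethernet); payload is filler."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 4, 1)
    p1 = struct.pack("<IIII", 1600000000, 500000, 4, 4) + b"\xde\xad\xbe\xef"
    p2 = struct.pack("<IIII", 1600000001, 0, 4, 60) + b"\x00\x01\x02\x03"  # 4 of 60 bytes kept
    return hdr + p1 + p2

if __name__ == "__main__":
    info, packets, problems = read_pcap(build_sample())
    print(info)
    for p in packets:
        note = " (snapped by snaplen)" if p["captured"] < p["on_wire"] else ""
        print(f'{p["ts"]:.6f} {p["captured"]}/{p["on_wire"]} bytes{note}')
    print(problems or "no structural problems")
```

To check a real capture, pass the file's bytes, for example read_pcap(open("traffic.eth0", "rb").read()).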

6 comments
  • Artem Nosulchik Sep 25, 2007 @ 7:56

    Nice tip, Vivek! Also, it would be useful to send these captured packets with the tool Bit-twist.
    An example of its usage is available here.

  • 🐧 nixCraft Sep 25, 2007 @ 11:50

    Artem,

    Thanks for sharing Bit-Twist. I will check it out 🙂

  • raisa Jan 7, 2010 @ 4:46

    Does tcpdump support TCP packet reassembly? If not, how can reassembly be implemented?

  • assfou Mar 28, 2012 @ 15:34

    Many Tks.

    Also, the capture can also be viewed in Wireshark. :):)

  • desperado0804 Jun 10, 2012 @ 5:24

    Thx for the tip! Well, we can also use AthTek NetWalk to help capture Linux network packets.

  • Dav Aug 13, 2020 @ 11:20

    Save it as .pcap (-w traffic.pcap) and open it in Wireshark
