
Capture TCP Packets with Tcpdump

TCP allows for the transmission of information in both directions. This means that computer systems that communicate over TCP can send and receive data at the same time, similar to a telephone conversation.

The protocol uses segments (commonly called packets) as its basic unit of transmission. Besides the payload, a segment carries control information in its header, and segments are limited to 1,500 bytes.

In this post we will learn how to capture TCP packets with the tcpdump command.

Create a TCP connection with Python code

We can use this Python code to connect to port 180 on google.com. The connection will not succeed, because that port is not open. While it is pending, we can open a second terminal and check the state of the TCP connection. After some time, the connection attempt will fail.

If we see connections in the SYN_SENT state, this usually means that there is a firewall problem between sender and receiver: the SYN was sent but no SYN-ACK came back, so the TCP 3-way handshake cannot be completed.

python -c 'import socket;client_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM);client_socket.connect(("google.com", 180))'

netstat -anpl|grep :180

tcp 0 1 10.254.222.37:40896 172.217.25.238:180 SYN_SENT 17998/python
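To make the two checks above repeatable, here is an added example (not code from the original post): it parses netstat output for sockets stuck in SYN_SENT, and it wraps the connect attempt from the post in a timeout so the failure mode is reported by name. The netstat sample is constructed to mirror the line shown above.

```python
import re
import socket

# Constructed sample of `netstat -anp` output (not captured from a real host);
# the first SYN_SENT line mirrors the one shown in the post.
SAMPLE_NETSTAT = """\
tcp        0      0 10.254.222.37:51022     172.217.25.238:443      ESTABLISHED 4410/firefox
tcp        0      1 10.254.222.37:40896     172.217.25.238:180      SYN_SENT    17998/python
tcp        0      1 10.254.222.37:40897     172.217.25.238:180      SYN_SENT    18001/python
"""

# Columns of a netstat -anp TCP line: proto recv-q send-q local remote state pid/program
_NETSTAT_RE = re.compile(
    r"^tcp6?\s+\d+\s+(?P<sendq>\d+)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"\s+(?P<state>\S+)\s+(?P<proc>\S+)"
)

def find_syn_sent(netstat_output, port=None):
    """Return (local, remote, process) for each socket stuck in SYN_SENT,
    optionally restricted to one remote port. A Send-Q of 1 on such a line
    is the unacknowledged SYN that the kernel keeps retransmitting."""
    hits = []
    for line in netstat_output.splitlines():
        m = _NETSTAT_RE.match(line)
        if not m or m.group("state") != "SYN_SENT":
            continue
        if port is not None and not m.group("remote").endswith(":%d" % port):
            continue
        hits.append((m.group("local"), m.group("remote"), m.group("proc")))
    return hits

def classify_connect(host, port, timeout=3.0):
    """Attempt a TCP connect and name the outcome:
    'open'    - handshake completed; 'refused' - peer answered the SYN with RST
    'timeout' - no SYN-ACK or RST arrived, the socket sat in SYN_SENT (the
                symptom the post attributes to a firewall dropping packets)
    'error'   - no route or other local failure before a SYN could be sent"""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "error"
    finally:
        s.close()
```

Running `classify_connect("google.com", 180)` reproduces the post's scenario; while it waits, `find_syn_sent(subprocess.check_output(["netstat", "-anp"]).decode(), 180)` shows the pending socket.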

Capture TCP packets with Tcpdump

We can use this command to capture that TCP traffic with tcpdump:

tcpdump -i any tcp port 180 -XAvvv

To briefly explain the options we passed to it:

  • -i any captures on all interfaces
  • tcp port 180 means that only TCP packets to or from port 180 will be captured. Other types of packets we might capture could be udp or icmp, for example.
  • -vvv just gives us more verbose output
  • -X prints out the data in the TCP packets in ASCII as well as hex. If we just wanted the latter we could use the -x option
  • -A prints the packet payload in ASCII only

Capture TCP packets and other filters with Tcpdump

One of the best features of tcpdump is that we can filter out exactly the traffic we want to see.

  • tcpdump -i interface tcp and host 10.1.1.1
  • tcpdump -i interface tcp and port 53
  • tcpdump -i interface tcp or dst host 10.1.1.1
  • tcpdump -i interface tcp or src port 53
  • tcpdump -n 'dst host 10.10.150.20 and (tcp port 80 or tcp port 443)'

Let’s break down the tcpdump -i interface tcp or dst host 10.1.1.1 command:

  • tcpdump: This is the command itself, used to start the packet capture process.
  • -i interface: This option specifies the interface on which the packet capture should be performed. Replace interface with the actual network interface name, such as eth0 or wlan0. This allows you to capture traffic on a specific network interface.
  • tcp or dst host 10.1.1.1: This is the filter expression used to specify the packets to be captured. It consists of two parts separated by the logical operator or.
    • tcp: This part of the expression captures only TCP (Transmission Control Protocol) packets. TCP is a widely used transport protocol in computer networks, responsible for reliable and ordered delivery of data.
    • dst host 10.1.1.1: This part captures packets where the destination (dst) IP address is 10.1.1.1. It filters the packets based on their destination IP address.

By combining these options and the filter expression, the tcpdump -i interface tcp or dst host 10.1.1.1 command captures, on the specified interface, every packet that is either a TCP packet or has a destination IP address of 10.1.1.1 (so non-TCP traffic to 10.1.1.1 is captured as well). To keep only TCP traffic to that host, use and instead of or.