tcpdump

About this website

tcpdump is a command-line packet analyzer that allows users to capture, display, and analyze network traffic in real time. Originally developed in 1987 by Van Jacobson, Craig Leres, and Steven McCanne at the Lawrence Berkeley Laboratory, tcpdump is one of the oldest and most widely used network diagnostic tools, with over 2,700 stars on its repository as of 2026. tcpdump uses libpcap (the packet capture library it shares with Wireshark and many other tools) to capture packets from network interfaces, applying Berkeley Packet Filter (BPF) expressions to selectively filter traffic.

Key features include:

- capture filtering with BPF expressions: by protocol (tcp, udp, icmp), by host (host 192.168.1.1), by port (port 80), by network (net 192.168.0.0/24), with the logical operators and, or, not, by direction (src or dst), and by TCP flags (tcp-syn, tcp-ack)
- display filtering with protocol-specific fields (examining TCP header fields, IP TTL, DNS query names, HTTP headers)
- verbose output modes (-v, -vv, -vvv for increasing detail levels)
- hexadecimal and ASCII packet dump (-X and -XX for full payload display)
- timestamp formatting options (-t, -tt, -ttt, -tttt)
- packet count limiting (-c)
- snapshot length control (-s to set the capture size)
- output to file for later analysis with tcpdump or Wireshark (-w filename.pcap)
- reading from saved capture files (-r)
- promiscuous mode capture (enabled by default, capturing all traffic on the network segment)
- monitoring of all interfaces (-i any)
- link-layer header type selection
- support for over 100 protocol dissectors, including Ethernet, 802.11 WiFi, ARP, IPv4, IPv6, TCP, UDP, ICMP, DNS, HTTP, TLS/SSL handshake, DHCP, SNMP, NFS, SMB, and many more
