Linux Commands - Capture packets using the tcpdump command


On a Linux system, let's say the ip address command returns the following. Notice in this example that there are two interfaces, lo and eth0.

~]# ip address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:64:f5:94 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.5/24 brd 192.168.0.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe64:f594/64 scope link
       valid_lft forever preferred_lft forever
The tcpdump command with the -i or --interface option (eth0 in this example) can be used to view the packets being processed by the interface.

tcpdump --interface eth0
Something like this should be displayed.

23:32:18.257281 IP server1.example.com > server2.example.com: Flags [P.], seq 1618192:1618432, ack 1825, win 305, length 240
23:32:18.257291 IP server1.example.com > server2.example.com: Flags [.], ack 1601808, win 510, length 0
23:32:18.257375 IP server1.example.com > server2.example.com: Flags [.], ack 1602288, win 508, length 0
23:32:18.257391 IP server1.example.com > server2.example.com: Flags [.], ack 1602528, win 512, length 0
23:32:18.257395 IP server1.example.com > server2.example.com: Flags [.], ack 1602768, win 511, length 0
^C
8041 packets captured
8041 packets received by filter
0 packets dropped by kernel
Redirect output to a file

The -w option writes the raw packets to a file instead of printing them to the terminal. In this example, the output will be written to capture.pcap, which can then be opened and examined in Wireshark.

tcpdump -i eth0 -w capture.pcap 
Alternatively, shell redirection can be used to produce a plain-text file. Note that this saves tcpdump's decoded text lines, not the raw packets, so the resulting file cannot be opened in Wireshark the way a .pcap file can.

tcpdump -i eth0 >> capture.txt
The -r (read) flag can be used to display the contents of the capture file.

tcpdump -r capture.pcap
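As an added example that is not part of the original article, the following shell script shows one thing that can be done with the plain-text file produced by the tcpdump ... >> capture.txt redirection above. An awk parser counts packets and payload bytes per source > destination pair and reads the "packets dropped by kernel" trailer that tcpdump prints when it stops; a capture with kernel drops is not a complete record of the traffic, which matters when the file is kept as evidence. The sample lines embedded in the script are constructed in the line format shown earlier on this page, and the function name summarize_capture is chosen here.

```shell
#!/bin/sh
# Added example, not from the original article: summarise the plain-text capture
# that "tcpdump -n -i eth0 >> capture.txt" produces. Counts packets and payload
# bytes per source > destination pair and reports the "packets dropped by kernel"
# trailer, because a capture with drops is not a complete record of the traffic.

# Constructed sample in the line format tcpdump prints with -n (not real traffic).
SAMPLE_CAPTURE='23:32:18.257281 IP 10.17.44.5 > 10.17.44.6: Flags [P.], seq 1618192:1618432, ack 1825, win 305, length 240
23:32:18.257291 IP 10.17.44.5 > 10.17.44.6: Flags [.], ack 1601808, win 510, length 0
23:32:18.257375 IP 10.17.44.6 > 10.17.44.5: Flags [.], ack 1618432, win 508, length 0
23:32:18.257391 IP 10.17.44.6 > 10.17.44.5: Flags [P.], seq 1825:1945, ack 1618432, win 512, length 120
23:32:18.257395 IP 10.17.44.5 > 10.17.44.6: Flags [.], ack 1945, win 511, length 0
^C
5 packets captured
5 packets received by filter
3 packets dropped by kernel'

# summarize_capture: read tcpdump text on stdin, print one line per conversation
# direction plus the kernel drop count. Output is sorted so it is stable.
summarize_capture() {
  awk '
    # Packet lines look like: <time> IP <src> > <dst>: Flags [..], ..., length <n>
    $2 ~ /^IP6?$/ && $4 == ">" {
      dst = $5; sub(/:$/, "", dst)
      key = $3 " > " dst
      pkts[key]++
      # "length <n>" is the last pair of fields on TCP lines
      if ($(NF - 1) == "length") bytes[key] += $NF
    }
    # Trailer line printed when tcpdump stops: "<n> packets dropped by kernel"
    /packets dropped by kernel/ { dropped = $1 }
    END {
      for (k in pkts)
        printf "%s packets=%d payload_bytes=%d\n", k, pkts[k], bytes[k] + 0
      printf "dropped_by_kernel=%d\n", dropped + 0
      if (dropped + 0 > 0)
        print "WARNING: kernel dropped packets; the capture is incomplete"
    }' | sort
}

# Usage with a real file: summarize_capture < capture.txt
printf '%s\n' "$SAMPLE_CAPTURE" | summarize_capture
```

The parser keys on the second field being IP or IP6 and the fourth being ">", so it ignores tcpdump's startup and trailer lines; with -n and real traffic the source and destination fields carry a trailing ".port", which simply becomes part of the key.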
Do not resolve IP address to hostname

By default, tcpdump resolves IP addresses to hostnames. The -n flag disables this so that IP addresses are printed instead of hostnames. This also avoids the DNS lookups that resolution triggers, which slow the capture down and add the lookups' own traffic to it (-nn additionally leaves port numbers unresolved to service names).

tcpdump -n
The output now shows IP addresses instead of hostnames.

23:32:18.257281 IP 10.17.44.5 > 10.17.44.6: Flags [P.], seq 1618192:1618432, ack 1825, win 305, length 240
23:32:18.257291 IP 10.17.44.5 > 10.17.44.6: Flags [.], ack 1601808, win 510, length 0
23:32:18.257375 IP 10.17.44.5 > 10.17.44.6: Flags [.], ack 1602288, win 508, length 0
23:32:18.257391 IP 10.17.44.5 > 10.17.44.6: Flags [.], ack 1602528, win 512, length 0
23:32:18.257395 IP 10.17.44.5 > 10.17.44.6: Flags [.], ack 1602768, win 511, length 0
^C
8041 packets captured
8041 packets received by filter
0 packets dropped by kernel
Verbose

The following flags add progressively more detail to each line of output (for example the TTL, IP ID, total length and checksum verification):

  • -v (basic verbose)
  • -vv (more verbose)
  • -vvv (very verbose)

tcpdump -i eth0 -v
The capture.pcap file(s) that will be created can become quite large (MB or even GB). For this reason, first ensure that the directory that will contain the capture.pcap file has plenty of available disk space. Use the df -h command to find a filesystem with enough free space, then use the cd (change directory) command to move into a directory on it.

df -h
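The following script, added here and not part of the original article, turns the disk-space advice into an automatic check: it measures free space with df -P, compares it with the largest size the capture can ever reach, and only then starts tcpdump with the -C and -W options, which rotate the output across a fixed number of files so a long-running capture cannot fill the filesystem. The interface name, capture directory and size limits are assumed placeholders, and the function names are chosen here.

```shell
#!/bin/sh
# Added example (not from the original article): refuse to start a capture unless
# the target directory has room for the whole capture, then capture with tcpdump's
# -C/-W ring-buffer options so the files can never outgrow that budget.
# Assumed placeholders: interface eth0, directory /var/tmp/captures, size limits.

CAPTURE_DIR="${CAPTURE_DIR:-/var/tmp/captures}"   # assumption: any directory with room
IFACE="${IFACE:-eth0}"                            # assumption: interface from this page
FILE_SIZE_MB=100   # -C: rotate when a file reaches this many million bytes
FILE_COUNT=10      # -W: keep at most this many files, overwriting the oldest

# free_mb DIR: print the free space of DIR's filesystem in MB (POSIX df -P layout,
# field 4 of the data line is the available space in 1K blocks).
free_mb() {
  df -Pk "$1" | awk 'NR == 2 { printf "%d\n", $4 / 1024 }'
}

# capture_budget_mb: the most space the ring buffer can ever occupy.
capture_budget_mb() {
  echo $((FILE_SIZE_MB * FILE_COUNT))
}

# has_room DIR: succeed only if DIR can hold the whole ring buffer plus a 10% margin.
has_room() {
  need=$(( $(capture_budget_mb) * 11 / 10 ))
  have=$(free_mb "$1")
  [ "$have" -ge "$need" ]
}

# run_capture: check space, then capture with -n (no DNS lookups), -C and -W.
run_capture() {
  mkdir -p "$CAPTURE_DIR"
  if ! has_room "$CAPTURE_DIR"; then
    echo "not enough free space in $CAPTURE_DIR (need $(( $(capture_budget_mb) * 11 / 10 )) MB, have $(free_mb "$CAPTURE_DIR") MB)" >&2
    return 1
  fi
  tcpdump -n -i "$IFACE" -C "$FILE_SIZE_MB" -W "$FILE_COUNT" -w "$CAPTURE_DIR/capture.pcap"
}

# Only start capturing when explicitly asked (RUN_CAPTURE=1 ./capture.sh), so the
# file can also be sourced just for its functions.
if [ "${RUN_CAPTURE:-0}" = 1 ]; then
  run_capture
fi
```

With -C and -W tcpdump writes capture.pcap0, capture.pcap1 and so on, wrapping around once FILE_COUNT files exist, so the total on disk stays at roughly FILE_SIZE_MB times FILE_COUNT; the check above reserves that amount plus a margin before the first packet is written.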