tcpdump: Packet Capture Tool
The essential command-line packet analyzer for network forensics
Interactive tcpdump Examples
Essential tcpdump Commands
tcpdump -i any
Capture on all interfaces
tcpdump -nn port 443
Capture HTTPS traffic, no DNS resolution
tcpdump host 192.168.1.100
Filter by specific IP address
tcpdump -w capture.pcap
Write packets to file for later analysis
tcpdump -r capture.pcap
Read packets from saved file
tcpdump -X
Show packet contents in hex and ASCII
BPF Filter Syntax — The Language of Packet Capture
Berkeley Packet Filter (BPF) syntax is used by tcpdump, Wireshark capture filters, and most network tools. Master these building blocks:
| Filter | Meaning | SOC Use Case |
|---|---|---|
host 10.0.0.50 | Traffic to OR from this IP | Isolate a suspected compromised host |
src host 10.0.0.50 | Traffic FROM this IP only | See what a host is sending (exfil detection) |
dst port 443 | Traffic going TO port 443 | Monitor HTTPS connections |
port 53 | DNS traffic (both directions) | DNS tunneling detection |
net 192.168.1.0/24 | Entire subnet | Monitor a specific network segment |
not port 22 | Exclude SSH traffic | Filter out your own management traffic |
tcp[tcpflags] & tcp-syn != 0 | SYN flag set | Detect port scanning (SYN scan) |
icmp | ICMP traffic only | Detect ICMP tunneling or ping sweeps |
Combine with and, or, not:
IR Capture Recipes
Copy-paste these during incident response:
tcpdump -i any -w /tmp/evidence.pcap -G 3600 -W 24
Rotate capture files every hour, keep 24 hours
tcpdump -i eth0 'tcp[tcpflags] == tcp-rst' -nn
Catch connection resets (firewall blocks, IPS drops)
tcpdump -i eth0 'port 53 and udp[10] & 0x80 = 0' -nn
DNS queries only (not responses) — C2 hunting
tcpdump -i eth0 'greater 1400 and dst not net 10.0.0.0/8'
Large outbound packets — exfiltration indicator
NetFlow: Flow-Based Visibility
Network traffic metadata for large-scale monitoring
What is NetFlow?
NetFlow (and its variants: IPFIX, sFlow) provides summarized flow records rather than full packet captures. A "flow" is defined by:
- 5-Tuple: Source IP, Dest IP, Source Port, Dest Port, Protocol
- Timing: Start time, duration, last seen
- Metrics: Bytes transferred, packet count
- Interfaces: Ingress/egress interface IDs
Sample NetFlow Record
SOC Use Cases for NetFlow
| Use Case | How NetFlow Helps |
|---|---|
| C2 Detection | Identify periodic beaconing patterns to suspicious IPs |
| Data Exfiltration | Spot unusual outbound data volumes |
| Lateral Movement | Track internal connection patterns |
| DDoS Analysis | Visualize attack traffic sources and volumes |
| Baseline Deviation | Alert on anomalous traffic patterns |
tcpdump vs. NetFlow
Choosing the right tool for the job
Feature Comparison
| Aspect | tcpdump/PCAP | NetFlow |
|---|---|---|
| Data Captured | Full packet (headers + payload) | Flow metadata only |
| Storage Required | Very High (~100GB+/day) | Low (~1GB/day) |
| Retention | Hours to days | Weeks to months |
| Visibility | Complete - see everything | Summary - who talked to whom |
| Performance Impact | High CPU on capture device | Low - done by routers/switches |
| Best For | Deep forensics, malware analysis | Trending, baseline, detection |
When to Use Each
Use tcpdump/PCAP when:
- Analyzing malware payload
- Extracting files from traffic
- Debugging protocol issues
- Deep forensic investigation
Use NetFlow when:
- Identifying top talkers
- Detecting C2 beaconing
- Capacity planning
- Long-term trend analysis
Knowledge Assessment
Test your understanding of tcpdump and NetFlow