Frequently Asked Question
What does tcpdump do and when should I use it?
tcpdump captures packets directly from a network interface and prints a
one-line summary of each. It's the canonical Unix packet sniffer: small, fast,
needs no GUI, and exactly what you want when something is broken in
production and you need to see the bytes on the wire. sudo tcpdump -i eth0 port 80
shows every packet on port 80, i.e. plain HTTP; tcpdump -i any host 1.2.3.4 shows
everything to or from one IP; -nn skips DNS and port-name resolution so the
output is faster and leaks no lookups; -w capture.pcap writes the raw bytes to a
file you can open in Wireshark later.
Reach for tcpdump when an application says "connection refused" or "timeout"
and you need to know whether the SYN ever left the box, whether a reply came
back, or whether a firewall is silently dropping packets. The filter language
(Berkeley Packet Filter, BPF) lets you narrow the noise: tcp port 443,
udp and host 8.8.8.8, not arp, tcp[tcpflags] & tcp-syn != 0. The filter is
compiled and applied in kernel space before packets are copied to userspace, so
even on a busy interface the overhead is minimal.
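As an added example (not part of the original FAQ), a small Python script that applies the diagnosis above to tcpdump -nn output: it groups TCP segments by the client's SYN and reports whether each attempt was answered by a SYN-ACK, by an RST (the "connection refused" case), or not at all (a timeout, or a firewall silently dropping). The line regex, the constructed sample lines and the classify_flows name are assumptions.

```python
import re

# One-line summary format printed by `tcpdump -nn -i eth0 tcp` (IPv4 only,
# single interface, so no "In"/"Out" column). Regex and sample are assumptions.
LINE_RE = re.compile(
    r'^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): '
    r'Flags \[(?P<flags>[^\]]*)\]')

def classify_flows(lines):
    """Judge each client-initiated handshake from tcpdump text.

    'established': SYN answered by SYN-ACK ([S.])
    'refused':     SYN answered by RST ([R] or [R.])
    'no reply':    SYN left the box, nothing came back (timeout or silent drop)
    """
    syn_sent, reply = [], {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                      # non-TCP or unparsed line
        src, dst, flags = m['src'], m['dst'], m['flags']
        sport, dport = int(m['sport']), int(m['dport'])
        if flags == 'S':                  # bare SYN: a new (or retransmitted) attempt
            key = (src, sport, dst, dport)
            if key not in syn_sent:
                syn_sent.append(key)
            continue
        key = (dst, dport, src, sport)    # reverse tuple: is this the server answering?
        if key in syn_sent and key not in reply:
            if 'R' in flags:
                reply[key] = 'refused'
            elif flags == 'S.':
                reply[key] = 'established'
    return {key: reply.get(key, 'no reply') for key in syn_sent}

# Constructed sample lines, not a real capture.
SAMPLE = """\
12:00:01.000000 IP 10.0.0.5.51234 > 10.0.0.9.443: Flags [S], seq 100, win 64240, length 0
12:00:01.000150 IP 10.0.0.9.443 > 10.0.0.5.51234: Flags [S.], seq 500, ack 101, win 65160, length 0
12:00:01.000200 IP 10.0.0.5.51234 > 10.0.0.9.443: Flags [.], ack 1, win 502, length 0
12:00:02.000000 IP 10.0.0.5.51235 > 10.0.0.9.8080: Flags [S], seq 200, win 64240, length 0
12:00:02.000120 IP 10.0.0.9.8080 > 10.0.0.5.51235: Flags [R.], seq 0, ack 201, win 0, length 0
12:00:03.000000 IP 10.0.0.5.51236 > 10.0.0.7.22: Flags [S], seq 300, win 64240, length 0
12:00:04.000000 IP 10.0.0.5.51236 > 10.0.0.7.22: Flags [S], seq 300, win 64240, length 0
""".splitlines()

if __name__ == '__main__':
    for (src, sport, dst, dport), verdict in classify_flows(SAMPLE).items():
        print(f'{src}:{sport} -> {dst}:{dport}: {verdict}')
```

To run it against a live box, replace SAMPLE with sys.stdin and pipe in sudo tcpdump -nn -i eth0 -l tcp; the third verdict is the one that points at a silently dropping firewall rather than the application.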