[Network](EN) Dump packets using tcpdump and open it using wireshark

Dump packets using tcpdump command and open it using wireshark


Environment and Prerequisites

  • Linux base system
  • Bash shell (/bin/bash)
  • tcpdump command
  • Wireshark


tcpdump command

What is tcpdump command?

tcpdump [ -AdDefIKlLnNOpqRStuUvxX ] [ -B buffer_size ] [ -c count ]
[ -C file_size ] [ -G rotate_seconds ] [ -F file ]
[ -i interface ] [ -m module ] [ -M secret ]
[ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]
[ -W filecount ]
[ -E spi@ipaddr algo:secret,... ]
[ -y datalinktype ] [ -z postrotate-command ] [ -Z user ] [ expression ]
  • tcpdump: prints a description of the contents of packets on a network interface; the options above control what is captured and how it is shown or saved.
  • It reads every packet seen on the interface, so it needs root privilege.


Save a specific interface’s packets to a file

Basic usage

  • -i [interface name]: the interface to capture on
  • -w [file name]: write the raw packets to this file instead of printing them
tcpdump -i [interface name] -w [file name]

Example

  • Save eth0 interface’s packets to test.pcap
  • pcap: the packet capture file format that Wireshark reads
  • Press Ctrl + C to stop capturing; tcpdump then prints the capture summary shown below.
$ sudo tcpdump -i eth0 -w test.pcap
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
860 packets captured
862 packets received by filter
0 packets dropped by kernel


Wireshark

What is wireshark?

  • The world’s foremost and widely-used network protocol analyzer.
  • It lets you see what’s happening on your network at a microscopic level and is the de facto (and often de jure) standard across many commercial and non-profit enterprises, government agencies, and educational institutions.


Open pcap file using wireshark

  • (Method 1) Drag and drop the pcap file onto the Wireshark window
  • (Method 2) Choose the file via File > Open


Filtering by IP address

  • To show only packets from or to a specific IP address, type the filter into the “Apply a display filter” bar below the menu

IP address filter

ip.addr==X.X.X.X
ip.src==X.X.X.X
ip.dst==X.X.X.X

AND condition (both conditions must match)

(ip.src==X.X.X.X) && (ip.dst==X.X.X.X)

OR condition (either condition may match)

(ip.src==X.X.X.X) || (ip.dst==X.X.X.X)
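To make concrete what `tcpdump -w` wrote to test.pcap and what the display filters above do to it, here is an added example (not code from the original post): a minimal parser for the pcap global header and packet records, plus an evaluator for ip.addr / ip.src / ip.dst atoms joined by && or ||, run over a three-packet capture constructed in memory. Field offsets follow the classic pcap and Ethernet/IPv4 header layouts; the addresses and timestamps are constructed sample values.

```python
"""Parse a tcpdump-written pcap file and apply Wireshark-style IP display filters.
Added example, not part of the original post; the capture is constructed in memory."""
import struct
import ipaddress

PCAP_MAGIC = 0xa1b2c3d4        # tcpdump's default: little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1          # "link-type EN10MB (Ethernet)" in tcpdump's banner

def ipv4_frame(src, dst):
    """Ethernet + 20-byte IPv4 header; only the fields the filters read are meaningful."""
    eth = bytes(12) + b"\x08\x00"                     # dst/src MAC (zeros), ethertype IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return eth + ip

def build_pcap(packets):
    """Lay out the 24-byte global header and 16-byte record headers as `tcpdump -w` does."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 262144, LINKTYPE_ETHERNET)
    for ts_sec, frame in packets:                     # snaplen 262144 = tcpdump's default
        out += struct.pack("<IIII", ts_sec, 0, len(frame), len(frame)) + frame
    return out

def read_pcap(data):
    """Yield (ip.src, ip.dst) for every IPv4 record; non-IPv4 frames are skipped."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file")
    off = 24                                          # skip the global header
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if frame[12:14] == b"\x08\x00" and len(frame) >= 34:
            yield (str(ipaddress.ip_address(frame[26:30])),   # IPv4 source (eth + 12)
                   str(ipaddress.ip_address(frame[30:34])))   # IPv4 destination (eth + 16)

def matches(src, dst, expr):
    """Evaluate ip.addr/ip.src/ip.dst atoms joined by a single && (AND) or || (OR)."""
    fields = {"ip.addr": (src, dst), "ip.src": (src,), "ip.dst": (dst,)}
    def atom(text):
        name, value = text.strip(" ()").split("==")
        return value.strip() in fields[name.strip()]
    if "||" in expr:
        return any(atom(a) for a in expr.split("||"))
    return all(atom(a) for a in expr.split("&&"))

def apply_filter(data, expr):
    """Return the (src, dst) pairs Wireshark would display for the given filter."""
    return [pair for pair in read_pcap(data) if matches(*pair, expr)]

# Constructed capture: a request, its reply, and an unrelated third host.
CAPTURE = build_pcap([(1700000000, ipv4_frame("10.0.0.1", "10.0.0.2")),
                      (1700000001, ipv4_frame("10.0.0.2", "10.0.0.1")),
                      (1700000002, ipv4_frame("10.0.0.3", "10.0.0.2"))])
```

Writing `CAPTURE` to a file with a `.pcap` extension produces a file Wireshark opens exactly like one recorded by tcpdump, so the same filter strings can be checked in the GUI.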

