tcpdump is a powerful command-line packet analyzer that allows you to capture and inspect network traffic. One of its most useful features is the ability to filter traffic by port, helping you focus on specific services or applications.
Basic Port Filtering Syntax
To capture traffic on a specific port, use the port keyword:
sudo tcpdump port 80
This captures all traffic (both incoming and outgoing) on port 80 (HTTP).
Source and Destination Ports
You can specify whether to filter by source or destination port:
## Capture traffic FROM port 443
sudo tcpdump src port 443
## Capture traffic TO port 443
sudo tcpdump dst port 443
Multiple Ports
To monitor multiple ports, combine port filters with the or operator, or use portrange:
## Capture HTTP and HTTPS traffic
sudo tcpdump port 80 or port 443
## Capture a range of ports
sudo tcpdump portrange 8000-8080
Combining Port Filters with Other Criteria
Combine port filters with host or protocol filters using logical operators:
## Capture SSH traffic from specific host
sudo tcpdump port 22 and host 192.168.1.100
## Capture DNS traffic (UDP port 53)
sudo tcpdump udp and port 53
## Exclude specific port
sudo tcpdump not port 22
Useful Options
Enhance your tcpdump output with these options (put options before the filter expression: GNU getopt on Linux tolerates options after it, but on BSD and macOS option parsing stops at the first word of the expression):
## Save capture to file
sudo tcpdump -w capture.pcap port 80
## Show packet contents in hex and ASCII
sudo tcpdump -X port 443
## Limit number of packets
sudo tcpdump -c 100 port 25
## Don't resolve hostnames (faster)
sudo tcpdump -n port 80
Common Use Cases
- Web traffic:
sudo tcpdump port 80 or port 443
- Email (SMTP 25, submission 587, IMAPS 993):
sudo tcpdump port 25 or port 587 or port 993
- Database (MySQL 3306, PostgreSQL 5432):
sudo tcpdump port 3306 or port 5432
- SSH:
sudo tcpdump port 22
Port filtering with tcpdump is essential for network troubleshooting, security analysis, and monitoring specific applications without capturing unnecessary traffic.
Capture Strategy That Scales
A good tcpdump workflow avoids giant useless captures:
- define hypothesis (which host/port/protocol)
- build narrow filter
- limit packet count or duration
- save pcap for deeper analysis in Wireshark
Example:
sudo tcpdump -n -i eth0 -c 500 -w tls-check.pcap host 10.0.0.15 and port 443
This gives you a focused dataset instead of capturing everything on the interface.
Ring Buffer Captures for Long Incidents
For intermittent issues, use rotating files:
sudo tcpdump -n -i eth0 -C 20 -W 10 -w web.pcap port 443
This writes web.pcap0 through web.pcap9 (about 20 MB each) and then wraps around to the first file, so storage stays under control while the most recent traffic windows are preserved. Note that with -C and -W tcpdump appends a sequence number to the file name; a strftime pattern such as web-%Y%m%d%H%M%S.pcap is only expanded when rotating on time with -G (for example -G 3600 -W 10 for ten hourly files, after which tcpdump exits).
Common Filter Pitfalls
Missing parentheses with and / or
Filter logic precedence can surprise you. Group conditions clearly:
sudo tcpdump '(port 80 or port 443) and host 192.168.1.20'
Capturing without -n
Reverse DNS lookups slow capture and add noise. Use -n in troubleshooting sessions unless name resolution is required.
Capturing on wrong interface
Verify the interface first (ip a / ifconfig, or tcpdump -D to list capturable interfaces) before assuming eth0 is active.
Security and Compliance Reminder
Packet captures may include credentials, cookies, tokens, and personal data. Handle pcap files as sensitive artifacts:
- restrict access
- encrypt at rest
- delete after investigation
Bottom Line (Operational)
Port filtering is powerful when it is precise. Use small, hypothesis-driven captures with clear BPF expressions, then analyze offline. That gives faster root-cause analysis and fewer false conclusions.
Fast Triage Pattern for Service Outage
When a service appears down:
- capture SYN/SYN-ACK behavior on service port
- confirm packets hit the right interface
- compare client-side and server-side captures
- validate firewall counters/logs
This quickly tells you whether failure is on path, host firewall, or service process.
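As an added example (not part of the original article), the bash helper below applies the SYN/SYN-ACK triage above to the text output of tcpdump -n for one service port and prints a verdict. The sample capture lines are constructed, and the interface name, addresses and port are placeholders.

```bash
#!/usr/bin/env bash
# Added example: classify tcpdump -n text output for one service port.
# Input lines look like "HH:MM:SS.us IP 10.0.0.5.51234 > 10.0.0.15.443: Flags [S], ..."
# Typical capture to feed it (interface and port are placeholders):
#   sudo tcpdump -n -i eth0 -c 200 'tcp port 443' > syn-check.txt
set -eu

# triage_port PORT < tcpdump-text   -> prints one verdict:
#   SERVICE_UP       SYN answered by SYN-ACK from the port
#   SERVICE_REFUSED  SYN answered by RST from the port (host up, nothing listening)
#   NO_REPLY         SYNs seen but never answered (dropped on path or by a host
#                    firewall; compare with a server-side capture)
#   NO_SYN           no SYN to that port at all (wrong interface or filter?)
triage_port() {
  local port="$1"
  awk -v port="$port" '
    # IPv4 TCP lines: $3 = src "a.b.c.d.port", $5 = dst "a.b.c.d.port:", $7 = "[flags],"
    $2 == "IP" && $6 == "Flags" {
      split($3, s, "."); sub(/:$/, "", $5); split($5, d, ".")
      sport = s[5]; dport = d[5]
      flags = $7; gsub(/[][,]/, "", flags)
      if (dport == port && flags == "S")        syn++
      else if (sport == port && flags == "S.")  synack++
      else if (sport == port && flags ~ /^R/)   rst++
    }
    END {
      if (syn == 0)        print "NO_SYN"
      else if (synack > 0) print "SERVICE_UP"
      else if (rst > 0)    print "SERVICE_REFUSED"
      else                 print "NO_REPLY"
    }'
}

# Constructed sample captures (not real traffic).
SAMPLE_UP='12:00:01.000123 IP 10.0.0.5.51234 > 10.0.0.15.443: Flags [S], seq 100, win 64240, length 0
12:00:01.000456 IP 10.0.0.15.443 > 10.0.0.5.51234: Flags [S.], seq 200, ack 101, win 65160, length 0
12:00:01.000789 IP 10.0.0.5.51234 > 10.0.0.15.443: Flags [.], ack 201, win 502, length 0'
SAMPLE_REFUSED='12:00:02.000123 IP 10.0.0.5.51235 > 10.0.0.15.443: Flags [S], seq 300, win 64240, length 0
12:00:02.000456 IP 10.0.0.15.443 > 10.0.0.5.51235: Flags [R.], seq 0, ack 301, win 0, length 0'
SAMPLE_SILENT='12:00:03.000123 IP 10.0.0.5.51236 > 10.0.0.15.443: Flags [S], seq 400, win 64240, length 0
12:00:04.000123 IP 10.0.0.5.51236 > 10.0.0.15.443: Flags [S], seq 400, win 64240, length 0'

# Usage on a real capture: triage_port 443 < syn-check.txt
printf '%s\n' "$SAMPLE_UP"      | triage_port 443   # SERVICE_UP
printf '%s\n' "$SAMPLE_REFUSED" | triage_port 443   # SERVICE_REFUSED
printf '%s\n' "$SAMPLE_SILENT"  | triage_port 443   # NO_REPLY
```

A NO_REPLY verdict on the client side is only half the answer: run the same check on a server-side capture to tell a drop on the path from a drop by the host firewall.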
Bottom Line (Incident Response)
During incidents, tcpdump with tight port filters is one of the fastest ways to move from guesswork to packet-level evidence.