tcpdump is a powerful command-line packet analyzer that allows you to capture and inspect network traffic. One of its most useful features is the ability to filter traffic by port, helping you focus on specific services or applications.
Basic Port Filtering Syntax
To capture traffic on a specific port, use the port keyword:
sudo tcpdump port 80
This captures every packet whose source or destination port is 80 (HTTP), so both directions of each connection are shown. On its own, port matches TCP and UDP alike; use tcp port 80 to restrict the capture to TCP.
Source and Destination Ports
You can specify whether to filter by source or destination port:
# Capture traffic FROM port 443 (source port)
sudo tcpdump src port 443
# Capture traffic TO port 443 (destination port)
sudo tcpdump dst port 443
Multiple Ports
To monitor multiple ports, combine port expressions with the or operator, or use the portrange keyword for a contiguous range (inclusive at both ends):
# Capture HTTP and HTTPS traffic
sudo tcpdump port 80 or port 443
# Capture a range of ports
sudo tcpdump portrange 8000-8080
Combining Port Filters with Other Criteria
Combine port filters with host or protocol filters using the logical operators and, or and not:
# Capture SSH traffic to or from a specific host
sudo tcpdump port 22 and host 192.168.1.100
# Capture DNS traffic (UDP port 53)
sudo tcpdump udp and port 53
# Exclude a specific port (for example your own SSH session when capturing on a remote host)
sudo tcpdump not port 22
Useful Options
Enhance your tcpdump output with these options. Place options before the filter expression; some tcpdump builds reject options that follow the filter:
# Save the raw capture to a file for later analysis
sudo tcpdump -w capture.pcap port 80
# Show packet contents in hex and ASCII
sudo tcpdump -X port 443
# Stop after a fixed number of packets
sudo tcpdump -c 100 port 25
# Don't resolve addresses or port numbers to names (faster, and avoids DNS lookups)
sudo tcpdump -n port 80
Common Use Cases
- Web traffic: sudo tcpdump port 80 or port 443
- Email: sudo tcpdump port 25 or port 587 or port 993
- Database (MySQL or PostgreSQL): sudo tcpdump port 3306 or port 5432
- SSH: sudo tcpdump port 22
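As an added illustration (not tcpdump's own code), the following Python models the matching rules behind the filter keywords used above and checks them against constructed sample packets; it shows, for example, that port 80 matches both directions of a flow and that port 53 without a udp qualifier also picks up DNS carried over TCP.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:            # constructed packet summary, not a real capture
    proto: str           # "tcp" or "udp"
    src_host: str
    sport: int
    dst_host: str
    dport: int

# Each primitive returns a predicate over Packet, mirroring the tcpdump keyword in its comment
def port(n): return lambda p: n in (p.sport, p.dport)             # 'port N': EITHER endpoint
def src_port(n): return lambda p: p.sport == n                     # 'src port N'
def dst_port(n): return lambda p: p.dport == n                     # 'dst port N'
def portrange(lo, hi):                                             # 'portrange LO-HI', inclusive
    return lambda p: lo <= p.sport <= hi or lo <= p.dport <= hi
def proto(name): return lambda p: p.proto == name                  # 'tcp' / 'udp' qualifier
def host(addr): return lambda p: addr in (p.src_host, p.dst_host)  # 'host A': either endpoint
def and_(*fs): return lambda p: all(f(p) for f in fs)              # 'and'
def or_(*fs): return lambda p: any(f(p) for f in fs)               # 'or'
def not_(f): return lambda p: not f(p)                             # 'not'

def count(f, packets):
    """Number of packets the filter would let through."""
    return sum(1 for p in packets if f(p))

SAMPLE = [  # constructed sample traffic, not a real capture
    Packet("tcp", "192.168.1.50", 51000, "93.184.216.34", 80),   # HTTP request
    Packet("tcp", "93.184.216.34", 80, "192.168.1.50", 51000),   # HTTP reply
    Packet("tcp", "192.168.1.50", 51001, "93.184.216.34", 443),  # HTTPS
    Packet("udp", "192.168.1.50", 53000, "192.168.1.1", 53),     # DNS over UDP
    Packet("tcp", "192.168.1.50", 53002, "192.168.1.1", 53),     # DNS over TCP
    Packet("tcp", "10.0.0.9", 40000, "192.168.1.100", 22),       # SSH to .100
    Packet("tcp", "10.0.0.9", 40001, "192.168.1.200", 22),       # SSH to .200
    Packet("tcp", "192.168.1.50", 52000, "10.0.0.20", 8080),     # inside 8000-8080
]

def demo():
    """Match counts for the filters used on this page, run against SAMPLE."""
    return {
        "port 80": count(port(80), SAMPLE),                               # 2: request and reply
        "dst port 80": count(dst_port(80), SAMPLE),                       # 1: request only
        "port 53": count(port(53), SAMPLE),                               # 2: UDP and TCP DNS
        "udp and port 53": count(and_(proto("udp"), port(53)), SAMPLE),   # 1
        "port 22 and host 192.168.1.100": count(and_(port(22), host("192.168.1.100")), SAMPLE),  # 1
        "not port 22": count(not_(port(22)), SAMPLE),                     # 6: both SSH flows gone
        "portrange 8000-8080": count(portrange(8000, 8080), SAMPLE),      # 1
        "port 80 or port 443": count(or_(port(80), port(443)), SAMPLE),   # 3
    }
```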
Port filtering with tcpdump is essential for network troubleshooting, security analysis, and monitoring specific applications without capturing unnecessary traffic.