Jul 19, 2025
2 min read

Tcpdump: The basics

Learn how to use Tcpdump to save, filter, and display packets.


Task 1

Introduction

  1. What is the name of the library that is associated with tcpdump?
libpcap

Task 2

Basic Packet Capture

  1. What option can you add to your command to display addresses only in numeric format?
-n

Task 3

Filtering Expressions

  1. How many packets in traffic.pcap use the ICMP protocol?

Run this command:

tcpdump icmp -r traffic.pcap | wc -l
26

  2. What is the IP address of the host that asked for the MAC address of 192.168.124.137?

Run this command:

tcpdump -r traffic.pcap dst 192.168.124.137 and arp
192.168.124.148

  3. What hostname (subdomain) appears in the first DNS query?

Run this command:

tcpdump -r traffic.pcap port 53 -c 1
mirrors.rockylinux.org

Task 4

Advanced Filtering

  1. How many packets have only the TCP Reset (RST) flag set?

Run this command:

tcpdump -r traffic.pcap "tcp[tcpflags] == tcp-rst" | wc -l
57

  2. What is the IP address of the host that sent packets larger than 15000 bytes?

Run this command:

tcpdump -r traffic.pcap greater 15000 -c 1 -n
185.117.80.53
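The first question in this task relies on the difference between `tcp[tcpflags] == tcp-rst` (RST and nothing else) and a mask test such as `tcp[tcpflags] & tcp-rst != 0` (RST in any combination, e.g. RST/ACK). The following added example, which is not part of the room or of tcpdump, builds a few constructed 20-byte TCP headers and applies both checks the way tcpdump evaluates byte 13 of the header:

```python
import struct

# TCP flag bits as they appear in byte 13 of the TCP header (tcpdump's tcp[tcpflags]).
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def make_tcp_header(sport, dport, flags):
    """Build a minimal 20-byte TCP header (no options) carrying the given flags byte."""
    data_offset = 5 << 4  # header length = 5 x 32-bit words, stored in the high nibble
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset, flags, 65535, 0, 0)


def tcpflags(tcp_header):
    """Return the flags byte, i.e. what tcpdump's tcp[tcpflags] (tcp[13]) reads."""
    return tcp_header[13]


def only_rst(tcp_header):
    """Equivalent of the filter tcp[tcpflags] == tcp-rst: RST set and no other flag."""
    return tcpflags(tcp_header) == TCP_RST


def has_rst(tcp_header):
    """Equivalent of tcp[tcpflags] & tcp-rst != 0: RST set, possibly with other flags."""
    return tcpflags(tcp_header) & TCP_RST != 0


# Constructed sample headers (hypothetical traffic, not taken from traffic.pcap).
SAMPLE_HEADERS = [
    make_tcp_header(40000, 80, TCP_SYN),            # SYN
    make_tcp_header(80, 40000, TCP_RST),            # pure RST
    make_tcp_header(80, 40000, TCP_RST | TCP_ACK),  # RST/ACK
    make_tcp_header(40000, 80, TCP_PSH | TCP_ACK),  # PSH/ACK
    make_tcp_header(80, 40000, TCP_RST),            # pure RST
]


def count(predicate, headers=SAMPLE_HEADERS):
    """Count headers matching a filter predicate, like piping tcpdump output to wc -l."""
    return sum(1 for h in headers if predicate(h))


if __name__ == "__main__":
    print("only RST (== tcp-rst):", count(only_rst))          # 2
    print("RST in any combination (& tcp-rst):", count(has_rst))  # 3
```

The two counts differ because RST/ACK matches the mask test but not the equality test, which is why the room's question about packets with *only* the RST flag uses `==`.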

Task 5

Displaying Packets

  1. What is the MAC address of the host that sent an ARP request?

Run this command:

tcpdump arp -r traffic.pcap -e
52:54:00:7c:d3:5b

Task 6

Conclusion

  1. Ensure you have noted the various Tcpdump options we covered in this room.
No answer needed