# Capture only the traffic you care about by filtering on ports with tcpdump, and speed up diagnosis

24.12.2025 | reading time: 2 min

Tcpdump lets the administrator capture only the packets that matter: filter by a single port to inspect one service, by source or destination port to follow a client, or by a port range to catch related flows. Run one command and watch live packets instead of sifting through noise.

## Real capture example

To watch HTTP traffic on any interface right now:

```bash
sudo tcpdump -i any -n 'tcp port 80'
```

Each output line shows the timestamp, the IP addresses and ports at both ends, and the TCP flags:

```text
15:04:01.123456 IP 192.0.2.10.54321 > 198.51.100.5.80: Flags [S], seq 0, win 64240, length 0
15:04:01.123789 IP 198.51.100.5.80 > 192.0.2.10.54321: Flags [S.], seq 0, ack 1, win 28960, length 0
```

## Tips and tricks

Use precise filters to reduce disk and CPU use:

- `port 80` matches both TCP and UDP, so prefer `tcp port 80` when you need HTTP only.
- `src port 53` or `dst port 22` limits the match to one direction; `portrange 1024-2048` matches a range of ports.
- Combine expressions with `and`, `or` and `not`.
- Save a capture with `-w` and read it back later with `-r`.
- Elevated privileges are normally required to capture on an interface.

## Relevant alternatives

When you need full packet decoding or a GUI, open the same capture in Wireshark; use `tshark` for scripted decoding on the CLI; use `ngrep` for quick payload regex matching; and consider firewall tools such as `iptables` or `nftables` for preventive filtering rather than passive capture.

## Final note

Start by filtering on ports to get an immediate signal from the traffic, then iterate with tighter expressions. Keep practicing with real captures to build intuition, consider formalizing your skills with a certificate such as CompTIA Linux+ or LPIC-1, and use bitsandbytes.academy for intensive exam preparation.
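The "Tips and tricks" section above claims that `port 80` is broader than `tcp port 80` and that `src`/`dst` narrow the direction. The following added example (not from this article, and not tcpdump or libpcap code) evaluates that small subset of the filter grammar (`tcp`/`udp` qualifiers, `src`/`dst`, `port`, `portrange`, `and`/`or`/`not`, no parentheses) against constructed packet records, so the difference between the expressions can be checked without a live capture.

```python
from dataclasses import dataclass
import re

@dataclass(frozen=True)
class Pkt:
    """Constructed packet record (not parsed from a pcap): protocol and ports."""
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int

def _primitive(tokens, pkt):
    """Evaluate one primitive, e.g. ['tcp', 'src', 'port', '80'], against pkt."""
    proto = direction = None
    i = 0
    if tokens[i] in ("tcp", "udp"):          # optional protocol qualifier
        proto, i = tokens[i], i + 1
    if tokens[i] in ("src", "dst"):          # optional direction qualifier
        direction, i = tokens[i], i + 1
    kind, arg = tokens[i], tokens[i + 1]
    if kind == "port":
        lo = hi = int(arg)
    elif kind == "portrange":
        lo, hi = (int(x) for x in arg.split("-"))
    else:
        raise ValueError(f"unsupported primitive: {' '.join(tokens)}")
    if proto and pkt.proto != proto:         # 'port 80' alone matches tcp and udp
        return False
    # Without src/dst, 'port' matches either end of the packet.
    ports = {"src": [pkt.sport], "dst": [pkt.dport]}.get(direction, [pkt.sport, pkt.dport])
    return any(lo <= p <= hi for p in ports)

def matches(expr, pkt):
    """Evaluate expr: 'not' binds to one primitive, 'and' binds tighter than 'or'."""
    def prim(s):
        toks, neg = s.split(), False
        while toks and toks[0] == "not":
            neg, toks = not neg, toks[1:]
        return _primitive(toks, pkt) != neg
    return any(all(prim(p) for p in re.split(r"\s+and\s+", clause))
               for clause in re.split(r"\s+or\s+", expr.strip()))

# Constructed sample traffic: one HTTP SYN, a DNS query, an SSH reply, a high-port flow.
SAMPLE = [Pkt("tcp", 54321, 80), Pkt("udp", 40000, 53),
          Pkt("tcp", 22, 40001), Pkt("udp", 1500, 80)]

def count_matches(exprs, packets=SAMPLE):
    """Return {expression: number of sample packets it would capture}."""
    return {e: sum(matches(e, p) for p in packets) for e in exprs}
```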