Packet capturing on Linux

When a problem occurs, capturing packets on the server is often a useful troubleshooting step, because it shows what actually goes over the network. This article explains how to capture packets on Linux.

To capture packets on Linux:

  1. Start packet capturing by running the following command:

    # tcpdump -i any -p -s 0 -l -w [filename.cap]

    (Use any name you like for filename.cap, for example fsigk-20070101.cap as in the example below.)

    (If you are connected to the server over SSH, keep the packets of your own SSH session out of the capture by appending the filter expression

    not port ssh

    to the end of the command.)
  2. Reproduce the problem.
  3. Stop capturing by pressing Ctrl-C.

The capture is written to the file filename.cap.

To check that the packets are correctly captured:
  1. Run the following command (example):

    # tcpdump -i any -p -s 0 -l -w fsigk-20070101.cap
    tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
    *** reproduce the problem here ***
    *** Push Ctrl-C after the problem happens ***
    80 packets captured
    80 packets received by filter
    0 packets dropped by kernel
    # tcpdump -n -r fsigk-20070101.cap
    reading from file fsigk-20070101.cap, link-type LINUX_SLL (Linux cooked)
    14:46:02.087325 IP > P 3536306927:3536307055(128) ack 3370430943 win 2728
    14:46:02.087331 IP > P 0:128(128) ack 1 win 2728
    14:46:02.087430 IP > . ack 128 win 19292

  2. You can also open and analyze the capture file (xxx.cap) with Wireshark on Windows or Linux. For more information on Wireshark, see
  3. To read the file in Wireshark, double-click xxx.cap or select File > Open.
  4. To see a whole conversation, select one of its packets, right-click it and then select Follow TCP Stream.
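The read-back check above, done in Python, as an added example that is not part of the original article: it parses a Linux cooked (LINUX_SLL, link type 113) capture file such as tcpdump -i any -w produces, leaves out SSH traffic the way the not port ssh filter would, and prints tcpdump-style lines for the remaining TCP packets. The pcap bytes are constructed inline with placeholder addresses and ports, not taken from a real capture.

```python
import struct
from datetime import datetime, timezone

LINKTYPE_LINUX_SLL = 113  # "Linux cooked": the link type `tcpdump -i any -w` writes
SLL_HDR_LEN = 16          # pkttype(2) arphrd(2) halen(2) addr(8) proto(2)

def build_frame(src, dst, sport, dport, flags, seq, ack, win, payload=b""):  # constructed test data
    ip_len = 40 + len(payload)  # 20-byte IPv4 header + 20-byte TCP header + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, win, 0, 0)
    sll = struct.pack("!HHH8sH", 0, 1, 6, b"\0" * 8, 0x0800)  # cooked header, proto = IPv4
    return sll + ip + tcp + payload

def build_pcap(records, snaplen=65535):  # wrap (ts_sec, ts_usec, frame) records as a pcap file
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, LINKTYPE_LINUX_SLL)
    for ts_sec, ts_usec, frame in records:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
    return out

def summarize(pcap, exclude_port=22):
    """tcpdump-style one-liners for the TCP packets of a LINUX_SLL pcap, skipping
    both directions of exclude_port (the effect of a `not port ssh` filter)."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", pcap[:24])
    if magic != 0xA1B2C3D4 or linktype != LINKTYPE_LINUX_SLL:
        raise ValueError("not a little-endian LINUX_SLL pcap")
    lines, off = [], 24
    while off + 16 <= len(pcap):
        ts_sec, ts_usec, incl_len, _ = struct.unpack("<IIII", pcap[off:off + 16])
        frame, off = pcap[off + 16:off + 16 + incl_len], off + 16 + incl_len
        ip = frame[SLL_HDR_LEN:]
        if struct.unpack("!H", frame[14:16])[0] != 0x0800 or ip[9] != 6:
            continue  # only IPv4/TCP is decoded here
        ihl, total = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
        src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
        sport, dport, seq, ack, doff, flags, win = struct.unpack("!HHIIBBH", ip[ihl:ihl + 16])
        if exclude_port in (sport, dport):
            continue
        plen = total - ihl - (doff >> 4) * 4
        fl = "".join(n for bit, n in ((1, "F"), (2, "S"), (4, "R"), (8, "P")) if flags & bit) or "."
        ts = datetime.fromtimestamp(ts_sec, timezone.utc).strftime("%H:%M:%S") + f".{ts_usec:06d}"
        lines.append(f"{ts} IP {src}.{sport} > {dst}.{dport}: {fl} {seq}:{seq + plen}({plen}) ack {ack} win {win}")
    return lines

# Constructed sample: one SSH packet (to be filtered out) and a two-packet HTTP exchange.
SAMPLE = build_pcap([
    (1167662762, 87325, build_frame("10.0.0.2", "10.0.0.1", 22, 51000, 0x18, 100, 1, 2728, b"x" * 64)),
    (1167662762, 87331, build_frame("10.0.0.1", "10.0.0.2", 40000, 80, 0x18, 3536306927, 3370430943, 2728, b"y" * 128)),
    (1167662762, 87430, build_frame("10.0.0.2", "10.0.0.1", 80, 40000, 0x10, 3370430943, 3536307055, 19292)),
])
```

Running summarize(SAMPLE) on a file saved by the procedure above would list the packets the same way tcpdump -n -r does; pass exclude_port=None to keep the SSH packets as well.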
Version history: revision 12 of 12, last updated 11-10-2019 06:51 AM.