You’re staring at tcpdump output and it looks like hieroglyphics. It’s not just random characters; it’s a precise, albeit dense, representation of network packets. Understanding it is key to debugging anything from slow applications to outright network failures.
Let’s break down a typical tcpdump line, focusing on a common scenario: a TCP connection.
14:35:01.123456 IP 192.168.1.10.54321 > 192.168.1.20.80: Flags [S], seq 1234567890, win 65535, options [mss 1460], length 0
The first part, 14:35:01.123456, is the timestamp. tcpdump records this with microsecond precision, which is crucial for correlating events across different systems or for identifying tiny delays. It tells you exactly when this packet traversed your network interface.
Next, IP. This indicates the network layer protocol. For IPv4 packets, you’ll see IP; for IPv6, IP6. Other common ones include ARP for Address Resolution Protocol, or MPLS for Multi-Protocol Label Switching.
Then comes the source and destination. 192.168.1.10.54321 > 192.168.1.20.80. This shows the originating IP address and port (192.168.1.10.54321) and the target IP address and port (192.168.1.20.80). The > symbol separates source from destination. The port numbers are vital for identifying the specific application or service involved. Port 80, for example, is typically HTTP. A high-numbered port like 54321 is usually an ephemeral client-side port.
The part after the colon, Flags [S], seq 1234567890, win 65535, options [mss 1460], length 0, is the transport layer (and potentially application layer) information.
Flags [S]: This is critical for TCP. S signifies a SYN (synchronize) flag, the first packet in a TCP three-way handshake. Other common flags include [.] for ACK (acknowledge), [P] for PSH (push), [F] for FIN (finish), and [R] for RST (reset). A packet might have multiple flags, like [S.] for a SYN-ACK.
seq 1234567890: This is the TCP sequence number. It indicates the byte number in the stream of data that this packet represents. For a SYN packet, it’s the initial sequence number.
win 65535: This is the TCP window size. It tells the sender how much data the receiver is currently willing to accept. A large window like 65535 means the receiver has ample buffer space. A small or zero window can indicate congestion or a slow receiver.
options [mss 1460]: TCP options are extra parameters. mss 1460 here means the Maximum Segment Size. This is the largest amount of data a TCP segment can carry (excluding TCP headers). 1460 is a common value, often derived from the MTU of the underlying network (e.g., 1500 bytes MTU minus 20 bytes IP header minus 20 bytes TCP header).
length 0: This is the length of the data payload in the packet, not including IP or TCP headers. A SYN packet, as in this example, carries no data, hence length 0. A packet carrying HTTP data would have a non-zero length.
Let’s look at another line, this time an ACK packet in response to the SYN:
14:35:01.123500 IP 192.168.1.20.80 > 192.168.1.10.54321: Flags [S.], seq 987654321, ack 1234567891, win 65535, options [mss 1460], length 0
Notice the Flags [S.]. This is a SYN-ACK, the server’s response to the client’s SYN. It acknowledges the client’s SYN (ack 1234567891) and provides its own initial sequence number (seq 987654321). The ack number is always the next sequence number the receiver expects. So, the client sent seq 1234567890, and the server is expecting the next byte to be 1234567891.
Now, a data packet:
14:35:01.200000 IP 192.168.1.10.54321 > 192.168.1.20.80: Flags [P.], seq 1234567891, ack 987654322, win 65535, length 1024
This line shows a packet with the [P.] flags: PSH (push) and ACK. The PSH flag tells the receiving TCP stack to push the data to the application layer immediately, without waiting for more data to fill the buffer. The ack 987654322 acknowledges the server’s SYN-ACK (which had seq 987654321). The seq 1234567891 indicates this is the next sequence number from the client’s perspective, following the initial SYN. The length 1024 shows that this packet carries 1024 bytes of actual data.
Finally, a FIN packet to close the connection:
14:35:05.500000 IP 192.168.1.10.54321 > 192.168.1.20.80: Flags [F.], seq 1234577890, ack 987655345, win 65535, length 0
Here, Flags [F.] indicates a FIN (finish) and ACK. The sender is signaling that it has no more data to send. The seq and ack numbers continue the sequence, and length 0 means this FIN packet itself doesn’t carry application data.
The core takeaway is that each field in a tcpdump line, from the timestamp to the payload length, tells a specific story about the packet’s journey and its role in the communication protocol. You can reconstruct entire conversations, identify dropped packets (gaps in sequence numbers or missing ACKs), measure latency (time between related packets), and pinpoint the source of network issues by meticulously reading these lines.
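To make that reading mechanical, here is an added Python example (not part of the article) that parses lines in the layout shown above into their fields, then walks the article’s four packets per direction to report sequence-number gaps, acknowledgements for bytes the capture never showed, and the SYN to SYN-ACK delay. It assumes absolute sequence numbers as in the lines above (tcpdump prints relative ones after the SYN unless run with -S) and single-line output like the samples; the dict keys and function names are my own.

```python
import re
from datetime import datetime, timedelta

# Field layout of the TCP lines explained above; "seq a:b" ranges and a missing ack/options are accepted.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d{6}) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\], seq (?P<seq>\d+)(?::\d+)?"
    r"(?:, ack (?P<ack>\d+))?, win (?P<win>\d+)"
    r"(?:, options \[(?P<opts>[^\]]*)\])?, length (?P<length>\d+)$"
)

def parse_line(line):
    """Split one tcpdump TCP line into its fields; raise on anything else."""
    if not (m := LINE_RE.match(line.strip())):
        raise ValueError(f"not a tcpdump TCP line: {line!r}")
    d = m.groupdict()
    return {"ts": datetime.strptime(d["ts"], "%H:%M:%S.%f"), "flags": d["flags"],
            "src": f"{d['src']}:{d['sport']}", "dst": f"{d['dst']}:{d['dport']}",
            "seq": int(d["seq"]), "ack": int(d["ack"]) if d["ack"] else None,
            "win": int(d["win"]), "length": int(d["length"])}

def next_seq(p):
    """Sequence number this sender uses next: payload bytes, plus one each for SYN and FIN."""
    return p["seq"] + p["length"] + int("S" in p["flags"]) + int("F" in p["flags"])

def analyze(lines):
    """Walk a capture per direction: seq gaps, acks for bytes never seen, SYN->SYN-ACK time."""
    expected, gaps, unseen_acks, syn_at, rtt_us = {}, [], [], None, None
    for p in map(parse_line, lines):
        fwd, rev = (p["src"], p["dst"]), (p["dst"], p["src"])
        if fwd in expected and p["seq"] != expected[fwd]:
            gaps.append((p["src"], p["seq"] - expected[fwd]))          # bytes missing from capture
        if p["ack"] is not None and rev in expected and p["ack"] != expected[rev]:
            unseen_acks.append((p["src"], p["ack"] - expected[rev]))   # peer data not captured
        expected[fwd] = next_seq(p)
        if p["flags"] == "S":
            syn_at = p["ts"]
        elif p["flags"] == "S." and syn_at is not None and rtt_us is None:
            rtt_us = (p["ts"] - syn_at) // timedelta(microseconds=1)
    return {"gaps": gaps, "unseen_acks": unseen_acks, "handshake_rtt_us": rtt_us}

# The four lines from the article, in order.
PAGE_LINES = [
    "14:35:01.123456 IP 192.168.1.10.54321 > 192.168.1.20.80: Flags [S], seq 1234567890, win 65535, options [mss 1460], length 0",
    "14:35:01.123500 IP 192.168.1.20.80 > 192.168.1.10.54321: Flags [S.], seq 987654321, ack 1234567891, win 65535, options [mss 1460], length 0",
    "14:35:01.200000 IP 192.168.1.10.54321 > 192.168.1.20.80: Flags [P.], seq 1234567891, ack 987654322, win 65535, length 1024",
    "14:35:05.500000 IP 192.168.1.10.54321 > 192.168.1.20.80: Flags [F.], seq 1234577890, ack 987655345, win 65535, length 0",
]
```

Run on the article’s lines, analyze(PAGE_LINES) reports a 44 µs handshake and, between the data segment and the FIN, 8975 client bytes and 1023 server bytes that the four lines do not show, which is exactly the kind of gap to look for when hunting lost or uncaptured segments.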
By default, tcpdump might truncate the output. You can use the -s 0 option to capture the full packet, which is essential if you need to inspect application-level data, not just headers.