Snoop On Your Local Network with tcpdump
Your smart TV, your phone, your laptop, even your smart-light hub are constantly talking. They’re checking for updates, discovering each other, and sending analytics to who-knows-where. This network chatter is usually invisible, but with the right tools, you can listen in.
This guide will show you how to use tcpdump, the classic and powerful command-line packet analyzer, to explore the traffic on your own network and understand what’s happening under the hood.
A Quick Warning: Only run tcpdump on networks you own or have explicit permission to monitor. Capturing traffic on a corporate, public, or private network without authorization is unethical and likely illegal.
Getting Started: Your First Capture
To capture network traffic, tcpdump needs to be run with sudo. First, you need to find your network interface (like eth0 or wlan0) using the ip addr command. For this guide, we’ll use the special interface any to listen on all interfaces at once.
Running sudo tcpdump -i any by itself will produce an overwhelming wall of text. Let’s add some essential flags to make the output cleaner:
- -n: Don’t resolve hostnames (shows IP addresses instead, which is faster).
- -nn: Don’t resolve hostnames or port names (shows 80 instead of http).
Our basic, more readable command looks like this:
sudo tcpdump -i any -nn
The Key to Sanity: Using Filters
The real power of tcpdump lies in its filtering capabilities. Filters allow you to pluck the interesting needles from the haystack of network traffic.
- Filter by Host: Isolate traffic to or from a specific IP address.
  # See all traffic involving the device at 192.168.1.150
  sudo tcpdump -i any -nn host 192.168.1.150
- Filter by Port: Isolate a specific application. Port 53, for example, is for DNS.
  # See all DNS traffic
  sudo tcpdump -i any -nn port 53
- Combine Filters: Use and, or, and not to create more specific rules.
  # See traffic to or from 192.168.1.150, but ignore SSH traffic (port 22)
  sudo tcpdump -i any -nn 'host 192.168.1.150 and not port 22'
Recipes for Interesting Local Traffic
Here are some practical recipes to uncover the hidden chatter on your network.
Recipe 1: See All DNS Requests (The Gossip Mill)
DNS is the internet’s phonebook. By watching DNS traffic, you can see every domain that every device on your network tries to contact. This is the best way to find out what services your “smart” devices are communicating with.
Command:
sudo tcpdump -i any -nn 'port 53'
Example Output:
Here, a device at 10.0.0.10 is asking for the A (IPv4) and AAAA (IPv6) records for google.com.
18:01:15.123456 IP 10.0.0.10.53535 > 8.8.8.8.53: 12345+ A? google.com. (28)
18:01:15.123457 IP 10.0.0.10.53536 > 8.8.8.8.53: 12346+ AAAA? google.com. (28)
18:01:15.165432 IP 8.8.8.8.53 > 10.0.0.10.53535: 12345 1/0/0 A 172.217.14.238 (44)
18:01:15.165433 IP 8.8.8.8.53 > 10.0.0.10.53536: 12346 1/0/0 AAAA 2607:f8b0:4005:804::200e (56)
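To turn a DNS capture into something you can act on, here is an added example (not part of the original article) that parses the query lines tcpdump prints for 'port 53', builds a per-device list of the names each client asked for, and flags devices that talk to a resolver other than your router. The sample lines are constructed from the article's output plus two hypothetical devices; 10.0.0.1 is assumed to be the router.

```python
import re
from collections import defaultdict

# One tcpdump DNS *query* line, e.g.
# "18:01:15.123456 IP 10.0.0.10.53535 > 8.8.8.8.53: 12345+ A? google.com. (28)"
# Responses have no "?" after the record type, so they deliberately do not match.
DNS_QUERY = re.compile(
    r"^\S+ IP6? (?P<client>\S+)\.\d+ > (?P<resolver>\S+)\.53: "
    r"\d+\S* (?P<qtype>[A-Z]+)\? (?P<name>\S+?)\.? \(\d+\)$"
)

def dns_inventory(lines):
    """Map each client IP to the names it asked for and the resolvers it used.
    Returns {client: {"domains": {name: [qtypes]}, "resolvers": [ips]}}."""
    inv = defaultdict(lambda: {"domains": defaultdict(set), "resolvers": set()})
    for line in lines:
        m = DNS_QUERY.match(line.strip())
        if not m:
            continue  # a response, non-DNS noise, or a truncated line
        entry = inv[m["client"]]
        entry["domains"][m["name"]].add(m["qtype"])
        entry["resolvers"].add(m["resolver"])
    return {c: {"domains": {n: sorted(t) for n, t in e["domains"].items()},
                "resolvers": sorted(e["resolvers"])} for c, e in inv.items()}

def bypassing_local_dns(inventory, local_resolver):
    """Clients that sent queries to any resolver other than the router's.
    Such a device sidesteps whatever DNS blocking or logging the router does."""
    return sorted(c for c, e in inventory.items()
                  if any(r != local_resolver for r in e["resolvers"]))

# Constructed sample: the article's queries and one reply for 10.0.0.10, plus
# two hypothetical devices that use the router (10.0.0.1) as their resolver.
SAMPLE = """\
18:01:15.123456 IP 10.0.0.10.53535 > 8.8.8.8.53: 12345+ A? google.com. (28)
18:01:15.123457 IP 10.0.0.10.53536 > 8.8.8.8.53: 12346+ AAAA? google.com. (28)
18:01:15.165432 IP 8.8.8.8.53 > 10.0.0.10.53535: 12345 1/0/0 A 172.217.14.238 (44)
18:01:16.000001 IP 10.0.0.20.40001 > 10.0.0.1.53: 777+ A? updates.example.com. (37)
18:01:16.500000 IP 10.0.0.20.40002 > 10.0.0.1.53: 778+ A? telemetry.example.net. (39)
18:01:17.000000 IP 10.0.0.30.5353 > 10.0.0.1.53: 900+ PTR? 1.0.0.10.in-addr.arpa. (39)
""".splitlines()

if __name__ == "__main__":
    inv = dns_inventory(SAMPLE)
    for client, e in sorted(inv.items()):
        print(client, "asked for", sorted(e["domains"]), "via", e["resolvers"])
    print("bypassing router DNS:", bypassing_local_dns(inv, "10.0.0.1"))
```

On a real capture, feed it the lines from `sudo tcpdump -i any -nn -l 'port 53'` (the -l flag line-buffers the output so it can be piped).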
Recipe 2: Find New Devices Joining Your Network (The Doorman)
When a device joins a network, it uses DHCP to get an IP address. This process is often called “DORA” (Discover, Offer, Request, Acknowledge). You can watch this happen live.
Command:
sudo tcpdump -i any -v -nn 'port 67 or port 68'
Example Output:
You’ll see a series of four packets. Here’s a simplified look at the key information:
- Discover: A device with MAC address 00:11:22:33:44:55 shouts to the whole network (Broadcast).
  0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:11:22:33:44:55, length 300: DHCP-DISCOVER
- Offer: The DHCP server (192.168.1.1) offers an IP address (192.168.1.150).
  192.168.1.1.67 > 192.168.1.150.68: BOOTP/DHCP, Reply, length 300: DHCP-OFFER
- Request: The device formally requests the offered IP address.
  0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:11:22:33:44:55, length 300: DHCP-REQUEST for 192.168.1.150
- Acknowledge: The server confirms the lease.
  192.168.1.1.67 > 192.168.1.150.68: BOOTP/DHCP, Reply, length 300: DHCP-ACK
Recipe 3: Map Your Network with ARP (The Town Crier)
ARP (Address Resolution Protocol) is how devices find each other’s physical MAC addresses on a local network. It’s a constant, low-level chatter that gives you a live map of your network.
Command:
sudo tcpdump -i any -nn arp
Example Output:
Here, the device at 192.168.1.5 is asking who has the IP 192.168.1.1 (your router). The router then replies with its MAC address.
13:45:21.433469 ARP, Request who-has 192.168.1.1 tell 192.168.1.5, length 28
13:45:22.433469 ARP, Reply 192.168.1.1 is-at 00:14:22:51:54:32, length 46
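Recipes 2 and 3 together give you the raw material for a device inventory: DHCP tells you who asked for an address, ARP tells you who actually answers for it. The following added example (not from the original article) parses the simplified one-line DHCP and ARP forms shown above, builds an IP-to-MAC map, lists MACs missing from your own inventory, and flags any IP that two different MACs claim. The sample lines are the article's plus one constructed extra ARP reply from a hypothetical MAC.

```python
import re
from collections import defaultdict

# The simplified one-line forms shown in the article (real -v output is multi-line):
#   "... Request from 00:11:22:33:44:55, length 300: DHCP-REQUEST for 192.168.1.150"
#   "13:45:22.433469 ARP, Reply 192.168.1.1 is-at 00:14:22:51:54:32, length 46"
MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
DHCP_REQUEST = re.compile(rf"Request from (?P<mac>{MAC}).*DHCP-REQUEST for (?P<ip>{IPV4})", re.I)
ARP_REPLY = re.compile(rf"ARP, Reply (?P<ip>{IPV4}) is-at (?P<mac>{MAC})", re.I)

def device_map(lines):
    """Build {ip: [mac, ...]} from DHCP-REQUEST and ARP-reply lines.
    DHCP shows who asked for an address; ARP shows who actually answers for it."""
    claims = defaultdict(set)
    for line in lines:
        for pattern in (DHCP_REQUEST, ARP_REPLY):
            m = pattern.search(line)
            if m:
                claims[m["ip"]].add(m["mac"].lower())
    return {ip: sorted(macs) for ip, macs in claims.items()}

def unknown_devices(devmap, known_macs):
    """MACs seen on the wire that are not in your own device inventory."""
    known = {m.lower() for m in known_macs}
    return sorted({m for macs in devmap.values() for m in macs} - known)

def ip_conflicts(devmap):
    """IPs claimed by more than one MAC. A normal lease never looks like this;
    it points to a duplicate static address or a host answering for another."""
    return {ip: macs for ip, macs in devmap.items() if len(macs) > 1}

# Constructed sample: the article's DORA and ARP lines, plus one extra ARP reply
# in which a second (hypothetical) MAC answers for the router's address.
SAMPLE = """\
0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:11:22:33:44:55, length 300: DHCP-DISCOVER
192.168.1.1.67 > 192.168.1.150.68: BOOTP/DHCP, Reply, length 300: DHCP-OFFER
0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:11:22:33:44:55, length 300: DHCP-REQUEST for 192.168.1.150
192.168.1.1.67 > 192.168.1.150.68: BOOTP/DHCP, Reply, length 300: DHCP-ACK
13:45:21.433469 ARP, Request who-has 192.168.1.1 tell 192.168.1.5, length 28
13:45:22.433469 ARP, Reply 192.168.1.1 is-at 00:14:22:51:54:32, length 46
13:45:30.000000 ARP, Reply 192.168.1.1 is-at aa:bb:cc:dd:ee:ff, length 46
""".splitlines()

if __name__ == "__main__":
    devices = device_map(SAMPLE)
    print("devices:", devices)
    print("not in inventory:", unknown_devices(devices, ["00:14:22:51:54:32"]))
    print("conflicting claims:", ip_conflicts(devices))
```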
Recipe 4: Uncover Unencrypted Web Traffic
While most web traffic is now encrypted with HTTPS (port 443), some older devices or applications still use plain HTTP (port 80). You can read this data in plain text using the -A flag.
Command:
sudo tcpdump -i any -nn -A 'port 80'
What to Look For:
If you see any traffic, the -A flag will print the ASCII content of the packets. Look for lines starting with GET / or POST /. You might see HTML, JSON, or other plain text data being exchanged. It can be surprising to see which devices still communicate in the clear.
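Scrolling through -A output by hand gets old quickly, so here is an added example (not from the original article) that walks the text line by line, ties every GET/POST request line back to the client IP in the packet header that preceded it, records the Host header, and notes requests carrying an Authorization or Cookie header in the clear. The sample output is constructed (the junk characters tcpdump prints for binary header bytes are shortened) and the hosts are placeholders.

```python
import re
from collections import defaultdict

# Per-packet header line; with -A the ASCII payload follows it on the next lines.
# Only packets sent *to* port 80 carry requests; a response header resets state.
PKT_HEADER = re.compile(
    r"^\d\d:\d\d:\d\d\.\d+ IP6? (?P<src>\S+)\.\d+ > (?P<dst>\S+)\.(?P<dport>\d+): ")
REQUEST_LINE = re.compile(r"^(?P<method>GET|POST|PUT|HEAD|DELETE) (?P<path>\S+) HTTP/1\.[01]")
SENSITIVE = ("Authorization:", "Cookie:")

def cleartext_http(lines):
    """Attribute each plain-HTTP request in 'tcpdump -A port 80' output to its client."""
    by_client = defaultdict(list)  # client_ip -> [{method, path, host, sensitive}]
    src, current = None, None
    for raw in lines:
        line = raw.rstrip("\r")
        h = PKT_HEADER.match(line)
        if h:
            src, current = (h["src"] if h["dport"] == "80" else None), None
            continue
        r = REQUEST_LINE.match(line)
        if r and src:
            current = {"method": r["method"], "path": r["path"], "host": None, "sensitive": []}
            by_client[src].append(current)
            continue
        if current is None:
            continue  # raw header bytes, a response body, or a packet we do not track
        if line.startswith("Host: "):
            current["host"] = line[6:].strip()
        elif line.startswith(SENSITIVE):
            current["sensitive"].append(line.split(":", 1)[0])
    return dict(by_client)

def with_sensitive_headers(report):
    """Clients that sent an Authorization or Cookie header over plain HTTP."""
    return sorted(c for c, reqs in report.items() if any(r["sensitive"] for r in reqs))

# Constructed sample of -A output; the binary IP/TCP header bytes tcpdump prints
# as junk characters are shortened to "E..w..@.@..".
SAMPLE = """\
18:02:01.000001 IP 192.168.1.150.49152 > 93.184.216.34.80: Flags [P.], seq 1:120, ack 1, win 502, length 119
E..w..@.@..
GET /firmware/check?model=tv HTTP/1.1
Host: updates.example.com
18:02:01.050000 IP 93.184.216.34.80 > 192.168.1.150.49152: Flags [P.], seq 1:200, ack 120, win 501, length 199
18:02:05.000000 IP 192.168.1.77.51000 > 198.51.100.9.80: Flags [P.], seq 1:90, ack 1, win 502, length 89
POST /api/login HTTP/1.1
Host: hub.example.net
Authorization: Basic REDACTED-IN-SAMPLE
""".splitlines()
```

Calling cleartext_http(SAMPLE) returns one GET for 192.168.1.150 and one POST for 192.168.1.77, and with_sensitive_headers() singles out the latter as the device sending credentials without encryption.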
Saving Captures for Later
Sometimes, you need to save a packet capture to analyze it more deeply later. You can save the raw data to a .pcap file:
# Press Ctrl+C to stop capturing
sudo tcpdump -i any -w my_capture.pcap
You can then read this file with tcpdump or, even better, open it in Wireshark, a powerful graphical tool that makes exploring and filtering saved traffic much easier.