How to Get a Packet Capture with tcpdump

When troubleshooting a network or connectivity issue, Automox Support may ask you to capture the traffic on a device using tcpdump, a command-line packet capture tool. This guide walks through capturing that traffic and sharing it with Support.

tcpdump runs natively on Linux (install it from your distribution's package manager if needed) and macOS (included by default). The commands below are identical on both. tcpdump is not available on Windows; capture traffic there with the built-in pktmon tool or Wireshark instead.

Capturing Traffic

Packet capture requires administrator privileges, so the commands below use sudo.

  1. Identify the interface to capture on. List the available network interfaces:

    sudo tcpdump -D

  2. Start the capture, writing the output to a file:

    sudo tcpdump -i <interface> -w capture.pcap

    Replace <interface> with the interface from step 1. tcpdump captures full-sized packets by default, so no snap-length option is needed.

  3. Reproduce the issue you are troubleshooting while the capture runs, so the relevant traffic is recorded.
  4. Stop the capture with Ctrl+C. The traffic is saved to capture.pcap in your current directory.

Useful Options

You can refine a capture with the following options. For the complete list, see the official tcpdump man page or run man tcpdump on the device.

Option            Description
-i <interface>    Capture on a specific interface (use -i any for all interfaces)
-w <file>         Write raw packets to a file for later analysis
-c <count>        Stop automatically after capturing a set number of packets
host <address>    Capture only traffic to or from a specific host
port <number>     Capture only traffic on a specific port
-n                Skip DNS resolution to reduce noise and overhead

For example, to capture only traffic between the device and the Automox console endpoint:

sudo tcpdump -i <interface> -w capture.pcap host console.automox.com

Sharing the Capture with Support

Attach the resulting capture.pcap file to your support ticket. Avoid leaving a capture running longer than necessary, as files can grow large quickly.
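
The capture steps and the -n, -c and host options above can be combined into one bounded capture, so the file cannot keep growing if the session is forgotten. This is an added example, not an Automox script. The function names, the MAX_SECONDS variable and the use of the GNU timeout command are assumptions; timeout is not on a stock macOS install, and there only the packet count bounds the capture.

```shell
#!/bin/sh
# Added example: bounded tcpdump capture. Function names and MAX_SECONDS are
# assumptions for illustration, not part of tcpdump or any Automox tooling.

MAX_SECONDS=${MAX_SECONDS:-120}   # wall-clock limit, used only if `timeout` exists

# Validate the inputs and print the tcpdump argument list on one line.
# Each value is restricted to characters that cannot split into extra
# words or options when the list is expanded unquoted in run_capture.
capture_args() {
    iface=$1 outfile=$2 count=$3 host=$4
    case $iface in
        ''|*[!A-Za-z0-9._:-]*) echo "invalid interface: $iface" >&2; return 1 ;;
    esac
    case $outfile in
        *[!A-Za-z0-9._/-]*) echo "invalid file name: $outfile" >&2; return 1 ;;
        *.pcap) ;;
        *) echo "output file must end in .pcap" >&2; return 1 ;;
    esac
    case $count in
        ''|*[!0-9]*) echo "packet count must be a number" >&2; return 1 ;;
    esac
    case $host in
        # a leading "-" is rejected so the filter is never parsed as an option
        ''|-*|*[!A-Za-z0-9.:-]*) echo "invalid host: $host" >&2; return 1 ;;
    esac
    # -n: no name lookups, -c: stop after <count> packets, -w: write raw packets
    printf '%s\n' "-n -i $iface -c $count -w $outfile host $host"
}

# Run the capture: it ends at <count> packets, at MAX_SECONDS, or on Ctrl+C.
run_capture() {
    args=$(capture_args "$@") || return 1
    if command -v timeout >/dev/null 2>&1; then
        # $args is intentionally unquoted; capture_args has validated it
        sudo timeout "$MAX_SECONDS" tcpdump $args
    else
        sudo tcpdump $args
    fi
    ls -l "$2"    # show the file size before attaching it to the ticket
}

# Usage: sh capture.sh <interface> capture.pcap 5000 console.automox.com
if [ "$#" -eq 4 ]; then run_capture "$@"; fi
```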
