With tcpdump, you can filter packets by specific network protocols, such as TCP, UDP, ICMP, or ARP. This is helpful when you only want to see traffic for a certain type of communication, like web traffic (TCP) or ping requests (ICMP).

These filters tell tcpdump to capture only packets that match the selected protocol, ignoring everything else.

Common Protocol Filters

You can simply write the protocol name:

tcpdump tcp

Captures only TCP packets.

tcpdump udp

Captures only UDP packets.

tcpdump icmp

Captures only ICMP packets (used in ping).

tcpdump arp

Captures only ARP packets (used for address resolution).

Combine with Other Filters

You can combine protocol filters with host or port expressions and with the interface option (-i):

tcpdump -i eth0 tcp port 443

Captures TCP traffic to or from port 443 on the eth0 interface.

tcpdump udp and port 53

Captures UDP packets to or from port 53 (used for DNS).
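
The following is an added example, not part of the original page and not tcpdump's own code. It mimics in Python which header fields the filters above test, using constructed frames. The function names and sample frames are hypothetical, and it assumes IPv4 over untagged Ethernet with no fragments.

```python
import struct

ETH_IPV4, ETH_ARP = 0x0800, 0x0806
IP_PROTO = {1: "icmp", 6: "tcp", 17: "udp"}  # IPv4 protocol field values

def classify(frame):
    """Return (protocol, src_port, dst_port) for one Ethernet frame."""
    if len(frame) < 14:
        return (None, None, None)
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETH_ARP:              # `arp` is decided by the EtherType
        return ("arp", None, None)
    if ethertype != ETH_IPV4 or len(frame) < 34:
        return (None, None, None)
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    proto = IP_PROTO.get(frame[14 + 9])   # protocol field: byte 9 of the IP header
    l4 = 14 + ihl                         # start of the TCP/UDP header
    if proto in ("tcp", "udp") and len(frame) >= l4 + 4:
        sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
        return (proto, sport, dport)
    return (proto, None, None)            # ICMP and ARP carry no ports

def matches(frame, proto=None, port=None):
    """Mimic `<proto>`, `port N` or `<proto> and port N` (source OR destination)."""
    p, sport, dport = classify(frame)
    return (proto is None or p == proto) and (port is None or port in (sport, dport))

def build_frame(ethertype, ip_proto=0, sport=0, dport=0):
    """Build a constructed test frame; addresses are documentation values."""
    eth = b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ethertype)
    if ethertype != ETH_IPV4:
        return eth + bytes(28)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, ip_proto, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return eth + ip + struct.pack("!HHHH", sport, dport, 8, 0)

# Constructed sample traffic, one frame per kind.
SAMPLES = {
    "https": build_frame(ETH_IPV4, 6, 51000, 443),
    "dns": build_frame(ETH_IPV4, 17, 53, 40000),
    "dns-over-tcp": build_frame(ETH_IPV4, 6, 40001, 53),
    "ping": build_frame(ETH_IPV4, 1),
    "arp": build_frame(ETH_ARP),
}

def select(proto=None, port=None):
    """Names of the sample frames a given filter would capture."""
    return [name for name, f in SAMPLES.items() if matches(f, proto, port)]
```

Comparing select("udp", 53) with select(port=53) shows that a filter written as udp and port 53 does not capture DNS carried over TCP, which matters when the capture is meant to cover all DNS traffic.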