Find interfaces
tcpdump -D
Start a full-packet capture (rotate every 5 min, keep 3 files)
sudo tcpdump -i eth0 -s 0 -nn -w cap_%Y%m%d_%H%M%S.pcap -G 300 -W 3
sudo = run with root so the capture can access the interface.
tcpdump = start packet capture.
-i eth0 = capture on interface eth0.
-s 0 = snaplen 0 = full packets (don't truncate).
-nn = no name resolution (show numeric IPs and ports).
-w cap_%Y%m%d_%H%M%S.pcap = write to a pcap file named with a timestamp (strftime format).
-G 300 = rotate files every 300 seconds (5 minutes).
-W 3 = keep only 3 files in a ring buffer; after 3, overwrite the oldest. Check the tcpdump man page for the version in use: when -W is combined with -G (rather than -C), it limits how many rotated files are created and tcpdump exits with status 0 once that many have been written.

Read a capture
tcpdump -nn -tttt -r cap_*.pcap | head
-n = don't resolve hostnames (show IPs).
-nn = also don't resolve ports/protocols (show numbers like 10.41.0.11.502 instead of plc.modbus).
-tttt = print a full date and time timestamp at the start of each packet line.
-r cap_*.pcap = read packets from the saved capture files instead of a live interface.
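Once the rotated files are read back with -nn -tttt, the text output is easy to triage with awk. The script below is an added example, not part of the original notes: it counts TCP connection attempts (SYN-only packets) per destination port and source host, so an analyst can see which hosts opened sessions to a service such as Modbus/TCP on port 502. The sample lines are constructed to look like -nn -tttt output; the IPs and timestamps are made up.

```shell
#!/bin/sh
# Constructed sample of "tcpdump -nn -tttt -r cap_*.pcap" output (not real traffic).
SAMPLE='2024-05-01 10:15:01.000123 IP 10.41.0.50.49152 > 10.41.0.11.502: Flags [S], seq 1, win 64240, length 0
2024-05-01 10:15:01.000456 IP 10.41.0.11.502 > 10.41.0.50.49152: Flags [S.], seq 2, ack 2, win 65535, length 0
2024-05-01 10:15:02.100000 IP 10.41.0.50.49152 > 10.41.0.11.502: Flags [P.], seq 1:13, ack 1, win 64240, length 12
2024-05-01 10:15:03.000000 IP 10.41.0.50.49153 > 10.41.0.11.502: Flags [S], seq 5, win 64240, length 0
2024-05-01 10:15:05.000000 IP 10.41.0.99.40000 > 10.41.0.11.502: Flags [S], seq 9, win 64240, length 0
2024-05-01 10:15:06.000000 IP 10.41.0.50.50000 > 10.41.0.12.22: Flags [S], seq 3, win 64240, length 0'

# summarize_by_dport: reads tcpdump -nn -tttt lines on stdin and prints
# "dport src_ip count". Only SYN-only packets (Flags [S]) are counted, so each
# connection attempt is counted once rather than every data packet.
# Field layout of a -nn -tttt line:
#   $1 date  $2 time  $3 "IP"  $4 src.ip.port  $5 ">"  $6 dst.ip.port:  $7 "Flags"  $8 "[S],"
summarize_by_dport() {
  awk '
    $3 == "IP" && $8 == "[S]," {
      src = $4; dst = $6
      sub(/:$/, "", dst)                     # strip trailing colon from dst
      split(src, s, ".")                     # last dotted component is the port
      srcip = s[1] "." s[2] "." s[3] "." s[4]
      m = split(dst, d, ".")
      dport = d[m]
      count[dport " " srcip]++
    }
    END { for (k in count) print k, count[k] }
  ' | sort -k1,1n -k3,3nr
}

# sources_for_port PORT: given summarize_by_dport output on stdin, list the
# distinct source IPs that opened connections to PORT.
sources_for_port() {
  awk -v p="$1" '$1 == p { print $2 }' | sort -u
}

# Example run over the constructed sample; pipe real tcpdump output in instead.
printf '%s\n' "$SAMPLE" | summarize_by_dport
```

Replace the sample with `tcpdump -nn -tttt -r cap_*.pcap | summarize_by_dport` to run it over the rotated capture set.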