1. Overview

Identifying and resolving network issues is a routine task for network administrators. There are several command-line utilities that help with this, and tcpdump is the one that best serves the purpose.

In this tutorial, we’ll expand on the usage of tcpdump by capturing network packets on both a logical and a physical interface.

2. What Is the Localhost and Loopback Interface?

To better understand it, let’s think of localhost as a virtual hostname and domain name for our own computer system. Whenever we call localhost, it always points to our own machine. In a nutshell, the computer talks to itself. This makes it very useful for checking the machine’s network services, even when the physical network card has failed.

Typically, localhost reaches the machine through the network loopback interface, which is present in all operating systems. By default, the loopback interface gets the IP address 127.0.0.1, and the name localhost resolves to that same address:

$ cat /etc/hosts
127.0.0.1       localhost
127.0.1.1       sandbox1
::1     ip6-localhost ip6-loopback

Generally, packets transmitted through this logical interface are returned (looped back) to the same interface without involving any physical interface of the machine. Hence the name loopback.

The IETF reserves the entire 127.0.0.0/8 block for loopback purposes, and every system gets a loopback interface as part of its installation.

Let’s take a look at the loopback interface configuration:

$ ip a s lo 
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 
    inet 127.0.0.1/8 scope host lo 
       valid_lft forever preferred_lft forever 
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever

3. tcpdump

tcpdump is a powerful command-line tool for analyzing network interface traffic on Linux systems. Running it requires privileged access, either as root or via sudo. We can easily search and filter the captured packets by hostname, IP address, protocol, network, and more.

Now, let’s have a look at basic tcpdump usage. Here, the capture was taken while an SSH session was active:

$ sudo tcpdump
listening on ens160, link-type EN10MB (Ethernet), capture size 262144 bytes
04:47:21.629831 IP 27.57.7.242.32917 > sandbox1.ssh: Flags [P.], seq 639116254:639116462, ack 1982486691, win 501, length 208
04:47:21.757924 ARP, Request who-has 10.87.34.12 tell _gateway, length 46
06:47:21.880039 IP sandbox1 > 104.26.11.14: ICMP echo request, id 20418, seq 1, length 64
06:47:21.914808 IP 104.26.11.14 > sandbox1: ICMP echo reply, id 20418, seq 1, length 64

Now, let’s break down the first line of the output:

  • 04:47:21.629831 – the packet’s timestamp, with microsecond resolution
  • IP – the protocol type, such as IP (Internet Protocol), ARP (Address Resolution Protocol), or ICMP (Internet Control Message Protocol)
  • 27.57.7.242.32917 – source IP address and port. The source port is usually an ephemeral port chosen at random from the dynamic (unregistered) range
  • sandbox1.ssh – destination host and port (the well-known port 22 is shown by its service name, ssh)
  • Flags [P.] – TCP flags (P is PUSH); the period indicates ACK
  • seq 639116254:639116462 – the TCP sequence number range of this segment (start:end); the difference is the payload size in bytes, which matches the length field
  • ack 1982486691 – the TCP acknowledgment number
  • win 501 – the source machine’s TCP window size
  • length 208 – the TCP payload size in bytes. Here, it’s 639116462 - 639116254 = 208
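As an added example (not part of the original article), here is a small Python parser for tcpdump’s default text output that pulls out the fields explained above and checks the length field against the sequence-number range, plus a loopback test that applies to the captures in the next section. The sample lines are constructed from this article’s own captures, with the wrapped SSH SYN line rejoined.

```python
import re
# Constructed sample: the capture lines quoted in this article (the wrapped SSH SYN line rejoined).
SAMPLE_CAPTURE = """\
04:47:21.629831 IP 27.57.7.242.32917 > sandbox1.ssh: Flags [P.], seq 639116254:639116462, ack 1982486691, win 501, length 208
04:47:21.757924 ARP, Request who-has 10.87.34.12 tell _gateway, length 46
06:47:21.880039 IP sandbox1 > 104.26.11.14: ICMP echo request, id 20418, seq 1, length 64
06:30:52.419160 IP localhost.43398 > localhost.ssh: Flags [S], seq 4234592172, win 65495, options [mss 65495,sackOK,TS val 796452486 ecr 0,nop,wscale 7], length 0
"""

HEADER_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) ([A-Za-z0-9]+),? (.*)$")  # timestamp, protocol, rest
ENDPOINTS_RE = re.compile(r"^(\S+) > (\S+): (.*)$")                        # "src > dst: body"
TCP_RE = re.compile(r"Flags \[([^\]]*)\](?:, seq (\d+)(?::(\d+))?)?(?:, ack (\d+))?, win (\d+)")

def parse_line(line):
    """Split one default-format tcpdump line (TCP, ICMP or ARP shape) into its fields."""
    ts, proto, rest = HEADER_RE.match(line.strip()).groups()
    length = re.search(r"\blength (\d+)$", rest)
    pkt = {"timestamp": ts, "proto": proto, "length": int(length.group(1)) if length else None,
           "src": None, "src_port": None, "dst": None, "dst_port": None, "tcp": None}
    ep = ENDPOINTS_RE.match(rest)
    if ep is None:                                    # ARP has no "src > dst:" pair
        return pkt
    src, dst, body = ep.groups()
    tcp = TCP_RE.search(body)
    if tcp is None:                                   # ICMP and friends: bare hosts, no port to split
        pkt["src"], pkt["dst"] = src, dst
        return pkt
    flags, seq_start, seq_end, ack, win = tcp.groups()
    pkt["src"], pkt["src_port"] = src.rsplit(".", 1)  # TCP endpoints print as host.port,
    pkt["dst"], pkt["dst_port"] = dst.rsplit(".", 1)  # with well-known ports as names (22 -> ssh)
    pkt["tcp"] = {"flags": flags,                     # a "." inside the brackets is ACK
                  "seq_start": int(seq_start) if seq_start else None,
                  "seq_end": int(seq_end) if seq_end else None,  # printed only when payload > 0
                  "ack": int(ack) if ack else None,
                  "win": int(win)}
    return pkt

def parse_capture(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]

def payload_consistent(pkt):  # TCP only: the length field must equal seq_end - seq_start
    tcp = pkt["tcp"]
    if tcp is None:
        return None
    expected = tcp["seq_end"] - tcp["seq_start"] if tcp["seq_end"] is not None else 0  # bare seq = 0 bytes
    return expected == pkt["length"]

def is_loopback(pkt):  # both ends on the loopback interface: 127/8, ::1 or the localhost names
    return all(h and (h in ("localhost", "ip6-localhost", "::1") or h.startswith("127."))
               for h in (pkt["src"], pkt["dst"]))
```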

4. Monitoring the Interface Using tcpdump

tcpdump has many options to parse, search, and filter network interface traffic. To monitor the packets on a specific interface, we use the -i option.

For the sake of demonstration, let’s open two PuTTY sessions. In the first session, we start a packet capture on the loopback interface; in the second, we run a simple ping to localhost:

$ ping -c 1 localhost
..
..

$ sudo tcpdump -i lo
06:24:36.453843 IP localhost > localhost: ICMP echo request, id 19865, seq 1, length 64
06:24:36.453854 IP localhost > localhost: ICMP echo reply, id 19865, seq 1, length 64

Along similar lines, let’s generate and capture SSH packets on the loopback interface:

$ ssh localhost
tools@localhost's password:

$ sudo tcpdump -i lo 
06:30:52.419160 IP localhost.43398 > localhost.ssh:
  Flags [S], seq 4234592172, win 65495, options [mss 65495,sackOK,TS val 796452486 ecr 0,nop,wscale 7], length 0

tcpdump has some other useful options.

To get low-level information, we enable verbose mode:

tcpdump -vv -i ens160

To read a pcap file, we use the -r option:

tcpdump -r prod_inf_mtr.pcap

To filter by hostname or source IP and capture only ten packets from any interface:

tcpdump host baeldung.com -i any -c10
tcpdump host 104.26.12.74 -i any -c10

Next, we can filter using host and ports information:

tcpdump -i any "host baeldung.com and (port 22 or port 443)"

Moreover, we can use it to filter using source and destination networks information:

tcpdump -i any -n "src net 192.168.0.0/16 and not dst net 10.0.0.0/8" -c4

And finally, we can also capture IPv6 traffic:

tcpdump -i any ip6 host google.com -c4

5. Conclusion

In this article, we saw why localhost is the default name for our own system and how it helps test applications through the loopback network interface. Furthermore, we also saw the various user-friendly options available in tcpdump for advanced packet analysis.