Community Python Snippet
The tcpdump One-Liner I Actually Remember
A small Python wrapper around the only tcpdump invocation I can recall under pressure, plus a parser that turns its line-buffered output into JSON so I can pipe it to jq.
By @elisehuang
March 17, 2026
Updated May 18, 2026
Every time my service stops talking to a downstream and the metrics are unhelpful, I reach for tcpdump. The flags I always need are -A (ASCII payload, so HTTP headers are readable), -s 0 (full snaplen; otherwise headers are cut at 96 bytes), -l (line-buffered, so piping to grep actually flushes), and -nn (skip DNS lookups, which can take seconds on a slow resolver). The function exists so I stop typing -s 96 and wondering why my Authorization header is truncated. On macOS (BSD tcpdump), replace -i any with an explicit interface such as -i en0.
Port 443 carries every TLS conversation on the host, so tcpdump | grep is too coarse. The regex matches the 5-tuple header line that tcpdump prints, and the parser accumulates the indented payload lines that follow it into a payload list. Emitting JSON means I can pipe to jq 'select(.dst == "1.2.3.4") | .payload' and slice further. The script runs against a canned sample, so you can see the JSON shape without needing root or live traffic.
This is the glue I actually run on staging. The -l flag from accordion 1 makes tcpdump line-buffered, and iter(proc.stdout.readline, '') lets the parser from accordion 2 consume packets as they arrive instead of waiting for EOF. I usually pipe the JSON to jq for further filtering. The default run only prints the command that would execute and exits cleanly; pass --live (with sudo) to actually attach to traffic, which keeps the snippet safe to paste into CI.
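The three pieces described above (the flag list, the header-line regex with payload accumulation, and the line-by-line streaming), worked through as an added example that is not the author's own snippet. The header format follows what `tcpdump -nn` prints for TCP; the SAMPLE block is constructed, not a real capture, and the function names tcpdump_args and parse_tcpdump are my own.

```python
import json
import re
import sys

# Header line printed by `tcpdump -nn` for a TCP/UDP packet (see SAMPLE below).
HEADER = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP6? "
    r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): (?P<rest>.*)$"
)
FLAGS = re.compile(r"Flags \[([^\]]*)\]")
LENGTH = re.compile(r"length (\d+)")

# Constructed sample approximating `tcpdump -nn -A` output; not a real capture.
SAMPLE = """\
12:00:00.000001 IP 10.0.0.5.54321 > 10.0.0.9.8080: Flags [P.], seq 1:80, ack 1, win 512, length 79
GET /health HTTP/1.1
Host: api.internal
Authorization: Bearer REDACTED

12:00:00.000420 IP 10.0.0.9.8080 > 10.0.0.5.54321: Flags [.], ack 80, win 512, length 0
"""

def tcpdump_args(iface="any", bpf="tcp port 443"):
    """The invocation from the post: -nn -A -s 0 -l, plus interface and BPF filter."""
    return ["tcpdump", "-nn", "-A", "-s", "0", "-l", "-i", iface, bpf]

def parse_tcpdump(lines):
    """Yield one dict per packet; every non-header, non-empty line is payload."""
    pkt = None
    for raw in lines:
        line = raw.rstrip("\n")
        m = HEADER.match(line)
        if m:
            if pkt:
                yield pkt  # previous packet is complete once a new header arrives
            rest = m.group("rest")
            f, n = FLAGS.search(rest), LENGTH.search(rest)
            pkt = {"ts": m.group("ts"), "src": m.group("src"), "sport": int(m.group("sport")),
                   "dst": m.group("dst"), "dport": int(m.group("dport")),
                   "flags": f.group(1) if f else None,
                   "length": int(n.group(1)) if n else None, "payload": []}
        elif pkt is not None and line:
            pkt["payload"].append(line)
    if pkt:
        yield pkt

if __name__ == "__main__":  # read stdin when piped from `tcpdump -l`, else the sample
    src = SAMPLE.splitlines(True) if sys.stdin.isatty() else sys.stdin
    for p in parse_tcpdump(src):
        print(json.dumps(p))
```

Run it bare to see the JSON shape from the sample, or as `sudo tcpdump -nn -A -s 0 -l -i any 'tcp port 443' | python3 parse.py | jq .` to stream one JSON object per packet.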
