tcpdump Cheat Sheet
Installation Commands
Install tcpdump on different Linux distributions:
sudo yum install tcpdump (CENT OS and REDHAT)
dnf install tcpdump (Fedora)
apt-get install tcpdump (Ubuntu, Debian and Linux Mint)
Boost Your Website Speed!
If you want your website to run as fast as ours, consider trying Cloudways. Their powerful cloud infrastructure and optimized stack deliver exceptional performance. Free migration! Packet Capturing Options
| Switch Syntax | Description | Example |
|---|---|---|
| -i any | Capture from all interfaces | tcpdump -i any |
| -i eth0 | Capture from specific interface (Ex Eth0) | tcpdump -i eth0 |
| -c 10 | Capture first 10 packets and exit | tcpdump -c 10 |
| -D | Show available interfaces | tcpdump -D |
| -A | Print in ASCII | tcpdump -A |
| -w | To save capture to a file | tcpdump -w capture.pcap |
| -r | Read and analyze saved capture file | tcpdump -r capture.pcap |
| -n | Do not resolve host names | tcpdump -n |
| -nn | Stop domain name translation and lookups | tcpdump -nn |
| tcp | Capture TCP packets only | tcpdump tcp |
| port | Capture traffic from a defined port only | tcpdump port 80 |
| host | Capture packets from specific host | tcpdump host 192.168.1.1 |
| net | Capture files from network subnet | tcpdump net 192.168.1.0/24 |
| src | Capture from a specific source address | tcpdump src 192.168.1.1 |
| dst | Capture from a specific destination address | tcpdump dst 192.168.1.2 |
| <service> | Filter traffic based on a port number for a service | tcpdump ‘tcp port http’ |
| <port> | Filter traffic based on a service | tcpdump port 443 |
| port range | Filter based on port range | tcpdump portrange 1000-2000 |
| -S | Display entire packet | tcpdump -S |
| ipv6 | Show only IPv6 packets | tcpdump ip6 |
| -d | Display human readable form in standard output | tcpdump -d |
| -F | Use the given file as input for filter | tcpdump -F filter.txt |
| -I | Set interface as monitor mode | tcpdump -I -i wlan0 |
| -L | Display data link types for the interface | tcpdump -L |
| -N | Not printing domain names | tcpdump -N |
| -K | Do not verify checksum | tcpdump -K |
| -p | Not capturing in promiscuous mode | tcpdump -p |
Logical Operators
| Operator Syntax | Example | Description |
|---|---|---|
| AND | tcpdump -n src 192.168.1.1 and dst port 21 | Combine filtering options |
| OR | tcpdump dst 10.1.1.1 && !icmp | Either of the condition can match |
| EXCEPT | tcpdump dst 10.1.1.1 and not icmp | Negation of the condition |
| LESS | tcpdump | Shows packets size less than 32 |
| GREATER | tcpdump >=32 | Shows packets size greater than 32 |
Display / Output Options
| Switch | Description |
|---|---|
| -q | Quite and less verbose mode display less details |
| -t | Do not print time stamp details in dump |
| -v | Little verbose output |
| -vv | More verbose output |
| -vvv | Most verbose output |
| -x | Print data and headers in HEX format |
| -xx | Print data with link headers in HEX format |
| -X | Print output in HEX and ASCII format excluding link headers |
| -XX | Print output in HEX and ASCII format including link headers |
| -e | Print Link (Ethernet) headers |
| -S | Print sequence numbers in exact format |
Protocols
Common protocols for filtering captures:
Ether, fddi, icmp, ip, ip6, ppp, radio, rarp, slip, tcp, udp, wlan
Common Commands with Protocols for Filtering Captures
| Syntax | Description |
|---|---|
| src/dst host (host name or IP) | Filter by source or destination IP address or host |
| ether src/dst host (ethernet host name or IP) | Ethernet host filtering by source or destination |
| src/dst net (subnet mask in CIDR) | Filter by subnet |
| tcp/udp src/dst port (port number) | Filter TCP or UDP packets by source or destination port |
| tcp/udp src/dst port range (port number range) | Filter TCP or UDP packets by source or destination port range |
| ether/ip broadcast | Filter for Ethernet or IP broadcasts |
| ether/ip multicast | Filter for Ethernet or IP multicasts |