Uploaded to Scribd by raza naqvi.

This document provides a cheat sheet for using tcpdump, a command line packet analyzer. It lists: 1) Common tcpdump options for capturing packets from interfaces, saving captures to files, filtering by protocols, ports, hosts and more. 2) Logical operators that can be used to combine filtering options such as AND, OR, and NOT. 3) Examples of commands to filter traffic based on attributes like source/destination IP, port, subnet, and protocols.

tcpdump Cheat Sheet

Installation Commands

CentOS and RHEL             $ sudo yum install tcpdump
Fedora                      $ sudo dnf install tcpdump
Ubuntu, Debian, Linux Mint  $ sudo apt-get install tcpdump

Capturing from an interface needs root or the CAP_NET_RAW capability, so the capture commands below are normally run with sudo. Reading a saved file with -r does not.

Packet Capturing Options

Switch      Syntax                                      Description
-i any      tcpdump -i any                              Capture from all interfaces (on Linux the "any" device is never promiscuous)
-i eth0     tcpdump -i eth0                             Capture from a specific interface (here eth0)
-c          tcpdump -i eth0 -c 10                       Capture the first 10 packets and exit
-D          tcpdump -D                                  List available interfaces
-A          tcpdump -i eth0 -A                          Print each packet (minus its link-layer header) in ASCII
-w          tcpdump -i eth0 -w tcpdump.pcap             Save the raw capture to a file (binary pcap, not text; read it back with -r or Wireshark)
-r          tcpdump -r tcpdump.pcap                     Read and analyze a saved capture file
-n          tcpdump -n -i eth0                          Do not resolve host names
-nn         tcpdump -nn -i eth0                         Do not resolve host names or port/protocol names
-s          tcpdump -i eth0 -s 0                        Snapshot length in bytes; 0 means capture whole packets (the default is 262144)
tcp         tcpdump -i eth0 -c 10 -w tcpdump.pcap tcp   Capture TCP packets only
port        tcpdump -i eth0 port 80                     Capture traffic whose source or destination port is 80
host        tcpdump host 192.168.1.100                  Capture packets to or from a specific host
net         tcpdump net 10.1.1.0/24                     Capture packets to or from a subnet (host bits must be zero: 10.1.1.0/16 is rejected as "non-network bits set")
src         tcpdump src 10.1.1.100                      Capture packets from a specific source address
dst         tcpdump dst 10.1.1.100                      Capture packets to a specific destination address
<service>   tcpdump port http                           Filter by service name, resolved through /etc/services (a bare "http" is a syntax error)
<port>      tcpdump port 80                             Filter by port number
portrange   tcpdump portrange 21-125                    Filter by port range
ip6         tcpdump ip6                                 Show only IPv6 packets
-d          tcpdump -d 'port 80'                        Dump the compiled filter (BPF) in human-readable form and exit; handy for checking a filter before capturing
-F          tcpdump -F filter.txt                       Read the filter expression from a file (an expression on the command line is then ignored)
-I          tcpdump -I -i wlan0                         Put the (wireless) interface in monitor mode
-L          tcpdump -L -i eth0                          List the data link types the interface supports
-N          tcpdump -N -r tcpdump.pcap                  Print host names without their domain part
-K          tcpdump -K -r tcpdump.pcap                  Do not verify IP, TCP and UDP checksums (outgoing packets look corrupt when the NIC offloads checksumming)
-p          tcpdump -p -i eth0                          Do not put the interface in promiscuous mode

Display / Output Options

Switch   Description
-q       Quiet mode: print less protocol information, shorter lines
-t       Do not print a timestamp on each line
-v       Verbose output (e.g. TTL, identification, total length and options; IP and ICMP header checksums are verified)
-vv      More verbose output
-vvv     Most verbose output
-x       Print packet data (excluding the link-layer header) in hex
-xx      Print packet data including the link-layer header in hex
-X       Print packet data in hex and ASCII, excluding the link-layer header
-XX      Print packet data in hex and ASCII, including the link-layer header
-e       Print the link-layer (Ethernet) header on each line
-S       Print absolute rather than relative TCP sequence numbers

Protocols

Protocol qualifiers accepted in filter expressions: ether, fddi, wlan, ip, ip6, arp, rarp, tcp, udp; icmp is accepted as shorthand for "ip proto icmp". ppp, slip and radio are link-layer types (see -L), not filter keywords.

Common Commands with Protocols for Filtering Captures

Primitive                                      Description
src/dst host <host name or IP>                 Filter by source or destination IP address or host name
ether src/dst <MAC address>                    Filter by source or destination Ethernet (MAC) address, e.g. ether src 00:11:22:33:44:55 (names from /etc/ethers also work)
src/dst net <subnet in CIDR notation>          Filter by source or destination subnet
tcp/udp src/dst port <port number>             Filter TCP or UDP packets by source or destination port
tcp/udp src/dst portrange <low-high>           Filter TCP or UDP packets by source or destination port range
ether/ip broadcast                             Filter for Ethernet or IP broadcasts
ether/ip multicast                             Filter for Ethernet or IP multicasts

Logical Operators

Operator       Syntax       Example                                         Description
AND            and, &&      tcpdump -n src 192.168.1.1 and dst port 21      Both conditions must match
OR             or, ||       tcpdump 'dst 10.1.1.1 or dst 10.1.1.2'          Either condition can match
NOT (except)   not, !       tcpdump dst 10.1.1.1 and not icmp               Negate a condition
LESS           less, <      tcpdump 'len < 32'                              Packets shorter than 32 bytes ('less 32' means len <= 32)
GREATER        greater, >   tcpdump 'len >= 32'                             Packets of 32 bytes or more ('greater 32' is the same as 'len >= 32')

Quote the whole expression whenever it contains &&, ||, !, <, > or parentheses; otherwise the shell consumes them before tcpdump sees them. Parentheses group conditions, e.g. tcpdump 'host 10.1.1.1 and (port 80 or port 443)'.
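The primitives and operators above are easiest to understand by seeing what they test against each packet. The following is an added example written for this page, not tcpdump or libpcap code: a small pure-Python pcap writer and reader (the file layout behind -w, -r and -s) plus predicates with the same semantics as host, src, dst, net, port, tcp, udp, len, and, or and not. All packets are constructed in the script, function names are my own, and the strict CIDR check mirrors libpcap's rejection of "net 10.1.1.0/16".

```python
"""Toy pcap writer/reader plus an evaluator for a subset of tcpdump's filter
primitives. Added example, not tcpdump or libpcap code; every packet below is
constructed in this file, not captured from a network."""
import ipaddress
import struct

PCAP_MAGIC = 0xA1B2C3D4          # little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1


def build_frame(src_ip, dst_ip, proto, sport, dport, payload=b""):
    """Ethernet + IPv4 + TCP(6)/UDP(17) frame. Checksums are left at 0,
    which is what a capture with checksum offloading looks like (see -K)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    if proto == 6:   # 20-byte TCP header: seq/ack 1, data offset 5, flags PSH|ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    else:            # 8-byte UDP header
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    l4 += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed)
    return eth + ip + l4


def write_pcap(frames, snaplen=262144):
    """File layout `tcpdump -w` produces: 24-byte global header, then per-packet
    record headers (ts_sec, ts_usec, captured length, original length)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        saved = frame[:snaplen]  # -s truncates what is stored, not the recorded length
        out += struct.pack("<IIII", 1700000000 + i, 0, len(saved), len(frame)) + saved
    return out


def read_pcap(data):
    """What `tcpdump -r` consumes; yields one decoded packet (dict) per record."""
    if struct.unpack_from("<I", data)[0] != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic/endianness")
    off = 24
    while off < len(data):
        _, _, incl, orig = struct.unpack_from("<IIII", data, off)
        off += 16
        yield decode(data[off:off + incl], orig)
        off += incl


def decode(frame, wire_len):
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    pkt = {"len": wire_len, "ip": ethertype == 0x0800, "tcp": False, "udp": False}
    if pkt["ip"]:
        ihl = (frame[14] & 0x0F) * 4
        pkt["proto"] = frame[23]
        pkt["src"] = str(ipaddress.ip_address(frame[26:30]))
        pkt["dst"] = str(ipaddress.ip_address(frame[30:34]))
        if pkt["proto"] in (6, 17):
            pkt["sport"], pkt["dport"] = struct.unpack_from("!HH", frame, 14 + ihl)
            pkt["tcp"], pkt["udp"] = pkt["proto"] == 6, pkt["proto"] == 17
    return pkt


# Filter primitives named as on the cheat sheet; each returns a predicate over a packet.
def host(a):     return lambda p: p.get("src") == a or p.get("dst") == a  # host = src or dst
def src(a):      return lambda p: p.get("src") == a
def dst(a):      return lambda p: p.get("dst") == a
def port(n):     return lambda p: n in (p.get("sport"), p.get("dport"))  # port = either end
def src_port(n): return lambda p: p.get("sport") == n
def dst_port(n): return lambda p: p.get("dport") == n
def in_net(cidr):
    # strict parsing rejects '10.1.1.0/16' (host bits set), as libpcap does
    n = ipaddress.ip_network(cidr)
    return lambda p: p["ip"] and (ipaddress.ip_address(p["src"]) in n
                                  or ipaddress.ip_address(p["dst"]) in n)
def tcp(p):      return p["tcp"]
def udp(p):      return p["udp"]
def len_lt(n):   return lambda p: p["len"] < n    # 'len < n'; note 'less n' is len <= n
def len_ge(n):   return lambda p: p["len"] >= n   # 'greater n' is len >= n
def and_(*fs):   return lambda p: all(f(p) for f in fs)
def or_(*fs):    return lambda p: any(f(p) for f in fs)
def not_(f):     return lambda p: not f(p)


def filter_pcap(data, predicate):
    return [p for p in read_pcap(data) if predicate(p)]


# Constructed sample capture: one HTTP request/response and one DNS query/reply.
SAMPLE = write_pcap([
    build_frame("192.168.1.100", "10.1.1.1", 6, 51000, 80, b"GET / HTTP/1.1\r\n"),
    build_frame("10.1.1.1", "192.168.1.100", 6, 80, 51000, b"HTTP/1.1 200 OK\r\n"),
    build_frame("192.168.1.100", "10.1.1.53", 17, 41000, 53, b"\x00" * 30),
    build_frame("10.1.1.53", "192.168.1.100", 17, 53, 41000, b"\x00" * 46),
])

if __name__ == "__main__":
    # Equivalent of: tcpdump -nn -r sample.pcap 'host 192.168.1.100 and tcp port 80'
    for p in filter_pcap(SAMPLE, and_(host("192.168.1.100"), tcp, port(80))):
        print(p["src"], p["sport"], ">", p["dst"], p["dport"], "len", p["len"])
```

Two points worth noticing when you run it: a packet truncated by a small snaplen still reports its original wire length (that is what -s costs you, bytes of payload rather than accounting), and host/port match either direction, which is why "host X" on the sample returns all four packets while "src X" returns two.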