tcpdump Cheat Sheet
Installation Commands
Install tcpdump on different Linux distributions:
sudo yum install tcpdump (CentOS and RHEL)
dnf install tcpdump (Fedora)
apt-get install tcpdump (Ubuntu, Debian and Linux Mint)
Packet Capturing Options
| Switch Syntax | Description | Example |
|---|---|---|
| -i any | Capture from all interfaces | tcpdump -i any |
| -i eth0 | Capture from a specific interface (e.g. eth0) | tcpdump -i eth0 |
| -c 10 | Capture first 10 packets and exit | tcpdump -c 10 |
| -D | Show available interfaces | tcpdump -D |
| -A | Print in ASCII | tcpdump -A |
| -w | Save the capture to a file | tcpdump -w capture.pcap |
| -r | Read and analyze saved capture file | tcpdump -r capture.pcap |
| -n | Do not resolve host names | tcpdump -n |
| -nn | Do not resolve host names or port numbers (fully numeric output) | tcpdump -nn |
| tcp | Capture TCP packets only | tcpdump tcp |
| port | Capture traffic from a defined port only | tcpdump port 80 |
| host | Capture packets from specific host | tcpdump host 192.168.1.1 |
| net | Capture packets from a network subnet | tcpdump net 192.168.1.0/24 |
| src | Capture from a specific source address | tcpdump src 192.168.1.1 |
| dst | Capture from a specific destination address | tcpdump dst 192.168.1.2 |
| <service> | Filter traffic based on a service name (resolved to its port) | tcpdump 'tcp port http' |
| <port> | Filter traffic based on a port number | tcpdump port 443 |
| portrange | Filter based on a port range | tcpdump portrange 1000-2000 |
| -s 0 | Capture the entire packet (no snapshot-length truncation) | tcpdump -s 0 |
| ip6 | Show only IPv6 packets | tcpdump ip6 |
| -d | Dump the compiled filter program in human-readable form to standard output | tcpdump -d |
| -F | Use the given file as input for filter | tcpdump -F filter.txt |
| -I | Put the (wireless) interface into monitor mode | tcpdump -I -i wlan0 |
| -L | Display data link types for the interface | tcpdump -L |
| -N | Print host names without their domain qualification | tcpdump -N |
| -K | Do not verify IP, TCP and UDP checksums | tcpdump -K |
| -p | Do not put the interface into promiscuous mode | tcpdump -p |
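The numeric output produced by -nn is easy to post-process. The following Python is an added example (not part of the cheat sheet) that parses constructed lines in the format of `tcpdump -nn -r capture.pcap tcp` and flags any source that sends bare SYN packets to many distinct destination ports, a simple port-scan heuristic; the sample lines, the threshold and the function names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format printed by `tcpdump -nn tcp`
# (-nn: no host or port name resolution, so addresses and ports are numeric).
SAMPLE_OUTPUT = """\
12:00:01.000001 IP 192.168.1.50.40001 > 192.168.1.1.22: Flags [S], seq 1000, win 64240, length 0
12:00:01.000120 IP 192.168.1.1.22 > 192.168.1.50.40001: Flags [S.], seq 2000, ack 1001, win 65160, length 0
12:00:01.000300 IP 192.168.1.50.40002 > 192.168.1.1.80: Flags [S], seq 1001, win 64240, length 0
12:00:01.000450 IP 192.168.1.50.40003 > 192.168.1.1.443: Flags [S], seq 1002, win 64240, length 0
12:00:01.000600 IP 192.168.1.50.40004 > 192.168.1.1.3389: Flags [S], seq 1003, win 64240, length 0
12:00:01.000750 IP 192.168.1.50.40005 > 192.168.1.1.8080: Flags [S], seq 1004, win 64240, length 0
12:00:02.100000 IP 192.168.1.77.51000 > 192.168.1.1.22: Flags [S], seq 5000, win 64240, length 0
12:00:02.100200 IP 192.168.1.77.51000 > 192.168.1.1.22: Flags [.], ack 1, win 502, length 0
"""

# One tcpdump -nn TCP line: timestamp, src.port > dst.port, then the flags field.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

def parse_line(line):
    """Return a dict of fields for one tcpdump -nn TCP line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["sport"] = int(d["sport"])
    d["dport"] = int(d["dport"])
    return d

def syn_scan_sources(text, min_ports=5):
    """Collect, per source IP, the distinct destination ports that received bare SYN packets,
    and return the sources that touched at least min_ports ports (a port-scan heuristic)."""
    ports_by_src = defaultdict(set)
    for line in text.splitlines():
        rec = parse_line(line)
        # Flags [S] is a bare SYN; [S.] is SYN-ACK and [.] is a bare ACK, so only "S" counts.
        if rec and rec["flags"] == "S":
            ports_by_src[rec["src"]].add(rec["dport"])
    return {src: sorted(ports) for src, ports in ports_by_src.items() if len(ports) >= min_ports}

if __name__ == "__main__":
    for src, ports in syn_scan_sources(SAMPLE_OUTPUT).items():
        print(f"{src} sent SYNs to {len(ports)} distinct ports: {ports}")
```

On the constructed sample, only 192.168.1.50 is reported (five distinct ports); the SYN-ACK reply and the single connection from 192.168.1.77 are not counted.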
Logical Operators
| Operator Syntax | Example | Description |
|---|---|---|
| AND | tcpdump -n src 192.168.1.1 and dst port 21 | Combine filtering options |
| OR | tcpdump 'dst 10.1.1.1 or icmp' | Either condition can match |
| EXCEPT | tcpdump 'dst 10.1.1.1 and not icmp' | Negation of the condition |
| LESS | tcpdump less 32 | Show packets whose length is at most 32 bytes |
| GREATER | tcpdump greater 32 | Show packets whose length is at least 32 bytes |
Display / Output Options
| Switch | Description |
|---|---|
| -q | Quiet mode: print less protocol information, so output lines are shorter |
| -t | Do not print time stamp details in dump |
| -v | Slightly verbose output |
| -vv | More verbose output |
| -vvv | Most verbose output |
| -x | Print packet data in HEX format excluding link headers |
| -xx | Print data with link headers in HEX format |
| -X | Print output in HEX and ASCII format excluding link headers |
| -XX | Print output in HEX and ASCII format including link headers |
| -e | Print Link (Ethernet) headers |
| -S | Print absolute TCP sequence numbers instead of relative ones |
Protocols
Common protocols for filtering captures:
ether, fddi, icmp, ip, ip6, ppp, radio, rarp, slip, tcp, udp, wlan
Common Commands with Protocols for Filtering Captures
| Syntax | Description |
|---|---|
| src/dst host (host name or IP) | Filter by source or destination IP address or host |
| ether src/dst host (MAC address or name from /etc/ethers) | Ethernet host filtering by source or destination |
| src/dst net (subnet mask in CIDR) | Filter by subnet |
| tcp/udp src/dst port (port number) | Filter TCP or UDP packets by source or destination port |
| tcp/udp src/dst portrange (port number range) | Filter TCP or UDP packets by source or destination port range |
| ether/ip broadcast | Filter for Ethernet or IP broadcasts |
| ether/ip multicast | Filter for Ethernet or IP multicasts |
