Skip to Content

Learn tcpdump Filter Quick Guide

Tcpdump is a powerful command-line packet analyzer. It allows us to display TCP/IP and other packets being transmitted or received over a network. We collect 30 tcpdump filters to help you learn tcpdump quickly.

30 tcpdump examples to filter packets

Switch Syntax Description
-i any tcpdump -i any Capture from all interfaces
-i eth0 tcpdump -i eth0 Capture from specific interface ( Ex Eth0)
-c tcpdump -i eth0 -c 10 Capture first 10 packets and exit
-D tcpdump -D Show available interfaces
-A tcpdump -i eth0 -A Print in ASCII
-w tcpdump -i eth0 -w tcpdump.txt To save capture to a file
-r tcpdump -r tcpdump.txt Read and analyze saved capture file
-n tcpdump -n -I eth0 Do not resolve host names
-nn tcpdump -n -i eth0 Stop Domain name translation and lookups (Host names or port names )
tcp tcpdump -i eth0 -c 10 -w tcpdump.pcap tcp Capture TCP packets only
port tcpdump -i eth0 port 80 Capture traffic from a defined port only
host tcpdump host Capture packets from specific host
net tcpdump net Capture files from network subnet
src tcpdump src Capture from a specific source address
dst tcpdump dst Capture from a specific destination address
<service> tcpdump http Filter traffic based on a port number for a service
<port> tcpdump port 80 Filter traffic based on a service
port range tcpdump portrange 21-125 Filter based on port range
-S tcpdump -S http Display entire packet
ipv6 tcpdunp -IPV6 Show only IPV6 packets

How to filter MAC addresses using tcpdump?

Use the host option on the tcpdump command to limit output to a specific MAC address: tcpdump ether host aa:bb:cc:11:22:33

How to filter tcpdump on a specific port ?

Use the port option on the tcpdump command to specify a port: tcpdump ether port 80

How to read tcpdump output?

There is a read option on tcpdump, which is represented by the switch -r as in: tcpdump -r file_path_and_name

How to capture packets with tcp flag filter?

Flag Description
URG Urgent pointer field is significant
ACK Acknowledgment field is significant
PSH Push function
RST Reset the connection
SYN Synchronize sequence numbers
FIN No more data from sender
Flag Bit Value
URG 32
ACK 16
Flag Combination Value
FIN, ACK 17 (1 + 16)
SYN, ACK 18 (2 + 16)
PSH, ACK 24 (8 + 16)
FIN, PSH 9 (1 + 8)
FIN, PSH, ACK 25 (1 + 8 + 16)

We can use the following ways to capture packets with syn TCP flag. Syn flag is 00000010 in tcp header. That is 2 in decimal.

tcpdump -i utun1 tcp[tcpflags] == ‘tcp-syn’

tcpdump -i utun1 tcp[13] == 2

We can use the following way to capture syn-ack packets. This is 10010 in binary and 18 in decimal.

tcpdump -i utun1 ‘tcp[13] == 18’

For psh-ack packets, we can use this way. This is 11000 in binary and 24 in decimal.

tcpdump -i utun1 ‘tcp[13] == 24’

Related post: