Tcpdump Cheat Sheet With Basic and Advanced Examples


Tcpdump is a command-line tool for capturing raw network packets. This cheat sheet covers the basic and advanced options of the tcpdump command, which is useful for many forms of network troubleshooting.

Purpose of Tcpdump

This tool is mainly used for troubleshooting network problems. For example, if we have a DNS query issue, we can use this command to capture all the DNS packets and check what happened. There are more examples later in this tcpdump cheat sheet.

We can use this tool for the following purposes.

  • Troubleshoot network problems
  • Examine security problems
  • Debug protocol implementations
  • Learn network protocols

How to Run tcpdump?

We can run tcpdump on a local server or on a remote server over an SSH session. It accepts many filters and lets us display data about packets going in and out of an interface. Its filter syntax is also very powerful.

When we run the tcpdump command without any options, it captures packets on all the interfaces. We can stop the capture by pressing Ctrl+C.

Basic Packet Capturing Options In Tcpdump

The tcpdump command can be used to filter many different kinds of packets.

For more tcpdump command examples, please check here.

  • tcpdump -i any : Capture from all interfaces
  • tcpdump -i eth0 : Capture from a specific interface (e.g. eth0)
  • tcpdump -i eth0 -c 10 : Capture the first 10 packets and exit
  • tcpdump -D : Show available interfaces
  • tcpdump -i eth0 -A : Print packet contents in ASCII
  • tcpdump -i eth0 -w tcpdump.txt : Save the capture to a file (written in binary pcap format, whatever the extension)
  • tcpdump -r tcpdump.txt : Read and analyze a saved capture file
  • tcpdump -n -i eth0 : Do not resolve host names
  • tcpdump -nn -i eth0 : Do not resolve host names, port names or protocol names
  • tcpdump -i eth0 -c 10 -w tcpdump.pcap tcp : Capture TCP packets only (the first 10, saved to a file)
  • tcpdump -i eth0 port 80 : Capture traffic on a given port only
  • tcpdump host <ip> : Capture packets to or from a specific host
  • tcpdump net <network>/<prefix> : Capture packets to or from a network subnet
  • tcpdump src <ip> : Capture from a specific source address
  • tcpdump dst <ip> : Capture to a specific destination address
  • tcpdump port 80 : Filter traffic based on a port
  • tcpdump portrange 21-125 : Filter based on a port range
  • tcpdump ip6 : Show only IPv6 packets

Advanced Logical Operators in Tcpdump

We can get more advanced tcpdump command examples from here.

  • tcpdump -n src <ip> and dst port 21 : Combine filtering options with "and"
  • tcpdump dst <ip> or not icmp : Either condition can match ("!" also means "not", but must be quoted so the shell does not expand it)
  • tcpdump dst <ip> and not icmp : Negate a condition
  • tcpdump less 32 : Show packets of at most 32 bytes (written "less", since "<" would be a shell redirection)
  • tcpdump greater 32 : Show packets of at least 32 bytes
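As an added example (not from the original cheat sheet), the POSIX shell helper below composes a capture command from the filter primitives in the two lists above: it joins the terms with "and", refuses a qualifier such as a bare "dst" that is missing its argument, validates the packet count, and single-quotes the expression so that "!" and "<" reach tcpdump instead of being interpreted by the shell. The function name, interface, file names and the 10.0.0.53 address are assumptions.

```sh
#!/bin/sh
# Added example, not from the original cheat sheet.
# build_capture IFACE COUNT OUTFILE [TERM ...]
# Prints a tcpdump command that captures COUNT packets on IFACE into OUTFILE,
# joining each TERM ("host 10.0.0.5", "dst port 53", "not icmp", ...) with "and".
# Returns 1 when a term is a bare qualifier that needs an argument (a plain
# "tcpdump dst" is a filter syntax error) or when it would break the quoting.
build_capture() {
    iface="$1"; count="$2"; outfile="$3"; shift 3
    # COUNT must be a positive integer, or -c would reject it.
    case "$count" in
        ''|*[!0-9]*) echo "error: count '$count' is not a number" >&2; return 1 ;;
    esac
    filter=""
    for term in "$@"; do
        case "$term" in
            # Qualifiers that take an argument must not stand alone.
            src|dst|host|net|port|portrange|"src host"|"dst host")
                echo "error: '$term' needs an argument" >&2; return 1 ;;
            # The expression is wrapped in single quotes below, so none may appear inside.
            *\'*)
                echo "error: single quote in '$term'" >&2; return 1 ;;
        esac
        if [ -z "$filter" ]; then filter="$term"; else filter="$filter and $term"; fi
    done
    # -nn: no host, port or protocol name resolution; -w: write raw pcap.
    # Single-quoting the expression keeps "!" and "<" away from the shell.
    if [ -n "$filter" ]; then
        printf '%s\n' "tcpdump -nn -i $iface -c $count -w $outfile '$filter'"
    else
        printf '%s\n' "tcpdump -nn -i $iface -c $count -w $outfile"
    fi
}

# Constructed usage: a DNS troubleshooting capture involving a resolver at 10.0.0.53.
build_capture eth0 10 dns.pcap 'udp port 53' 'host 10.0.0.53'
```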


David Cao

Hey there! I am David, a Cloud & DevOps enthusiast with 18 years of experience as a Linux engineer. I work with AWS, Git & GitHub, Linux, Python, Ansible, and Bash. I am a technical blogger and a software engineer, and I enjoy sharing my learning and contributing to open source.