Tcpdump Cheat Sheet With Basic Advanced Examples
Updated: Jul 30
Tcpdump is a CLI tool to capture raw network packets. This tcpdump cheat sheet covers all the basic and advanced options for tcpdump command. It is very useful for various forms of network troubleshooting.
Purpose of Tcpdump
This tool is mainly used for troubleshooting network problems. For example, if we can have a DNS query issue, we can use this command to capture all the DNS packets to check out what happened. We will have more examples in the following tcpdump cheat sheet.
We can use this tool for the following purpose.
Troubleshoot network problems
Examine security problems
Debug protocol implementations
Learn network protocols
How to Run tcpdump?
We can run tcpdump in local server or remote server with an SSH session. It accepts many filters and allows us to display data about packets going in and out of an interface. We can also filter syntax which is very powerful.
When we run the tcpdump command without any options then it will capture packets of all the interfaces. We can stop or cancel the tcpdump command by typing “ctrl+c” .
Basic Packet Capturing Options In Tcpdump
Tcpdump command can be used to filter all different packets.
For more tcpdump command examples, please check here.
tcpdump -i any Capture from all interfaces
tcpdump -i eth0 Capture from specific interface ( Ex Eth0)
tcpdump -i eth0 -c 10 Capture first 10 packets and exit
tcpdump -D Show available interfaces
tcpdump -i eth0 -A Print in ASCII
tcpdump -i eth0 -w tcpdump.txt To save capture to a file
tcpdump -r tcpdump.txt Read and analyze saved capture file
tcpdump -n -i eth0 Do not resolve host names
tcpdump -nn -i eth0 Stop Domain name translation and lookups
tcpdump -i eth0 -c 10 -w tcpdump.pcap tcp Capture TCP packets only
tcpdump -i eth0 port 80 Capture traffic from a defined port only
tcpdump host 192.168.1.100 Capture packets from specific host
tcpdump net 10.1.1.0/16 Capture files from network subnet
tcpdump src 10.1.1.100 Capture from a specific source address
tcpdump dst 10.1.1.100 Capture from a specific destination address
tcpdump port 80 Filter traffic based on a port
tcpdump portrange 21-125 Filter based on port range
tcpdump IPV6 Show only IPV6 packets
Advanced Logical Operators in Tcpdump
We can get more advanced tcpdump command examples from here.
tcpdump -n src 192.168.1.1 and dst port 21 Combine filtering options
tcpdump dst 10.1.1.1 or !icmp Either of the condition can match
tcpdump dst 10.1.1.1 and not icmp Negation of the condition
tcpdump <32 Shows packets size less than 32
tcpdump >=32 Shows packets size greater than 32