Tcpdump is a command-line tool for capturing raw network packets. This tcpdump cheat sheet covers the basic and advanced options of the tcpdump command. It is very useful for many forms of network troubleshooting.
Purpose of Tcpdump
This tool is mainly used for troubleshooting network problems. For example, if we have a DNS query issue, we can use this command to capture all the DNS packets and check what actually happened on the wire. More examples follow in the cheat sheet below.
We can use this tool for the following purposes.
- Troubleshoot network problems
- Examine security problems
- Debug protocol implementations
- Learn network protocols
How to Run tcpdump?
We can run tcpdump on a local server or on a remote server over an SSH session. It accepts many filters and lets us display data about packets going in and out of an interface. Its filter syntax is very powerful.
When we run the tcpdump command without any options, it captures packets from all interfaces. We can stop the tcpdump command by pressing Ctrl+C.
Basic Packet Capturing Options In Tcpdump
The tcpdump command can filter many different kinds of packets.
- `tcpdump -i any` : Capture from all interfaces
- `tcpdump -i eth0` : Capture from a specific interface (here eth0)
- `tcpdump -i eth0 -c 10` : Capture the first 10 packets and exit
- `tcpdump -D` : Show available interfaces
- `tcpdump -i eth0 -A` : Print packet contents in ASCII
- `tcpdump -i eth0 -w tcpdump.txt` : Save the capture to a file (written in binary pcap format regardless of the extension, so read it back with -r rather than a text editor)
- `tcpdump -r tcpdump.txt` : Read and analyze a saved capture file
- `tcpdump -n -i eth0` : Do not resolve host names
- `tcpdump -nn -i eth0` : Do not resolve host names or port/service names
- `tcpdump -i eth0 -c 10 -w tcpdump.pcap tcp` : Capture TCP packets only
- `tcpdump -i eth0 port 80` : Capture traffic on a defined port only
- `tcpdump host 192.168.1.100` : Capture packets to or from a specific host
- `tcpdump net 10.1.0.0/16` : Capture packets from a network subnet (the address must have no bits set outside the mask, or tcpdump rejects the filter)
- `tcpdump src 10.1.1.100` : Capture from a specific source address
- `tcpdump dst 10.1.1.100` : Capture to a specific destination address
- `tcpdump port 80` : Filter traffic based on a port
- `tcpdump portrange 21-125` : Filter based on a port range
- `tcpdump ip6` : Show only IPv6 packets
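As an added example (not part of the original cheat sheet), the following Python script reads the text output of `tcpdump -nn -i eth0 port 53`, the DNS troubleshooting case mentioned above, and pairs each query with its response so that retransmitted, unanswered and NXDomain lookups stand out. The sample lines are constructed for the example, not a real capture.

```python
import re

# Constructed sample of `tcpdump -nn -i eth0 port 53` output (not a real capture).
SAMPLE_LINES = """\
12:00:01.000100 IP 192.168.1.100.41000 > 192.168.1.1.53: 4321+ A? example.com. (29)
12:00:01.010200 IP 192.168.1.1.53 > 192.168.1.100.41000: 4321 1/0/0 A 203.0.113.10 (45)
12:00:02.000300 IP 192.168.1.100.41001 > 192.168.1.1.53: 4322+ AAAA? example.com. (29)
12:00:07.000400 IP 192.168.1.100.41001 > 192.168.1.1.53: 4322+ AAAA? example.com. (29)
12:00:03.000500 IP 192.168.1.100.41002 > 192.168.1.1.53: 4323+ A? nx.example. (28)
12:00:03.004600 IP 192.168.1.1.53 > 192.168.1.100.41002: 4323 NXDomain 0/1/0 (100)
"""

# Query line:    "<client>.<port> > <server>.53: <txid>[+] <TYPE>? <name>. (<len>)"
QUERY_RE = re.compile(r"^(?P<ts>\S+) IP6? (?P<src>\S+) > (?P<dst>\S+)\.53: "
                      r"(?P<id>\d+)\+? (?P<qtype>[A-Z0-9]+)\? (?P<name>\S+) \(\d+\)$")
# Response line: "<server>.53 > <client>.<port>: <txid>[*$-] [rcode] <ans>/<auth>/<add> ..."
RESP_RE = re.compile(r"^(?P<ts>\S+) IP6? (?P<src>\S+)\.53 > (?P<dst>\S+): "
                     r"(?P<id>\d+)[*$-]* ?(?P<rcode>[A-Za-z]+)? ?(?P<ans>\d+)/\d+/\d+")


def summarize_dns(text):
    """Pair queries with responses by (client addr.port, transaction id).

    Returns (queries, orphans): queries maps that key to a summary dict;
    orphans lists responses for which no query was seen (capture started
    late, or an unsolicited answer worth a closer look).
    """
    queries, orphans = {}, []
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            entry = queries.setdefault((m["src"], int(m["id"])), {
                "name": m["name"], "qtype": m["qtype"], "attempts": 0,
                "answered": False, "rcode": None, "answers": 0})
            entry["attempts"] += 1  # same key again means the client retried
            continue
        m = RESP_RE.match(line)
        if m:
            entry = queries.get((m["dst"], int(m["id"])))
            if entry is None:
                orphans.append(line)
                continue
            entry["answered"] = True
            entry["rcode"] = m["rcode"] or "NoError"
            entry["answers"] = int(m["ans"])
    return queries, orphans


def unanswered(queries):
    """Sorted (name, qtype, attempts) for lookups that never got a reply."""
    return sorted((e["name"], e["qtype"], e["attempts"])
                  for e in queries.values() if not e["answered"])
```

Feed it a real capture with `sudo tcpdump -nn -l -i eth0 port 53 | python3 dnscheck.py` after adding a loop over `sys.stdin`; the regexes cover the common A/AAAA/NXDomain lines, so extend them for other record types before relying on the output.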
Advanced Logical Operators in Tcpdump
- `tcpdump -n src 192.168.1.1 and dst port 21` : Combine filter conditions
- `tcpdump 'dst 10.1.1.1 or !icmp'` : Either condition can match (quote the expression so the shell does not interpret the `!`)
- `tcpdump dst 10.1.1.1 and not icmp` : Negate a condition
- `tcpdump 'len < 32'` : Show packets with a size less than 32 bytes
- `tcpdump 'len >= 32'` : Show packets with a size of 32 bytes or greater