
TCPdump Cheat Sheet

Basic Usage

# Capture on interface (needs root or CAP_NET_RAW/CAP_NET_ADMIN)
tcpdump -i eth0

# List available interfaces
tcpdump -D

# Capture on all interfaces
# NOTE: on Linux the "any" pseudo-device captures in cooked (SLL) mode: promiscuous
# mode is not available and link-layer filters (`ether ...`) may not behave as expected.
tcpdump -i any

# Don't resolve hostnames (-n) or ports (-nn)
# -n  skips reverse-DNS on addresses (faster, and the capturing host sends no lookups of its own)
# -nn additionally prints port/protocol numbers instead of service names
tcpdump -nn -i eth0

# Verbose output (more header fields: TTL, ID, checksums, options, ...)
tcpdump -v    # verbose
tcpdump -vv   # more verbose
tcpdump -vvv  # maximum verbosity

Saving & Reading Captures

# Write to file (raw pcap; nothing is printed while writing — add -v for a periodic packet count)
tcpdump -i eth0 -w capture.pcap

# Read from file (BPF filters also apply on read, e.g. `tcpdump -r capture.pcap -nn port 80`)
tcpdump -r capture.pcap

# Write with rotation (10MB files, 5 files max)
# -C is in millions of bytes; files are suffixed 0..4 (capture.pcap0, ...) and reused as a ring.
# NOTE: where tcpdump drops root to an unprivileged user after opening the interface (-Z),
# the output directory must be writable by that user or the write fails with EACCES.
tcpdump -i eth0 -w capture.pcap -C 10 -W 5

# Read and display as ASCII (payload bytes; use -X for hex + ASCII)
tcpdump -r capture.pcap -A

Packet Count & Snapshot Length

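# Capture only 100 packets, then exit
tcpdump -i eth0 -c 100

# Capture full packet (-s 0 selects the default snaplen, 262144 bytes, on tcpdump >= 4.0;
# only needed explicitly on old versions whose default was 68)
tcpdump -i eth0 -s 0

# Capture only headers (no payload) — size the snaplen for the headers you need to keep.
# Ethernet 14 + IPv4 20 + TCP 20 fits in 68 (the legacy default), but IPv6 (40-byte header),
# 802.1Q VLAN tags and TCP options are truncated at 68. 128 bytes covers
# Ethernet + VLAN tag + IPv6 + TCP with a full set of options.
tcpdump -i eth0 -s 128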

Filtering by Host

# Specific host (src or dst); accepts an IP or a hostname (a name is resolved once at startup)
tcpdump host 192.168.1.1

# Only source
tcpdump src 192.168.1.1

# Only destination
tcpdump dst 192.168.1.1

# Network range (CIDR, or the older `net 192.168.1.0 mask 255.255.255.0` form)
tcpdump net 192.168.1.0/24
tcpdump src net 10.0.0.0/8

Filtering by Port

# Specific port (either direction, and both TCP and UDP — prefix with tcp/udp to narrow)
tcpdump port 80
tcpdump port 443

# Source/destination port
tcpdump src port 1024
tcpdump dst port 22

# Port range (inclusive)
tcpdump portrange 8000-9000

# Exclude port (handy for keeping your own SSH session out of the output)
tcpdump not port 22

Filtering by Protocol

# TCP only
tcpdump tcp

# UDP only
tcpdump udp

# ICMP only (IPv4; use `icmp6` for ICMPv6 — neighbour discovery, v6 ping, etc.)
tcpdump icmp

# ARP (IPv4 address resolution; IPv6 has no ARP, see icmp6)
tcpdump arp

# IPv6 (all IPv6 traffic; `ip` is the IPv4 counterpart)
tcpdump ip6

TCP Flag Filters

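# Flag tests read the TCP flags byte (tcp[tcpflags] is tcp[13]) and mask the bits of interest.
# NOTE: tcp[...] byte-offset filters only apply to IPv4 in libpcap; IPv6 segments are not matched.

# SYN packets (new connections)
# Mask SYN and ACK together so SYN-ACK replies are excluded; `tcp[tcpflags] & tcp-syn != 0`
# alone matches both the client's SYN and the server's SYN-ACK.
tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'

# Any segment with SYN set (SYN or SYN-ACK)
tcpdump 'tcp[tcpflags] & (tcp-syn) != 0'

# SYN-ACK (other flags ignored)
tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-ack) == (tcp-syn|tcp-ack)'

# RST packets (aborted connections, closed-port responses)
tcpdump 'tcp[tcpflags] & (tcp-rst) != 0'

# FIN packets (orderly close; FIN-ACK matches too)
tcpdump 'tcp[tcpflags] & (tcp-fin) != 0'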

Combining Filters

# AND (also written &&)
tcpdump host 192.168.1.1 and port 80

# OR (also written ||)
tcpdump port 80 or port 443

# NOT (also written !)
tcpdump not arp

# Grouping — the whole expression is quoted so the shell does not interpret the parentheses
tcpdump 'host 192.168.1.1 and (port 80 or port 443)'

Useful One-Liners

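# Capture HTTP traffic and show content (-A prints payload as ASCII; -X for hex + ASCII)
# Plaintext only: TLS-protected traffic on 443 is not readable this way.
tcpdump -i eth0 -A -s 0 port 80

# Capture DNS queries (UDP and TCP; -nn stops tcpdump from generating lookups of its own)
tcpdump -i eth0 -nn port 53

# Monitor new TCP connections (SYN without ACK — `tcp-syn != 0` alone also matches SYN-ACK)
# NOTE: tcp[...] offset filters match IPv4 only in libpcap.
tcpdump -i eth0 -nn 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'

# Capture credentials in plain text (HTTP/FTP/Telnet)
# Only on networks you are authorised to monitor. The pcap now holds the credentials:
# restrict its permissions and delete it when the engagement is over.
tcpdump -i eth0 -A -s 0 'port 21 or port 23 or port 80'

# Watch traffic between two hosts
tcpdump -i eth0 host 192.168.1.1 and host 192.168.1.2

# Capture TLS ClientHello records (where the SNI lives). tcpdump does not decode SNI itself:
# read the hostname from the -A dump or open the pcap in a TLS-aware decoder.
# Offsets: tcp[12] high nibble is the data offset in 32-bit words, so (&0xf0)>>2 is the TCP
# header length; payload byte 0 is the record type (0x16 handshake), byte 1 the major version
# (0x03), byte 5 the handshake message type (0x01 ClientHello). Testing payload byte 3 for
# 0x00 (as `= 0x16030100` / `0x16030300` does) only matches records of 255 bytes or less and
# so drops most modern ClientHellos. `dst port 443` keeps server-side handshake records out.
# QUIC/HTTP3 (UDP 443) and IPv6 are not matched by this filter.
tcpdump -i eth0 -nn -A 'tcp dst port 443 and tcp[((tcp[12:1] & 0xf0) >> 2):1] = 0x16 and tcp[((tcp[12:1] & 0xf0) >> 2)+1:1] = 0x03 and tcp[((tcp[12:1] & 0xf0) >> 2)+5:1] = 0x01'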