tcpdump Cheatsheet

Quick reference for tcpdump commands covering packet capture, host/port/protocol filters, output options, advanced filters, and BPF syntax

59 commands

tcpdump

Start capture on default interface

tcpdump -i {iface}

Capture on specific interface

tcpdump -i any

Capture on all interfaces

tcpdump -c {n}

Capture n packets then stop

tcpdump -D

List available interfaces

tcpdump -s {size}

Set snapshot length in bytes

tcpdump -s 0

Capture full packet

tcpdump -q

Quiet output (less protocol info)

tcpdump -e

Print link-level header

tcpdump host {ip}

Capture traffic to/from host

tcpdump src host {ip}

Filter by source host

tcpdump dst host {ip}

Filter by destination host

tcpdump net {cidr}

Filter by network range

tcpdump src net {cidr}

Filter by source network

tcpdump dst net {cidr}

Filter by destination network

tcpdump host {a} and host {b}

Traffic between two hosts

tcpdump not host {ip}

Exclude specific host

tcpdump port {n}

Capture traffic on specific port

tcpdump src port {n}

Filter by source port

tcpdump dst port {n}

Filter by destination port

tcpdump portrange {a}-{b}

Filter by port range

tcpdump port 80 or port 443

Filter multiple ports (OR)

tcpdump not port 22

Exclude specific port

tcpdump host {ip} and port {n}

Combined host and port filter

tcpdump tcp

Capture TCP packets only

tcpdump udp

Capture UDP packets only

tcpdump icmp

Capture ICMP packets only

tcpdump arp

Capture ARP packets only

tcpdump ip6

Capture IPv6 packets only

tcpdump vlan

Capture VLAN tagged packets

tcpdump 'tcp[tcpflags] & tcp-syn != 0'

TCP packets with SYN flag

tcpdump 'tcp[tcpflags] & tcp-rst != 0'

TCP packets with RST flag

tcpdump -w {file}

Write capture to pcap file

tcpdump -r {file}

Read from pcap file

tcpdump -n

Don't resolve hostnames

tcpdump -nn

Don't resolve hostnames or port names

tcpdump -t

Don't print timestamp

tcpdump -tt

Print Unix timestamp

tcpdump -ttt

Print delta between packets

tcpdump -v

Verbose output

tcpdump -vv

More verbose output

tcpdump -X

Print packet data in hex and ASCII

tcpdump -A

Print packet data in ASCII

tcpdump -C {size}

Rotate the -w output file at size (MB, in units of 1,000,000 bytes)

tcpdump -W {count}

Limit number of rotated files

tcpdump -G {sec}

Rotate file every n seconds

tcpdump -Z {user}

Drop privileges to specified user

tcpdump -l

Line-buffered mode (for piping)

tcpdump -K

Skip checksum verification

tcpdump -S

Print absolute TCP sequence numbers

and / &&

Logical AND

or / ||

Logical OR

not / !

Logical NOT

greater {n}

Packets with length greater than or equal to n bytes (len >= n)

less {n}

Packets with length less than or equal to n bytes (len <= n)

tcp[13] == 2

SYN packets only, with no other flag set (byte 13 of the TCP header holds the flags)

tcp[13] == 18

SYN-ACK packets only

tcp[13] & 4 != 0

Packets with RST flag set

ip[6:2] & 0x1fff != 0

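Fragmented IPv4 packets (matches fragments with a non-zero fragment offset, so the first fragment of a datagram is not matched)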