Ultimate Tcpdump Cheat Sheet

The standard command-line packet analyzer for packet capturing and filtering.

1. Basic Capture

Start listening on an interface immediately. Requires root (or sudo), because capturing needs raw access to the network interface.

List Interfaces

tcpdump -D

Listen on Interface

Capture packets on eth0.

tcpdump -i eth0

Listen on All Interfaces

tcpdump -i any

Limit Count (-c)

Stop after capturing 10 packets (otherwise it runs forever).

tcpdump -i eth0 -c 10

2. File Operations (PCAP)

Always save your captures to a .pcap file so you can analyze them in Wireshark later.

Write to File (-w)

tcpdump -i eth0 -w capture.pcap

Read from File (-r)

Analyze a saved file instead of live traffic.

tcpdump -r capture.pcap

Snapshot Length (-s)

By default, tcpdump may truncate large packets (older versions default to a small snapshot length). Use -s 0 to capture the full packet size; recent versions already default to a large snaplen, so -s 0 mainly matters on older builds or when a script has set a smaller value.

tcpdump -i eth0 -s 0 -w full_packets.pcap

3. Display Options

Control how the packets look in your terminal.

Flag            Description
-n              No DNS resolution. Shows IPs (1.2.3.4) instead of names (google.com). Faster.
-nn             No port or protocol name resolution either. Shows port numbers (80) instead of names (http).
-v, -vv, -vvv   Verbosity. Increases the amount of detail shown per packet.
-A              ASCII. Print packet payload in ASCII (great for reading web traffic).
-X              Hex & ASCII. Print payload in both hex and ASCII.
-t              No timestamp. Removes the timestamp for cleaner output.

Example: Readable Web Traffic

tcpdump -i eth0 -nn -A

4. Core Filters (BPF)

Tcpdump filter expressions use Berkeley Packet Filter (BPF) syntax, documented in pcap-filter(7). These are the most important part of the tool.

Host Filtering

tcpdump host 192.168.1.5

Network Filtering

tcpdump net 192.168.1.0/24

Port Filtering

tcpdump port 80
tcpdump portrange 1-1024

Protocol Filtering

Simply type the protocol name.

tcpdump icmp
tcpdump udp
tcpdump tcp

5. Logic & Direction

Combine multiple filters using and, or, and not.

Source or Destination

tcpdump src 192.168.1.100
tcpdump dst 192.168.1.100

Combining (AND)

Traffic coming from IP 1.2.3.4 AND going to port 80.

tcpdump src 1.2.3.4 and port 80

Excluding (NOT)

Capture everything EXCEPT SSH traffic.

tcpdump not port 22

Complex Logic

Note: When using parentheses `()`, wrap the filter in quotes so the shell does not try to interpret them.

tcpdump "src 10.0.0.1 and (port 80 or port 443)"

6. Advanced One-Liners

Ready-to-use commands for specific scenarios.

HTTP User Agents

Extract User-Agent headers from HTTP traffic. -l line-buffers the output so grep sees each line as soon as it is printed.

tcpdump -nn -A -s1500 -l | grep "User-Agent:"

Capture Cleartext Passwords

Look for "pass", "user", or "login" in the payload of unencrypted HTTP, with five lines of context on either side. Useful for confirming whether an application on your network is sending credentials in the clear. Options go before the filter expression:

tcpdump -l -A port 80 | grep -i -B5 -A5 'pass\|user\|login'

Detect Syn Scan

Look for packets with the SYN flag set but not ACK, i.e. the first packet of a handshake. A burst of these from one source to many ports is the signature of a SYN scan. (`tcp[tcpflags] & tcp-syn != 0` would also match the server's SYN-ACK replies.)

tcpdump "tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn"

Isolate HTTP GET Requests

Match packets whose TCP payload starts with the bytes 0x47455420 ("GET "). The index expression reads the TCP data offset (high nibble of byte 12, in 32-bit words) and converts it to a byte offset, so the check works whether or not the segment carries TCP options.

tcpdump -s 0 -A 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420'
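The two byte-offset filters above (the SYN check and the GET check) are easier to trust once you see the arithmetic they perform. The following is an added example, not part of the cheat sheet and not tcpdump's own code: it builds a handful of constructed Ethernet/IPv4/TCP frames (all addresses, ports and payloads are made up), evaluates the same byte-index logic in pure Python, and writes the frames to a pcap file so you can re-check them with `tcpdump -nn -r sample.pcap '<filter>'`. It also includes a naive `tcp[20:4]` variant to show why the data-offset arithmetic matters when a segment carries TCP options.

```python
"""Added example (not part of the cheat sheet): evaluate the section 6
byte-offset filters in pure Python on constructed sample frames."""
import socket
import struct

# TCP flag bits: the values behind tcpdump's tcp-fin, tcp-syn, ... keywords
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over an IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    total = (total >> 16) + (total & 0xFFFF)
    total += total >> 16
    return (~total) & 0xFFFF


def build_tcp_frame(src_ip, dst_ip, sport, dport, flags, payload=b"", options=b"") -> bytes:
    """Ethernet + IPv4 + TCP frame (constructed data). Options are padded to a
    32-bit boundary so the data offset (header length in words) stays valid."""
    options += b"\x00" * (-len(options) % 4)
    data_offset = 5 + len(options) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, data_offset << 4,
                      flags, 65535, 0, 0) + options          # TCP checksum left 0
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    eth = b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00"
    return eth + ip + tcp + payload


def tcp_header(frame: bytes) -> bytes:
    """Bytes from the start of the TCP header: what the tcp[n] index refers to."""
    ihl = (frame[14] & 0x0F) * 4                              # IPv4 header length
    return frame[14 + ihl:]


def syn_flag_set(frame: bytes) -> bool:
    """tcp[tcpflags] & tcp-syn != 0 : any packet with SYN set, SYN-ACK included."""
    return (tcp_header(frame)[13] & TCP_SYN) != 0


def syn_without_ack(frame: bytes) -> bool:
    """tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn : handshake opener or scan
    probe, but not the server's SYN-ACK."""
    return (tcp_header(frame)[13] & (TCP_SYN | TCP_ACK)) == TCP_SYN


def is_http_get(frame: bytes) -> bool:
    """tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420 : the high nibble of byte
    12 is the header length in words; masking and shifting right by 2 (>> 4
    then << 2) gives the byte offset of the payload. 0x47455420 is "GET "."""
    tcp = tcp_header(frame)
    payload_off = (tcp[12] & 0xF0) >> 2
    return tcp[payload_off:payload_off + 4] == struct.pack("!I", 0x47455420)


def naive_http_get(frame: bytes) -> bool:
    """tcp[20:4] = 0x47455420 : assumes a 20-byte TCP header, so it misses any
    GET carried in a segment that has TCP options."""
    return tcp_header(frame)[20:24] == b"GET "


def matching(filter_fn, frames):
    """Indices of the frames the filter accepts (what tcpdump would print)."""
    return [i for i, f in enumerate(frames) if filter_fn(f)]


def pcap_bytes(frames) -> bytes:
    """Minimal libpcap file image (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def write_pcap(path, frames):
    """Write the frames so they can be checked with: tcpdump -nn -r <path> '<filter>'."""
    with open(path, "wb") as fh:
        fh.write(pcap_bytes(frames))


# Constructed sample traffic: a SYN probe, the SYN-ACK reply, a plain GET, a GET
# in a segment carrying NOP,NOP,timestamp options (32-byte header), and a POST.
TS_OPTIONS = b"\x01\x01\x08\x0a" + b"\x00" * 8
SAMPLE_FRAMES = [
    build_tcp_frame("10.0.0.9", "10.0.0.5", 40001, 80, TCP_SYN),
    build_tcp_frame("10.0.0.5", "10.0.0.9", 80, 40001, TCP_SYN | TCP_ACK),
    build_tcp_frame("10.0.0.9", "10.0.0.5", 40001, 80, TCP_PSH | TCP_ACK,
                    b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    build_tcp_frame("10.0.0.9", "10.0.0.5", 40001, 80, TCP_PSH | TCP_ACK,
                    b"GET /index.html HTTP/1.1\r\n\r\n", options=TS_OPTIONS),
    build_tcp_frame("10.0.0.9", "10.0.0.5", 40001, 80, TCP_PSH | TCP_ACK,
                    b"POST /login HTTP/1.1\r\n\r\n"),
]

if __name__ == "__main__":
    write_pcap("sample.pcap", SAMPLE_FRAMES)
    for name, fn in [("SYN set", syn_flag_set), ("SYN without ACK", syn_without_ack),
                     ("GET, offset-aware", is_http_get), ("GET, tcp[20:4]", naive_http_get)]:
        print(f"{name:18} -> frames {matching(fn, SAMPLE_FRAMES)}")
```

Running the script writes sample.pcap and prints which frame indices each check accepts; running `tcpdump -nn -r sample.pcap "tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn"` and the GET filter from the sheet against the same file should select the same frames. The contrast between `is_http_get` and `naive_http_get` on the frame with timestamp options is the reason the cheat sheet's filter computes the offset from byte 12 instead of hard-coding 20.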