tcpdump Cheat Sheet

All the tables provided in the PDF and JPG of the cheat sheet are also presented in tables below which are easy to copy and paste.

The tcpdump cheat sheet covers:

  • Installation commands
  • Packet capturing options
  • Logical operators
  • Display/Output options
  • Protocols
  • Common commands with protocols for filtering captures


What’s included in the cheat sheet

The following categories and items have been included in the cheat sheet:

Installation commands

| Distribution | Command |
| --- | --- |
| CentOS and Red Hat | $ sudo yum install tcpdump |
| Fedora | $ sudo dnf install tcpdump |
| Ubuntu, Debian and Linux Mint | $ sudo apt-get install tcpdump |

Packet capturing options

| Switch | Syntax | Description |
| --- | --- | --- |
| -i any | tcpdump -i any | Capture from all interfaces |
| -i eth0 | tcpdump -i eth0 | Capture from a specific interface (e.g. eth0) |
| -c | tcpdump -i eth0 -c 10 | Capture the first 10 packets and exit |
| -D | tcpdump -D | Show available interfaces |
| -A | tcpdump -i eth0 -A | Print in ASCII |
| -w | tcpdump -i eth0 -w tcpdump.pcap | Save the capture to a file |
| -r | tcpdump -r tcpdump.pcap | Read and analyze a saved capture file |
| -n | tcpdump -n -i eth0 | Do not resolve host names |
| -nn | tcpdump -nn -i eth0 | Stop domain name translation and lookups (host names or port names) |
| tcp | tcpdump -i eth0 -c 10 -w tcpdump.pcap tcp | Capture TCP packets only |
| port | tcpdump -i eth0 port 80 | Capture traffic from a defined port only |
| host | tcpdump host host_name_or_ip | Capture packets from a specific host |
| net | tcpdump net subnet_in_cidr | Capture packets from a network subnet |
| src | tcpdump src source_address | Capture from a specific source address |
| dst | tcpdump dst destination_address | Capture packets sent to a specific destination address |
| port (service name) | tcpdump port http | Filter traffic based on a service |
| port (number) | tcpdump port 80 | Filter traffic based on a port number for a service |
| portrange | tcpdump portrange 21-125 | Filter based on port range |
| -s | tcpdump -s 0 port http | Capture the entire packet (a snapshot length of 0 selects the default maximum) |
| ip6 | tcpdump ip6 | Show only IPv6 packets |
| -d | tcpdump -d port 80 | Print the compiled filter code in human-readable form on standard output and exit |
| -F | tcpdump -F filter_file | Read the filter expression from the given file |
| -I | tcpdump -I -i wlan0 | Set the interface to monitor mode (supported only on IEEE 802.11 Wi-Fi interfaces) |
| -L | tcpdump -L | Display data link types for the interface |
| -N | tcpdump -N -r tcpdump.pcap | Do not print the domain name qualification of host names |
| -K | tcpdump -K -r tcpdump.pcap | Do not verify checksums |
| -p | tcpdump -p -i eth0 | Do not capture in promiscuous mode |

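Logical operators

Quote any filter expression that contains characters the shell would otherwise interpret (||, !, <, >).

| Operator | Syntax | Description |
| --- | --- | --- |
| and, && | tcpdump -n src and dst port 21 | Combine filtering options |
| or, \|\| | tcpdump 'dst destination_address or not icmp' | Either of the conditions can match |
| not, ! | tcpdump 'dst destination_address and not icmp' | Negation of the condition |
| < | tcpdump 'len < 32' | Shows packets with a size less than 32 bytes |
| >= | tcpdump 'len >= 32' | Shows packets with a size greater than or equal to 32 bytes |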

Display/Output options

| Switch | Description |
| --- | --- |
| -q | Quiet and less verbose mode; displays less detail |
| -t | Do not print time stamp details in dump |
| -v | Little verbose output |
| -vv | More verbose output |
| -vvv | Most verbose output |
| -x | Print data and headers in HEX format |
| -xx | Print data with link headers in HEX format |
| -X | Print output in HEX and ASCII format excluding link headers |
| -XX | Print output in HEX and ASCII format including link headers |
| -e | Print link (Ethernet) headers |
| -S | Print sequence numbers in exact (absolute) format |



Protocols

ether, fddi, icmp, ip, ip6, ppp, radio, rarp, slip, tcp, udp, wlan

Common commands with protocols for filtering captures

| Syntax | Description |
| --- | --- |
| src/dst host (host name or IP) | Filter by source or destination IP address or host |
| ether src/dst host (Ethernet host name or MAC address) | Ethernet host filtering by source or destination |
| src/dst net (subnet in CIDR notation) | Filter by subnet |
| tcp/udp src/dst port (port number) | Filter TCP or UDP packets by source or destination port |
| tcp/udp src/dst portrange (port number range) | Filter TCP or UDP packets by source or destination port range |
| ether/ip broadcast | Filter for Ethernet or IP broadcasts |
| ether/ip multicast | Filter for Ethernet or IP multicasts |

tcpdump FAQs

How do you filter MAC addresses using tcpdump?

Use the ether host filter on the tcpdump command to limit output to a specific MAC address: tcpdump ether host aa:bb:cc:11:22:33

How do I use tcpdump on a specific port?

Use the port filter on the tcpdump command to specify a port: tcpdump port 80

How do you read tcpdump output?

There is a read option on tcpdump, which is represented by the switch -r as in: tcpdump -r file_path_and_name