All the tables provided in the PDF and JPG of the cheat sheet are also presented in tables below which are easy to copy and paste.
The tcpdump cheat sheet covers:
- Installation commands
- Packet capturing options
- Logical operators
- Display/Output options
- Protocols
- Common commands with protocols for filtering captures
See also: 10 Best Packet Analyzers
View or Download the Cheat Sheet JPG image
Right-click on the image below to save the JPG file (2500 width x 1803 height in pixels), or click here to open it in a new browser tab. Once the image opens in a new window, you may need to click on the image to zoom in and view the full-sized JPG.
View or Download the cheat sheet PDF file
You can download the PDF file here. When it opens in a new browser tab, simply right-click on the PDF and navigate to the download/save selection, usually located in the top right-hand corner of the screen.
Related post: What is tcpdump?
What’s included in the cheat sheet
The following categories and items have been included in the cheat sheet:
Installation commands
Installation Commands |
|
---|---|
CENT OS and REDHAT | $ sudo yum install tcpdump |
Fedora | $ dnf install tcpdump |
Ubuntu, Debian and Linux Mint | #apt-get install tcpdump |
Packet capturing options
Packet Capturing Options |
||
---|---|---|
Switch | Syntax | Description |
-i any | tcpdump -i any | Capture from all interfaces |
-i eth0 | tcpdump -i eth0 | Capture from specific interface ( Ex Eth0) |
-c | tcpdump -i eth0 -c 10 | Capture first 10 packets and exit |
-D | tcpdump -D | Show available interfaces |
-A | tcpdump -i eth0 -A | Print in ASCII |
-w | tcpdump -i eth0 -w tcpdump.txt | To save capture to a file |
-r | tcpdump -r tcpdump.txt | Read and analyze saved capture file |
-n | tcpdump -n -I eth0 | Do not resolve host names |
-nn | tcpdump -n -i eth0 | Stop Domain name translation and lookups (Host names or port names ) |
tcp | tcpdump -i eth0 -c 10 -w tcpdump.pcap tcp | Capture TCP packets only |
port | tcpdump -i eth0 port 80 | Capture traffic from a defined port only |
host | tcpdump host 192.168.1.100 | Capture packets from specific host |
net | tcpdump net 10.1.1.0/16 | Capture files from network subnet |
src | tcpdump src 10.1.1.100 | Capture from a specific source address |
dst | tcpdump dst 10.1.1.100 | Capture from a specific destination address |
<service> | tcpdump http | Filter traffic based on a port number for a service |
<port> | tcpdump port 80 | Filter traffic based on a service |
port range | tcpdump portrange 21-125 | Filter based on port range |
-S | tcpdump -S http | Display entire packet |
ipv6 | tcpdunp -IPV6 | Show only IPV6 packets |
-d | tcpdump -d tcpdump.pcap | display human readable form in standard output |
-F | tcpdump -F tcpdump.pcap | Use the given file as input for filter |
-I | tcpdump -I eth0 | set interface as monitor mode |
-L | tcpdump -L | Display data link types for the interface |
-N | tcpdump -N tcpdump.pcap | not printing domian names |
-K | tcpdump -K tcpdump.pcap | Do not verify checksum |
-p | tcpdump -p -i eth0 | Not capturing in promiscuous mode |
Logical operators
Logical Operators |
|||
---|---|---|---|
Operator | Syntax | Example | Description |
AND | and, && | tcpdump -n src 192.168.1.1 and dst port 21 | Combine filtering options |
OR | or, || | tcpdump dst 10.1.1.1Â ||Â !icmp | Either of the condition can match |
EXCEPT | not, ! | tcpdump dst 10.1.1.1 and not icmp | Negation of the condition |
LESS | < | tcpdump <32 | Shows packets size less than 32 |
GREATER | > | tcpdump >=32 | Shows packets size greater than 32 |
Display/Output options
Display / Output Options |
|
---|---|
Switch | Description |
-q | Quite and less verbose mode display less details |
-t | Do not print time stamp details in dump |
-v | Little verbose output |
-vv | More verbose output |
-vvv | Most verbose output |
-x | Print data and headers in HEX format |
-xx | Print data with link headers in HEX format |
-X | Print output in HEX and ASCII format excluding link headers |
-XX | Print output in HEX and ASCII format including link headers |
-e | Print Link (Ethernet) headers |
-S | Print sequence numbers in exact format |
Protocols
Protocols |
|||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Ether, fddi, icmp ,ip, ip6 , ppp, radio, rarp, slip, tcp , udp, wlan |
Common commands with protocols for filtering captures
Common Commands with Protocols for Filtering Captures |
|
---|---|
src/ dsthost (host name or IP) | Filter by source or destination IP address or host |
ether src/ dst host (ethernet host name or IP) | Ethernet host filtering by source or destination |
src/ dstnet (subnet mask in CIDR) | Filter by subnet |
tcp/udp src/dst port ( port number) | Filter TCP or UDP packets by source or destination port |
tcp/udp src/dst port range ( port number range) | Filter TCP or UDP packets by source or destination port range |
ether/ip broadcast | Filter for Ethernet or IP broadcasts |
ether/ip multicast | Filter for Ethernet or IP multicasts |
tcpdump FAQs
How do you filter MAC addresses using tcpdump?
Use the host option on the tcpdump command to limit output to a specific MAC address: tcpdump ether host aa:bb:cc:11:22:33
How do I use tcpdump on a specific port?
Use the port option on the tcpdump command to specify a port: tcpdump ether port 80
How do you read tcpdump output?
There is a read option on tcpdump, which is represented by the switch -r as in: tcpdump -r file_path_and_name