The Ultimate tcpdump Cheat Sheet 2024


Have you ever wondered how to monitor network traffic using the command line? Do you want to capture packets automatically when away from your workstation? Or maybe you might want the computer to analyze network data as a scheduled task? Learning to use tcpdump will prove valuable if these sound like what’s on your mind. 

This tcpdump cheat sheet will help you get familiar with the appropriate tcpdump filters and commands to use in various situations. We first present the tcpdump switches and commands available, followed by usage examples of each tcpdump command. Getting the syntax right is important if you want to use tcpdump effectively.

Download a PDF copy of this tcpdump cheat sheet for your records here, and scroll below to find a list of the ​common commands in tcpdump.


What Is TCPDump?

tcpdump is a command-line tool used to capture traffic on the network and analyze captured packets of data passing through your machine.

Its functionality is similar to Wireshark, but it’s especially helpful when you can’t access a graphical user interface and when automation is essential. Therefore, you can run tcpdump on remote servers or devices on demand or as a scheduled background job as part of an executable script.

Several Linux distributions come pre-loaded with tcpdump; if not, use the distribution’s package manager to install it. You can find the location of the binary with the command which tcpdump. Live capture opens a raw socket, so run tcpdump as root (sudo) or, on Linux, give the binary the CAP_NET_RAW and CAP_NET_ADMIN capabilities; reading a saved capture file needs no special privileges.

Capture Commands

Use the following commands to capture data packets.

Command | Example usage | Explanation
------- | ------------- | -----------
-i any | tcpdump -i any | Capture from all interfaces. Live capture requires root (sudo/su) or the equivalent capabilities.
-i eth0 | tcpdump -i eth0 | Capture from the interface eth0
-c count | tcpdump -i eth0 -c 5 | Exit after receiving count (here 5) packets
-r captures.pcap | tcpdump -r captures.pcap | Read and analyze the saved capture file captures.pcap instead of a live interface (-i is ignored when -r is given)
tcp | tcpdump -i eth0 tcp | Show TCP packets only
udp | tcpdump -i eth0 udp | Show UDP packets only
icmp | tcpdump -i eth0 icmp | Show ICMP packets only
ip | tcpdump -i eth0 ip | Show IPv4 packets only
ip6 | tcpdump -i eth0 ip6 | Show IPv6 packets only
arp | tcpdump -i eth0 arp | Show ARP packets only
rarp | tcpdump -i eth0 rarp | Show RARP packets only
slip | tcpdump -i eth0 slip | Show SLIP packets only
-I | tcpdump -i wlan0 -I | Put the interface into monitor mode (IEEE 802.11 wireless interfaces only)
-K | tcpdump -i eth0 -K | Don’t verify IP, TCP or UDP checksums (avoids spurious bad-checksum reports when the NIC offloads checksumming of outgoing packets)
-p | tcpdump -i eth0 -p | Don’t put the interface into promiscuous mode, so only traffic addressed to this host (plus broadcast and multicast) is captured

Filter Commands

You can add a filter expression after the tcpdump switches to pick out specific packets. Filters are especially helpful when you want to analyze saved packet capture files. An expression is built from primitives, each a qualifier (such as host, net, port, src or dst) followed by its value, and primitives can be combined with the logical operators and, or and not. Quote the whole expression when it contains characters the shell would otherwise interpret, such as parentheses, !, < or >.

In the following examples, 127.0.0.1 is a placeholder for an IPv4 or IPv6 address and 01:23:45:AB:CD:EF for a MAC address; a hostname is accepted wherever an IP address is.

Filter expression | Explanation
----------------- | -----------
src host 127.0.0.1 | Source address or hostname is 127.0.0.1
dst host 127.0.0.1 | Destination address or hostname is 127.0.0.1
host 127.0.0.1 | Source or destination is 127.0.0.1
ether src 01:23:45:AB:CD:EF | Source MAC address is 01:23:45:AB:CD:EF
ether dst 01:23:45:AB:CD:EF | Destination MAC address is 01:23:45:AB:CD:EF
ether host 01:23:45:AB:CD:EF | Source or destination MAC address is 01:23:45:AB:CD:EF
src net 127.0.0.1 | Source address belongs to network 127.0.0.1 (give a shorter network number such as 10.0.0, or a /len prefix, to match a range of hosts)
dst net 127.0.0.1 | Destination address belongs to network 127.0.0.1
net 127.0.0.1 | Source or destination address belongs to network 127.0.0.1
net 127.0.0.1/24 | Source or destination address is within the /24 network containing 127.0.0.1 (CIDR prefix length 24; net 127.0.0.0 mask 255.255.255.0 is equivalent)
src port 80 | Source port is 80
dst port 80 | Destination port is 80
port 80 | Source or destination port is 80
src portrange 80-400 | Source port is between 80 and 400 inclusive
dst portrange 80-400 | Destination port is between 80 and 400 inclusive
portrange 80-400 | Source or destination port is between 80 and 400 inclusive
ether broadcast | Ethernet broadcast frames
ip broadcast | IPv4 broadcast packets (needs the netmask of the capturing interface, so it is unreliable on saved captures)
ether multicast | Ethernet multicast frames
ip multicast | IPv4 multicast packets
ip6 multicast | IPv6 multicast packets
ip src host mydevice | IPv4 packets whose source hostname is mydevice
arp dst host mycar | ARP packets whose target is the host mycar
rarp src host 127.0.0.1 | RARP packets with source 127.0.0.1
ip6 dst host mywatch | IPv6 packets whose destination hostname is mywatch
tcp dst port 8000 | TCP packets with destination port 8000
udp src portrange 1000-2000 | UDP packets with source port between 1000 and 2000 inclusive
sctp port 22 | SCTP packets with source or destination port 22

For details on how filter expressions work, go to the tcpdump website.


Display Commands

These tcpdump switches tell the terminal how to display the output.

Command | Example | Explanation
------- | ------- | -----------
-A | tcpdump -i eth0 -A | Print each packet (minus its link-level header) in ASCII. Handy for reading plaintext protocols such as HTTP.
-D | tcpdump -D | Print the list of network interfaces on the system on which tcpdump can capture packets.
-e | tcpdump -i eth0 -e | Print the link-level header on each output line, such as MAC addresses for Ethernet and IEEE 802.11.
-F params.conf | tcpdump -i eth0 -F /path/to/params.conf | Read the filter expression from the file params.conf; any filter given on the command line is ignored.
-n | tcpdump -i eth0 -n | Don’t convert host addresses to names (-nn also leaves port numbers unresolved). This avoids DNS lookups that slow tcpdump down and themselves generate traffic.
-S | tcpdump -i eth0 -S | Print absolute rather than relative TCP sequence numbers (the raw 32-bit values, so the numbers are longer).
--time-stamp-precision=tsp | tcpdump -i eth0 --time-stamp-precision=nano | When capturing, set the timestamp precision to tsp: micro for microseconds (default) or nano for nanoseconds.
-t | tcpdump -i eth0 -t | Omit the timestamp on each output line.
-tt | tcpdump -i eth0 -tt | Print the timestamp as seconds, and fractions of a second, since January 1, 1970, 00:00:00 UTC on each line.
-ttt | tcpdump -i eth0 -ttt | Print the delta between the current and previous line on each output line (microsecond resolution by default, nanosecond with --time-stamp-precision=nano).
-tttt | tcpdump -i eth0 -tttt | Print the timestamp as the date followed by hours, minutes, seconds and fractions of a second.
-ttttt | tcpdump -i eth0 -ttttt | Print the delta between the current and first line on each output line (resolution as for -ttt).
-u | tcpdump -i eth0 -u | Print undecoded network file system (NFS) handles.
-v | tcpdump -i eth0 -v | Verbose output: for example the TTL, identification, total length and options of IP packets, plus extra integrity checks such as IP and ICMP header checksum verification. When writing to a file (-w) and not reading from one (-r), also report the number of packets captured to standard error once per second.
-vv | tcpdump -i eth0 -vv | More verbose than -v (for example, additional NFS reply fields and fully decoded SMB packets).
-vvv | tcpdump -i eth0 -vvv | More verbose than -vv.
-x | tcpdump -i eth0 -x | Print the headers and data of each packet (minus its link-level header) in hex.
-xx | tcpdump -i eth0 -xx | Print the headers and data of each packet, including its link-level header, in hex.
-X | tcpdump -i eth0 -X | Print the headers and data of each packet (minus its link-level header) in hex and ASCII.
-XX | tcpdump -i eth0 -XX | Print the headers and data of each packet, including its link-level header, in hex and ASCII.

(The original article illustrates -A with two screenshots, sudo tcpdump twitter without -A and sudo tcpdump -A twitter with -A showing the ASCII payload, and -D with a screenshot of its interface list.)
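The timestamp switches above (-tt, -ttt, -ttttt) and -n/-nn matter most when tcpdump output is fed to another tool rather than read by eye. The script below is an added example and not part of the original cheat sheet: it post-processes a constructed sample of tcpdump -nn -tt output (the sample lines are made up for this illustration) with awk, first reproducing the per-packet deltas that -ttt and -ttttt print, then counting SYN-only packets per source address as a rough first pass at spotting a port scan. The helper names with_deltas and syn_scan_report and the threshold of 3 SYNs are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original article): post-processing `tcpdump -nn -tt`
# output with awk. with_deltas reproduces what -ttt (delta to the previous packet)
# and -ttttt (delta to the first packet) print; syn_scan_report counts SYN-only
# packets per source address, a quick triage for port scans.

# Constructed sample of `tcpdump -nn -tt` output. Not a real capture: the first
# host probes four ports in under a millisecond, the second completes a handshake.
SAMPLE='1700000000.000100 IP 10.0.0.5.40001 > 10.0.0.9.22: Flags [S], seq 1, win 64240, length 0
1700000000.000350 IP 10.0.0.5.40002 > 10.0.0.9.80: Flags [S], seq 2, win 64240, length 0
1700000000.000600 IP 10.0.0.5.40003 > 10.0.0.9.443: Flags [S], seq 3, win 64240, length 0
1700000000.000850 IP 10.0.0.5.40004 > 10.0.0.9.8080: Flags [S], seq 4, win 64240, length 0
1700000001.200000 IP 10.0.0.7.51000 > 10.0.0.9.80: Flags [S], seq 9, win 65535, length 0
1700000001.200900 IP 10.0.0.9.80 > 10.0.0.7.51000: Flags [S.], seq 100, ack 10, win 65160, length 0
1700000001.201500 IP 10.0.0.7.51000 > 10.0.0.9.80: Flags [P.], seq 10:28, ack 101, win 501, length 18'

# with_deltas: read -tt lines on stdin and prefix each with "delta_prev delta_first".
# awk works in doubles, so microsecond deltas on epoch-scale timestamps are only
# approximate; when that matters, let tcpdump compute them with -ttt / -ttttt.
with_deltas() {
  awk '
    NR == 1 { first = $1; prev = $1 }
    { printf "%.6f %.6f %s\n", $1 - prev, $1 - first, $0; prev = $1 }
  '
}

# syn_scan_report THRESHOLD: sources that sent at least THRESHOLD SYN-only
# packets ("Flags [S]" with no ACK), printed as "source count", one per line.
# Field layout of a -nn -tt line: $1 ts, $2 IP, $3 src.port, $4 >, $5 dst.port:, $6 Flags, $7 [S],
syn_scan_report() {
  awk -v min="$1" '
    $6 == "Flags" && $7 == "[S]," {
      src = $3; sub(/\.[0-9]+$/, "", src)   # strip the source port
      n[src]++
    }
    END { for (s in n) if (n[s] >= min + 0) print s, n[s] }
  ' | sort
}

printf '%s\n' "$SAMPLE" | with_deltas
printf '%s\n' "$SAMPLE" | syn_scan_report 3
```

Against a live interface the same functions take tcpdump's stdout directly, for example tcpdump -i eth0 -nn -tt -c 1000 tcp | syn_scan_report 20; -nn keeps the source field in the dotted address.port form the awk program expects, and -tt gives it a single numeric timestamp to subtract.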

Output Commands

Customize your tcpdump output with the following commands.

Command | Example | Explanation
------- | ------- | -----------
-w captures.pcap | tcpdump -i eth0 -w captures.pcap | Write the raw packets to the file captures.pcap instead of printing them; read the file back later with -r or open it in Wireshark
-d | tcpdump -i eth0 -d 'port 80' | Dump the compiled packet-matching code (the BPF program) for the filter expression in human-readable form to standard output and exit. Useful for checking that a filter parses as you intended before capturing.
-L | tcpdump -i eth0 -L | List the data link types the interface supports and exit
-q | tcpdump -i eth0 -q | Quick/quiet output: print less protocol information, so output lines are shorter
-U | tcpdump -i eth0 -U -w out.pcap | Without -w: flush the printed description of each packet as soon as it is decoded (packet-buffered output). With -w: write each packet to out.pcap as it is received rather than only when the output buffer fills, so the file is readable while the capture is still running.

Miscellaneous Commands

The following commands don’t fall into the categories above.

Here are the logical operators and length primitives that tcpdump filter expressions use, again with 127.0.0.1 as a placeholder for IPv4/IPv6 addresses. Quote any expression containing <, >, !, parentheses or ||, otherwise the shell treats them as redirection, history expansion or a pipeline:

Operator | Syntax | Example | Description
-------- | ------ | ------- | -----------
AND | and, && | tcpdump -n src 127.0.0.1 and dst port 21 | Match only when both conditions hold
OR | or, || | tcpdump dst 127.0.0.1 or src port 22 | Match when either condition holds
NOT | not, ! | tcpdump dst 127.0.0.1 and not icmp | Negate the condition that follows
LESS | less length | tcpdump dst host 127.0.0.1 and less 128 | Match packets of at most 128 bytes (equivalent to len <= 128)
GREATER | greater length | tcpdump dst host 127.0.0.1 and greater 64 | Match packets of at least 64 bytes (equivalent to len >= 64)
RELATIONAL | <, <=, >, >=, =, != | tcpdump 'host 127.0.0.1 and len > 32' | Arithmetic comparison on the packet length (len) or on header bytes addressed as proto[offset:size], e.g. 'tcp[13] & 0x02 != 0' for packets with the SYN flag set

The length that len, less and greater test is the captured length including the link-layer header (14 bytes on Ethernet), not the IP total length.

Example Usage

In the examples below, we craft specific commands by combining tcpdump switches and tcpdump filters.

Example | Explanation
------- | -----------
tcpdump -r outfile.pcap src host 10.0.2.15 | Print all packets in the file outfile.pcap coming from the host with IP address 10.0.2.15
tcpdump -i any ip and not tcp port 80 | Listen on every interface for IPv4 packets that are not HTTP (TCP port 80)
tcpdump -i eth0 -n 'len > 32' -w pv01.pcap -c 30 | Save 30 packets longer than 32 bytes from eth0 to pv01.pcap without name resolution. The expression is quoted so the shell does not treat > as output redirection.
tcpdump -AtuvX icmp | Capture ICMP traffic and print each packet in hex and ASCII (-X) as well as plain ASCII (-A), with headers and data, undecoded NFS handles (-u) and verbose decoding (-v), but without link-level headers or timestamps (-t)
tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | Print only IPv4 HTTP packets to or from port 80 that carry data, skipping SYN, FIN and ACK-only packets. ip[2:2] is the IP total length, (ip[0]&0xf)<<2 the IP header length in bytes (IHL is in 32-bit words) and (tcp[12]&0xf0)>>2 the TCP header length in bytes (data offset, also in 32-bit words); the difference is the TCP payload size.
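The last example relies on indexing raw header bytes, and it is easier to trust once the arithmetic has been worked by hand. The script below is an added example, not code from the original article: it applies the same expression, ip[2:2] minus the IP header length minus the TCP header length, to three constructed IPv4+TCP packets (a bare SYN, a SYN carrying 12 bytes of TCP options, and an 18-byte HTTP GET), so you can see why SYN and ACK-only packets fail the != 0 test and why the TCP data offset has to be subtracted rather than a fixed 20 bytes. The packet bytes and helper names (hex_byte, ip_hdr_len, tcp_hdr_len, tcp_payload_len, has_payload) are this example's own; tcpdump itself is not needed to run it.

```shell
#!/bin/sh
# Added example (not from the original article): the byte-offset arithmetic behind
#   tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)
# applied to constructed IPv4+TCP headers, so the filter can be understood offline.
# ip[N] and tcp[N] index bytes of the IP and TCP headers exactly as tcpdump does.

# Constructed packets (hex, IPv4 header first, no Ethernet header). Not real captures.
# Bare SYN: 20-byte IP header + 20-byte TCP header, total length 0x28 = 40.
PKT_SYN='450000280001000040060000c0a80001c0a80002d431005000000001000000005002721000000000'
# SYN with 12 bytes of options (MSS, NOPs, SACK-permitted, window scale): data offset 8 words, total 0x34 = 52.
PKT_SYN_OPTS='450000340003000040060000c0a80001c0a80002d431005000000001000000008002721000000000020405b40101040201030307'
# PSH/ACK carrying "GET / HTTP/1.0\r\n\r\n" (18 bytes): total length 0x3a = 58.
PKT_GET='4500003a0002000040060000c0a80001c0a80002d431005000000002000000015018721000000000474554202f20485454502f312e300d0a0d0a'

# hex_byte HEX OFFSET: decimal value of the byte at 0-based OFFSET in the hex string
hex_byte() {
  _b=$(printf '%s' "$1" | cut -c "$((2 * $2 + 1))-$((2 * $2 + 2))")
  echo $((0x$_b))
}

# ip_hdr_len HEX: (ip[0]&0xf)<<2, the IPv4 header length in bytes (IHL is in 32-bit words)
ip_hdr_len() { echo $(( ($(hex_byte "$1" 0) & 15) << 2 )); }

# ip_total_len HEX: ip[2:2], the big-endian 16-bit IPv4 total length field
ip_total_len() { echo $(( $(hex_byte "$1" 2) * 256 + $(hex_byte "$1" 3) )); }

# tcp_hdr_len HEX: (tcp[12]&0xf0)>>2, the TCP header length in bytes.
# tcp[12] lives at ip_hdr_len + 12 from the start of the IP header.
tcp_hdr_len() {
  _ihl=$(ip_hdr_len "$1")
  echo $(( ($(hex_byte "$1" $((_ihl + 12))) & 240) >> 2 ))
}

# tcp_payload_len HEX: the filter's expression, total - IP header - TCP header
tcp_payload_len() {
  echo $(( $(ip_total_len "$1") - $(ip_hdr_len "$1") - $(tcp_hdr_len "$1") ))
}

# tcp_flags HEX: tcp[13], the flags byte (0x02 SYN, 0x10 ACK, 0x08 PSH, 0x01 FIN)
tcp_flags() { hex_byte "$1" $(( $(ip_hdr_len "$1") + 13 )); }

# has_payload HEX: succeed when the filter's "!= 0" clause would match the packet
has_payload() { [ "$(tcp_payload_len "$1")" -ne 0 ]; }

for p in "$PKT_SYN" "$PKT_SYN_OPTS" "$PKT_GET"; do
  if has_payload "$p"; then m=match; else m=no-match; fi
  printf 'flags=0x%02x ip_hdr=%d tcp_hdr=%d payload=%d -> %s\n' \
    "$(tcp_flags "$p")" "$(ip_hdr_len "$p")" "$(tcp_hdr_len "$p")" \
    "$(tcp_payload_len "$p")" "$m"
done
```

Both SYNs come out with payload 0 and are rejected, even though the second is 12 bytes longer on the wire, because the data offset absorbs the options; only the GET has a non-zero payload. Note that tcpdump's own len, as used by less and greater, would add the 14-byte Ethernet header these samples omit.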

Conclusion

We hope this tcpdump cheat sheet has been a handy guide in your studies and work. Remember to check out our networking courses and articles on networking.


  • Cassandra Lee

    Cassandra is a writer, artist, musician, and technologist who makes connections across disciplines: cyber security, writing/journalism, art/design, music, mathematics, technology, education, psychology, and more. She's been a vocal advocate for girls and women in STEM since the 2010s, having written for Huffington Post, International Mathematical Olympiad 2016, and Ada Lovelace Day, and she's honored to join StationX. You can find Cassandra on LinkedIn and Linktree.

  • taotaonie says:

    It’s very useful, thank you
