tcpdump cheatsheet
Switch | Syntax | Description
----------- | -------------------------- | ----------------------------------
-A | tcpdump -i eth0 -A | Print in ASCII
-c | tcpdump -i eth0 -c 10 | Capture first 10 packets
-D | tcpdump -D | Show available interfaces
-i any | tcpdump -i any | Capture from all interfaces
-i eth0 | tcpdump -i eth0 | Capture from specific interface
-w | tcpdump -i eth0 -w out.pcap | Save raw capture to file (binary pcap, not text)
-r | tcpdump -r out.pcap | Read capture file
-n | tcpdump -n -i eth0 | Don't resolve host names...
-nn | tcpdump -nn -i eth0 | ...and also no port-to-service-name translation
tcp | tcpdump -i eth0 tcp | Capture TCP packets only
port | tcpdump -i eth0 port 80 | Capture packets on port
host | tcpdump host 192.168.1.100 | Capture packets to/from host
net | tcpdump net 10.1.1.0/24 | Capture packets to/from network (mask must match the address; 10.1.1.0/16 is rejected)
src | tcpdump src 10.1.1.100 | Capture packets from source
dst | tcpdump dst 10.1.1.100 | Capture packets to destination
<service> | tcpdump port http | Filter based on a service name (resolved via /etc/services)
<port> | tcpdump port 80 | Filter based on a port number
<portrange> | tcpdump portrange 21-125 | Filter based on a port range
-s 0 | tcpdump -i eth0 -s 0 port http | Capture the entire packet (no snaplen truncation)
-d | tcpdump -d 'port 80' | Dump the compiled filter (BPF) in human-readable form to stdout; no capture is started
-F | tcpdump -i eth0 -F filter.txt | Read the filter expression from a file
-I | tcpdump -I -i wlan0 | Put (wireless) interface in monitor mode
-L | tcpdump -L -i eth0 | List data link types for interface
-N | tcpdump -N -r tcpdump.pcap | Print host names without domain qualification
-K | tcpdump -K -r tcpdump.pcap | Don't verify checksums
-p | tcpdump -p -i eth0 | Don't put the interface into promiscuous mode
Logical Operators
Operator | Syntax | Example
----------- | --------- | ----------------------------------------------
AND | and, && | tcpdump -n 'src 192.168.1.1 and dst port 21'
OR | or, || | tcpdump 'dst 10.1.1.1 or not icmp'
EXCEPT | not, ! | tcpdump 'dst 10.1.1.1 and not icmp'
LESS | < | tcpdump 'len < 32' # packets smaller than 32 bytes (quote the filter: < is a shell redirect)
GREATER | > | tcpdump 'len > 32' # packets larger than 32 bytes (quote the filter: > is a shell redirect)
Output
Switch | Description
----------- | ----------------------------------------------------------
-q | Quiet mode
-t | Don't print time stamps
-v | A little more verbose
-vv | More verbose output
-vvv | Much more verbose output
-x | Print data and headers in HEX format
-xx | Print data with link headers in HEX format
-X | Print data in HEX and ASCII format
-XX | Print data with link headers in HEX and ASCII format
-e | Print ethernet link headers
-S | Print absolute (not relative) TCP sequence numbers
Protocols
ether
fddi
icmp
ip
ip6
ppp
radio
rarp
slip
tcp
udp
wlan