tcpdump

Commands

Print Version

tcpdump --version

Prints a list of usable network interfaces to capture from:

tcpdump -D

Utilizes the interface specified to capture on:

tcpdump -i InterfaceName

Do Not Resolve Hostnames:

tcpdump -n

Do Not Resolve Hostnames or Ports:

tcpdump -nn

Capture Ethernet Headers and Data:

tcpdump -e

Show Packet Contents in Hex and ASCII:

tcpdump -X

Show Ethernet Header + Packet Contents in Hex and ASCII

tcpdump -XX

Increase Verbosity:

tcpdump -v
tcpdump -vv
tcpdump -vvv

Show Absolute Sequence Numbers in TCP:

tcpdump -S

Reduce Protocol Information in the Output:

tcpdump -q

Runs a capture on the specified interface and writes the output to a file:

tcpdump -i InterfaceName -w file.pcap

Read the output from a specified file:

tcpdump -r file.pcap

Write Packets to a File

tcpdump -w capture_file.pcap

Filters

Combine Filters Using AND (&&)

tcpdump src host 192.168.1.1 && port 80

Combine Filters Using OR (or)

tcpdump src host 192.168.1.1 or dst host 192.168.1.2

Exclude Specific Traffic Using NOT (not)

tcpdump not udp

Capture a Specific Number of Packets:

tcpdump -c 10

Limit the Amount of Data to Capture from Each Packet:

tcpdump -s 64

Filter by Packet Size:

tcpdump greater 1000
tcpdump less 500

Filter by Source or Destination Host:

tcpdump src host 192.168.1.1
tcpdump dst host 192.168.1.1

Filter by Network

tcpdump net 192.168.1.0/24

Only capture traffic originating from or destined to the IP address or hostname specified:

tcpdump -i (int) host (ip)

Will filter the capture for anything sourcing from or destined to port:

tcpdump -i (int) port (#)

Filter by Port Range

tcpdump portrange 1000-2000

Will utilize a protocols common name to filter the traffic captured:

tcpdump -i (int) proto ICMP

Will filter the capture for any protocol traffic matching their code:

tcpdump -i (int) proto 6

Protocol Number List

Last updated 5 months ago