tcpdump cheatsheet

Basic usage

Example

tcpdump -i eth0 -nn -s0 -v port 80

Options:

  • -i - select network interface
  • -nn - do not resolve host and port names
  • -s0 - set unlimited packet size
  • -v - verbose output
  • port 80 - capture traffic on port 80

Save to file

tcpdump -i eth0 -s0 -w test.pcap

Filters

Capture TCP traffic

tcpdump -i eth0 tcp

Capture UDP

tcpdump -i eth0 udp

SYN only

tcpdump -n -i eth1 "tcp[tcpflags] & tcp-syn != 0"

SYN or SYN ACK

tcpdump -n -i eth1 "tcp[tcpflags] & (tcp-syn|tcp-ack) != 0"

Host

tcpdump -i eth1 -nn -XX host 10.0.0.1

Source/destination

tcpdump -i eth0 src 10.10.1.20
tcpdump -i eth0 dst 10.10.1.20

Port

tcpdump -i eth0 port 3389

Displaying

Display packets in hex

tcpdump -i eth1 -nn -X

Display ASCII text

tcpdump -A -s0 port 80

Examples

Capture ICMP packets

tcpdump -n icmp

Capture SNMP

tcpdump -n -s0 port 161 and udp

FTP

tcpdump -nn -v port ftp or ftp-data

DNS

tcpdump -i eth1 -s0 port 53

Capture HTTP GET packets

tcpdump -s 0 -A -vv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420'

Capture HTTP POST packets

tcpdump -s 0 -A -vv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354'
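The flag filters above ("SYN only", "SYN or SYN ACK") and the two HTTP filters all use tcpdump's byte-offset syntax: `tcp[13]` (alias `tcp[tcpflags]`) is the flags byte, and `(tcp[12] & 0xf0) >> 2` turns the 4-bit data-offset field into the header length in bytes, so `tcp[<that>:4]` reads the first four payload bytes (`0x47455420` is "GET ", `0x504f5354` is "POST"). The following Python is an added example, not part of the cheatsheet, that evaluates those same expressions against constructed TCP segments (TCP header plus payload, no IP header) so you can see exactly what each filter accepts and rejects. The segment builder, the hypothetical `matches_*` helpers and the sample segments are all assumptions made here for illustration.

```python
import struct

# TCP flag bits, same values tcpdump uses for tcp-fin, tcp-syn, ... in filter expressions
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10

# Offsets within the TCP header; tcpdump's tcp[tcpflags] is an alias for tcp[13]
TCP_DATA_OFFSET_BYTE = 12
TCP_FLAGS_BYTE = 13

HTTP_GET = 0x47455420   # b"GET "
HTTP_POST = 0x504f5354  # b"POST"


def build_tcp_segment(sport, dport, flags, payload=b"", data_offset_words=5):
    """Constructed TCP segment (no IP header): 20-byte base header, optional NOP
    option padding so the data offset can be varied, then the payload."""
    header = struct.pack(
        "!HHIIBBHHH",
        sport, dport,
        0,                        # sequence number (constructed)
        0,                        # acknowledgement number (constructed)
        data_offset_words << 4,   # data offset in 32-bit words, upper nibble
        flags,
        65535,                    # window
        0,                        # checksum (not computed in this example)
        0,                        # urgent pointer
    )
    options = b"\x01" * ((data_offset_words - 5) * 4)  # NOP padding stands in for options
    return header + options + payload


def tcp_field(seg, offset, size=1):
    """Mirror of tcpdump's tcp[offset:size]: unsigned big-endian read, or None when the
    read would run past the end of the segment (BPF rejects the packet in that case)."""
    if offset + size > len(seg):
        return None
    return int.from_bytes(seg[offset:offset + size], "big")


def matches_syn_bit(seg):
    """tcp[tcpflags] & tcp-syn != 0  (the cheatsheet's 'SYN only' filter)."""
    return tcp_field(seg, TCP_FLAGS_BYTE) & TCP_SYN != 0


def matches_syn_or_ack(seg):
    """tcp[tcpflags] & (tcp-syn|tcp-ack) != 0  (the cheatsheet's 'SYN or SYN ACK' filter)."""
    return tcp_field(seg, TCP_FLAGS_BYTE) & (TCP_SYN | TCP_ACK) != 0


def matches_pure_syn(seg):
    """tcp[tcpflags] == tcp-syn: SYN set and every other flag clear."""
    return tcp_field(seg, TCP_FLAGS_BYTE) == TCP_SYN


def matches_http_method(seg, method_word):
    """tcp[((tcp[12:1] & 0xf0) >> 2):4] = <method_word>."""
    header_len = (tcp_field(seg, TCP_DATA_OFFSET_BYTE) & 0xF0) >> 2  # words*4 = bytes
    first_four = tcp_field(seg, header_len, 4)
    return first_four is not None and first_four == method_word


if __name__ == "__main__":
    # Constructed sample segments
    samples = {
        "SYN": build_tcp_segment(40000, 80, TCP_SYN),
        "SYN/ACK": build_tcp_segment(80, 40000, TCP_SYN | TCP_ACK),
        "ACK": build_tcp_segment(80, 40000, TCP_ACK),
        "GET request": build_tcp_segment(40000, 80, TCP_PSH | TCP_ACK, b"GET / HTTP/1.1\r\n"),
        "POST with options": build_tcp_segment(40000, 80, TCP_PSH | TCP_ACK,
                                               b"POST /login HTTP/1.1\r\n", data_offset_words=8),
    }
    for name, seg in samples.items():
        print(f"{name:18s} syn-bit={matches_syn_bit(seg)!s:5} syn|ack={matches_syn_or_ack(seg)!s:5} "
              f"pure-syn={matches_pure_syn(seg)!s:5} GET={matches_http_method(seg, HTTP_GET)!s:5} "
              f"POST={matches_http_method(seg, HTTP_POST)}")
```

Two things the table of results makes visible: the "SYN only" expression `tcp[tcpflags] & tcp-syn != 0` also accepts SYN/ACK segments, because it tests a bit rather than the whole byte (use `tcp[tcpflags] == tcp-syn` when you want initial SYNs alone), and the HTTP filters only see the segment that carries the request line, so they count requests rather than bytes and will miss a method that is split across segments or that arrives inside a segment shorter than four payload bytes.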