tcpdump Cheatsheet
BPF filter syntax, the flags worth memorizing, and a starter recipe book for live and offline packet analysis.
Starter recipes
- List capture interfaces: `tcpdump -D`
- Watch all DNS traffic: `tcpdump -i any -nn -s 0 'udp port 53 or tcp port 53'`
- Capture HTTPS handshake from one client: `tcpdump -i eth0 -nn 'host 10.0.0.42 and tcp port 443' -w https.pcap`
- SYNs only — see who's knocking: `tcpdump -i any -nn 'tcp[tcpflags] == tcp-syn'`
- Rotate captures every 60s, keep 10 files: `tcpdump -i eth0 -nn -G 60 -W 10 -w 'cap-%H%M%S.pcap'`
Filter expressions (BPF)
| Expression | Matches |
|---|---|
| host 10.0.0.5 | Any traffic to or from 10.0.0.5. |
| src host 10.0.0.5 | Only packets sourced from that IP. |
| dst host 10.0.0.5 | Only packets destined to that IP. |
| net 10.0.0.0/24 | Any host in the subnet. |
| port 443 | TCP or UDP traffic on port 443. |
| tcp port 22 | Only SSH (TCP/22). |
| portrange 8000-8100 | Range of ports. |
| icmp | Only ICMP (ping, unreachables). |
| arp | Only ARP frames. |
| vlan 100 | Tagged VLAN 100. Use 'vlan' alone for any tag. |
| ether host aa:bb:cc:dd:ee:ff | MAC-level filter. |
| tcp[tcpflags] & tcp-syn != 0 | Any packet with SYN bit set. |
| tcp[tcpflags] == tcp-syn | SYN only (no ACK) — connection attempts. |
| tcp[tcpflags] & (tcp-rst|tcp-fin) != 0 | Connection teardown / reset. |
| host A and host B | Conversation between two hosts. |
| host A and not port 22 | Boolean: AND, OR, NOT supported. |
| '(port 80 or port 443) and host A' | Quote complex filters in shells. |
| greater 1500 | Packets larger than 1500 bytes (jumbo / MTU debug). |
Flags
| Flag | Purpose |
|---|---|
| -i <iface> | Capture on interface (eth0, any, en0...). |
| -n | No DNS resolution. Always use this — DNS makes captures slow. |
| -nn | Also skip port→service lookup. |
| -c <count> | Stop after N packets. |
| -w file.pcap | Write raw capture to a pcap file (open in Wireshark). |
| -r file.pcap | Read from a pcap file instead of live capture. |
| -s 0 | Capture full packets (default snaplen on old versions was small). |
| -v / -vv / -vvv | Verbosity. -vv shows TTL, IP id, options. |
| -X | Print payload in hex + ASCII. Use -A for ASCII only. |
| -e | Include link-level (Ethernet/MAC) headers. |
| -tttt | Human-readable absolute timestamps. |
| -Z root | Stay as root after dropping privs (some distros). |
| -G <sec> -W <n> | Rotate the output file every <sec> seconds and keep at most <n> files (give -w a strftime pattern so each file gets its own name). |
FAQ
- Why does my tcpdump show nothing?
- Three usual culprits: wrong interface (try `-i any`), capture is filtered out by your expression, or the traffic is on a different VLAN/bridge. Run `tcpdump -D` to list interfaces.
- How do I capture both directions of a conversation?
- Use 'host A and host B' or 'src A and dst B or src B and dst A'. The simpler 'host' form catches both directions automatically.
- How do I capture for Wireshark to analyze later?
- `tcpdump -i eth0 -nn -s 0 -w capture.pcap 'tcp port 443'`. Open capture.pcap in Wireshark on your laptop. Always set -s 0 so payloads aren't truncated.
- Can tcpdump decrypt TLS?
- No. You need the session keys. Capture with tcpdump, then in Wireshark load the SSLKEYLOGFILE produced by your client (browsers and curl can write one).