tcpdump is a powerful and widely-used command-line packet analyzer that allows users to capture and analyze network traffic in real-time. Originally developed for Unix in 1988, the software is now also available for Linux, macOS, and Windows. Here’s a detailed look at its functionality and features:
Functionality:
- Packet Capture: tcpdump captures packets from a network interface and displays their content in a readable format. It supports a variety of protocols, making it versatile for different network environments.
- Filtering: Users can apply filters using the Berkley Packet Filter (BPF) syntax to capture only the specific traffic they are interested in. This is especially useful for focusing on particular types of network activity without being overwhelmed by all the data.
- Analysis: The tool provides detailed information about each packet, such as source and destination IP addresses, ports, protocols, and payload data. This helps in diagnosing network issues, understanding traffic patterns, and detecting potential security threats.
Features:
- Real-time Monitoring: tcpdump displays packet data as it is captured, allowing for immediate analysis and troubleshooting.
- Scripting and Automation: Its command-line interface makes it suitable for integration into scripts and automated workflows, enhancing its utility in continuous monitoring and alerting systems.
- Cross-Platform Support: While primarily used on Unix-based systems, versions are available for Windows through the use of software like WinDump.
- Lightweight and Efficient: tcpdump is resource-efficient, making it suitable for use on servers and devices with limited processing power.
Although the command line format of tcpdump is difficult to use, those who take the time to become covenant with its usage find it is is an essential tool for network administrators. In recent years, the capabilities of the tool have also become useful for security professionals who need to monitor, diagnose, and secure their networks effectively.
All the tables provided in the PDF and JPG of the cheat sheet are also presented in tables below which are easy to copy and paste.
The tcpdump cheat sheet covers:
- Installation commands
- Packet capturing options
- Logical operators
- Display/Output options
- Protocols
- Common commands with protocols for filtering captures
See also: 10 Best Packet Analyzers
Download the tcpdump Cheat Sheet
Related post: What is tcpdump?
What’s included in the cheat sheet
The following categories and items have been included in the cheat sheet:
Installation commands
Installation Commands |
|
|---|---|
CENT OS and REDHAT | $ sudo yum install tcpdump |
Fedora | $ dnf install tcpdump |
Ubuntu, Debian and Linux Mint | #apt-get install tcpdump |
Packet capturing options
Packet Capturing Options |
||
|---|---|---|
Switch | Syntax | Description |
-i any | tcpdump -i any | Capture from all interfaces |
-i eth0 | tcpdump -i eth0 | Capture from specific interface ( Ex Eth0) |
-c | tcpdump -i eth0 -c 10 | Capture first 10 packets and exit |
-D | tcpdump -D | Show available interfaces |
-A | tcpdump -i eth0 -A | Print in ASCII |
-w | tcpdump -i eth0 -w tcpdump.txt | To save capture to a file |
-r | tcpdump -r tcpdump.txt | Read and analyze saved capture file |
-n | tcpdump -n -I eth0 | Do not resolve host names |
-nn | tcpdump -n -i eth0 | Stop Domain name translation and lookups (Host names or port names ) |
tcp | tcpdump -i eth0 -c 10 -w tcpdump.pcap tcp | Capture TCP packets only |
port | tcpdump -i eth0 port 80 | Capture traffic from a defined port only |
host | tcpdump host 192.168.1.100 | Capture packets from specific host |
net | tcpdump net 10.1.1.0/16 | Capture files from network subnet |
src | tcpdump src 10.1.1.100 | Capture from a specific source address |
dst | tcpdump dst 10.1.1.100 | Capture from a specific destination address |
<service> | tcpdump http | Filter traffic based on a port number for a service |
<port> | tcpdump port 80 | Filter traffic based on a service |
port range | tcpdump portrange 21-125 | Filter based on port range |
-S | tcpdump -S http | Display entire packet |
ipv6 | tcpdunp -IPV6 | Show only IPV6 packets |
-d | tcpdump -d tcpdump.pcap | display human readable form in standard output |
-F | tcpdump -F tcpdump.pcap | Use the given file as input for filter |
-I | tcpdump -I eth0 | set interface as monitor mode |
-L | tcpdump -L | Display data link types for the interface |
-N | tcpdump -N tcpdump.pcap | not printing domian names |
-K | tcpdump -K tcpdump.pcap | Do not verify checksum |
-p | tcpdump -p -i eth0 | Not capturing in promiscuous mode |
Logical operators
Logical Operators |
|||
|---|---|---|---|
Operator | Syntax | Example | Description |
AND | and, && | tcpdump -n src 192.168.1.1 and dst port 21 | Combine filtering options |
OR | or, || | tcpdump dst 10.1.1.1 || !icmp | Either of the condition can match |
EXCEPT | not, ! | tcpdump dst 10.1.1.1 and not icmp | Negation of the condition |
LESS | < | tcpdump <32 | Shows packets size less than 32 |
GREATER | > | tcpdump >=32 | Shows packets size greater than 32 |
Display/Output options
Display / Output Options |
|
|---|---|
Switch | Description |
-q | Quite and less verbose mode display less details |
-t | Do not print time stamp details in dump |
-v | Little verbose output |
-vv | More verbose output |
-vvv | Most verbose output |
-x | Print data and headers in HEX format |
-xx | Print data with link headers in HEX format |
-X | Print output in HEX and ASCII format excluding link headers |
-XX | Print output in HEX and ASCII format including link headers |
-e | Print Link (Ethernet) headers |
-S | Print sequence numbers in exact format |
Protocols
Protocols |
|||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Ether, fddi, icmp ,ip, ip6 , ppp, radio, rarp, slip, tcp , udp, wlan |
Common commands with protocols for filtering captures
Common Commands with Protocols for Filtering Captures |
|
|---|---|
src/ dsthost (host name or IP) | Filter by source or destination IP address or host |
ether src/ dst host (ethernet host name or IP) | Ethernet host filtering by source or destination |
src/ dstnet (subnet mask in CIDR) | Filter by subnet |
tcp/udp src/dst port ( port number) | Filter TCP or UDP packets by source or destination port |
tcp/udp src/dst port range ( port number range) | Filter TCP or UDP packets by source or destination port range |
ether/ip broadcast | Filter for Ethernet or IP broadcasts |
ether/ip multicast | Filter for Ethernet or IP multicasts |
tcpdump FAQs
How do you filter MAC addresses using tcpdump?
Use the host option on the tcpdump command to limit output to a specific MAC address: tcpdump ether host aa:bb:cc:11:22:33
How do I use tcpdump on a specific port?
Use the port option on the tcpdump command to specify a port: tcpdump ether port 80
How do you read tcpdump output?
There is a read option on tcpdump, which is represented by the switch -r as in: tcpdump -r file_path_and_name
