
This document is a WORK IN PROGRESS.
This is just a quick personal cheat sheet: treat its contents with caution!


tcpdump

tcpdump is a command-line network monitoring and packet capture tool. It sniffs packets on an interface and "dumps" their decoded headers and data to the terminal or to a capture file.

Install

# emerge --ask net-analyzer/tcpdump
# pacman -S tcpdump
# apt install tcpdump
# yum install tcpdump
# dnf install tcpdump

Config

On Gentoo, for normal users to run tcpdump the package should be built with the suid USE flag enabled and the user(s) added to the tcpdump group:

# USE="suid" emerge -a --changed-use tcpdump
# usermod -a -G tcpdump <username>

On other distributions, for normal users to run tcpdump the user(s) should be added to the tcpdump group:

# usermod -a -G tcpdump <username>


Use

  • List available interfaces:

    $ tcpdump --list-interfaces
    $ tcpdump -D
    

  • Listen to a specific interface:

    $ tcpdump -i <interface_name>
    

  • Write output to a file:

    $ tcpdump -w /tmp/output
    

  • Read input from file:

    $ tcpdump -r /tmp/input
    

  • Capture only the next 42 packets, then exit:

    $ tcpdump -c 42
    

  • Print packets in ASCII format:

    $ tcpdump -A
    

  • Print each packet's headers AND data, including the link-level header, in hex and ASCII:

    $ tcpdump -XX
    

  • Print IP addresses instead of resolving them to names:

    $ tcpdump -n
    

  • Capture only TCP packets:

    $ tcpdump tcp
    

  • Capture only UDP packets:

    $ tcpdump udp
    

  • Capture only from source IP (e.g. 50.116.66.139):

    $ tcpdump src 50.116.66.139
    

  • Capture only packets to destination IP (e.g. 50.116.66.139):

    $ tcpdump dst 50.116.66.139
    

  • Capture packets to or from a specific port (e.g. 22):

    $ tcpdump port 22
    

  • Capture packets to or from a specific port range (e.g. 5064-5065):

    $ tcpdump portrange 5064-5065
    

  • Capture packets to or from a specific host AND port (e.g. 10.0.0.0 and 22):

    $ tcpdump host 10.0.0.0 and port 22
    

  • Print a packet number at the beginning of each output line:

    $ tcpdump --number
    

  • Print less protocol information so output lines are shorter:

    $ tcpdump -q
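
As an added example (not part of the original cheat sheet), the Python script below reads the classic pcap format that `tcpdump -w` produces and applies the same filter primitives used in the bullets above (`tcp`, `udp`, `src`, `dst`, `host`, `port`, `portrange`) to the decoded packets, so it is visible which header field each primitive actually tests and why `port 22` or `host A` match in both directions. The sample capture is constructed inline by `build_pcap` rather than read from a real file; every function name here is this example's own, and only Ethernet/IPv4 frames in the microsecond-resolution classic pcap layout (not pcapng) are handled.

```python
"""Added example: parse a classic pcap file (what `tcpdump -w` produces) and
apply tcpdump-style filter primitives to the decoded packets."""
import socket
import struct
from dataclasses import dataclass
from typing import Optional

LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = b"\x08\x00"
# magic as read little-endian -> byte order of the header and record fields
PCAP_MAGICS = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}


@dataclass
class Packet:
    ts_sec: int
    proto: str            # "tcp", "udp" or "other"
    src: str              # IPv4 source, "" for non-IPv4 frames
    dst: str              # IPv4 destination, "" for non-IPv4 frames
    sport: Optional[int]  # None when there is no TCP/UDP header to read
    dport: Optional[int]


def parse_frame(ts_sec: int, frame: bytes) -> Packet:
    """Decode Ethernet -> IPv4 -> TCP/UDP just far enough to evaluate the filters."""
    if len(frame) < 34 or frame[12:14] != ETHERTYPE_IPV4:
        return Packet(ts_sec, "other", "", "", None, None)
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                        # IPv4 header length in bytes
    proto = {6: "tcp", 17: "udp"}.get(ip[9], "other")
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    if proto == "other" or len(ip) < ihl + 4:       # ICMP etc., or snaplen cut the ports off
        return Packet(ts_sec, proto, src, dst, None, None)
    sport, dport = struct.unpack_from("!HH", ip, ihl)  # TCP and UDP both start with the two ports
    return Packet(ts_sec, proto, src, dst, sport, dport)


def read_pcap(data: bytes) -> list:
    """Walk the 24-byte global header and the 16-byte per-record headers of a classic pcap."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic not in PCAP_MAGICS:
        raise ValueError("not a classic microsecond pcap (pcapng / ns files not handled)")
    e = PCAP_MAGICS[magic]
    _major, _minor, _tz, _sig, _snaplen, linktype = struct.unpack_from(e + "HHiIII", data, 4)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from(e + "IIII", data, off)
        off += 16
        packets.append(parse_frame(ts_sec, data[off:off + incl_len]))
        off += incl_len
    return packets


def match(p: Packet, proto=None, host=None, src=None, dst=None, port=None, portrange=None) -> bool:
    """Each keyword mirrors a tcpdump primitive; several keywords are ANDed like `host X and port Y`."""
    if proto and p.proto != proto:                  # `tcp` / `udp`: IPv4 protocol field
        return False
    if host and host not in (p.src, p.dst):         # `host A`: either endpoint
        return False
    if src and p.src != src:                        # `src A`: source address only
        return False
    if dst and p.dst != dst:                        # `dst A`: destination address only
        return False
    if port and port not in (p.sport, p.dport):     # `port N`: either direction
        return False
    if portrange:                                   # `portrange LO-HI`: either port inside the range
        lo, hi = portrange
        if not any(x is not None and lo <= x <= hi for x in (p.sport, p.dport)):
            return False
    return True


def filter_packets(data: bytes, **criteria) -> list:
    return [p for p in read_pcap(data) if match(p, **criteria)]


# --- constructed sample input (not a real capture) ---------------------------
def _frame(proto_num: int, src: str, dst: str, sport: int, dport: int) -> bytes:
    """Ethernet/IPv4 frame with a zero-padded 20-byte layer-4 header; only the ports matter here."""
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * 16
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto_num, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + ETHERTYPE_IPV4 + ip + l4


def build_pcap(frames, ts_start: int = 1_700_000_000) -> bytes:
    """Serialize frames in the little-endian classic pcap layout that `tcpdump -w` writes."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    recs = [struct.pack("<IIII", ts_start + i, 0, len(f), len(f)) + f for i, f in enumerate(frames)]
    return hdr + b"".join(recs)


SAMPLE_PCAP = build_pcap([
    _frame(6, "10.0.0.0", "50.116.66.139", 40000, 22),   # TCP to port 22
    _frame(6, "50.116.66.139", "10.0.0.0", 22, 40000),   # TCP reply from port 22
    _frame(17, "10.0.0.0", "192.0.2.1", 5064, 5065),     # UDP inside portrange 5064-5065
    _frame(1, "192.0.2.1", "10.0.0.0", 0, 0),            # ICMP: decoded as "other", no ports
])

if __name__ == "__main__":
    # Equivalent of `tcpdump -n -r file host 10.0.0.0 and port 22`
    for p in filter_packets(SAMPLE_PCAP, host="10.0.0.0", port=22):
        print(f"{p.ts_sec} {p.proto} {p.src}.{p.sport} > {p.dst}.{p.dport}")
```

Run it with `python3 pcap_filter.py`; to try it on a real capture, replace `SAMPLE_PCAP` with `open("/tmp/output", "rb").read()` after recording with `tcpdump -w /tmp/output`. Note that `match` only emulates the subset of primitives listed on this page; a real BPF filter compiled by tcpdump also handles `and`/`or`/`not` grouping, IPv6 and many more keywords.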
    


If this cheat sheet has been useful to you, then please consider leaving a star here.