search
githubEdit

tcpdump cheat sheet for netadmins/sysadmins

A quick-reference guide for packet capture, filtering, and network analysis using TCPDump—essential for netadmins and sysadmins troubleshooting connectivity, monitoring traffic, and diagnosing security issues.

This cheat sheet covers:

Basic & advanced packet captureFiltering by host, port, protocol, and moreOutput customization & performance tuningReal-world use cases (HTTP, DNS, SSH, etc.)

hashtag
TCPDump Cheat Sheet for NetAdmins & SysAdmins

Packet Capture, Filtering, and Analysis

hashtag
1. Basic Capture

hashtag
Capture on Any Interface

sh

tcpdump -i any

  • -i any: Listen on all interfaces.

hashtag
Capture on Specific Interface

sh

tcpdump -i eth0

  • -i eth0: Listen on eth0.

hashtag
Save Capture to File

sh

  • -w: Write raw packets to file (.pcap format).

hashtag
Read from a PCAP File

sh

  • -r: Read from a saved capture file.

hashtag
Limit Number of Packets

sh

  • -c 100: Capture only 100 packets.

hashtag
2. Filtering Traffic

hashtag
Filter by Host (IP)

sh

  • Capture traffic to/from 192.168.1.100.

hashtag
Filter by Source/Destination IP

sh

  • src: Only source IP.

  • dst: Only destination IP.

hashtag
Filter by Port

sh

  • port: Single port.

  • portrange: Range of ports.

hashtag
Filter by Protocol

sh

  • Capture only specific protocols.

hashtag
Filter by Network (CIDR)

sh

  • Capture traffic within a subnet.

hashtag
Combine Filters (AND/OR)

sh

  • Use and, or, not for complex filters.

hashtag
3. Advanced Filtering (BPF Syntax)

hashtag
Filter by TCP Flags

sh

  • tcp-syn: SYN packets.

  • tcp-ack: ACK packets.

  • tcp-rst: RST packets.

hashtag
Filter by Packet Size

sh

  • greater: Packets larger than X bytes.

  • less: Packets smaller than X bytes.

hashtag
Filter by MAC Address

sh

  • Capture traffic to/from a MAC address.

hashtag
Filter VLAN Traffic

sh

  • Capture traffic on VLAN 100.

hashtag
4. Output & Verbosity

hashtag
Show IPs Instead of Hostnames

sh

  • -n: Disable DNS resolution (faster).

hashtag
Verbose Output

sh

  • -v: More details (checksum, TTL, etc.).

hashtag
Print Packet Contents (Hex & ASCII)

sh

  • -XX: Full packet hex dump.

hashtag
Show Absolute Sequence Numbers

sh

  • -S: Displays raw TCP sequence numbers.

hashtag
Timestamps

sh

  • -tttt: Human-readable timestamps.

hashtag
5. Advanced Capture & Analysis

hashtag
Capture Only HTTP Traffic

sh

  • -A: Print ASCII (useful for HTTP headers).

hashtag
Capture FTP Passwords (Cleartext)

sh

  • FTP sends credentials in plaintext.

hashtag
Capture DNS Queries

sh

  • Monitor DNS requests/responses.

hashtag
Capture ICMP (Ping/Traceroute)

sh

  • Useful for troubleshooting connectivity.

hashtag
Capture Only SYN Packets (New Connections)

sh

  • Filters TCP SYN packets (new connections).

hashtag
6. Performance & Storage Optimization

hashtag
Limit Packet Size

sh

  • -s 96: Capture only first 96 bytes (reduces size).

hashtag
Rotate Capture Files

sh

  • -G 3600: Rotate file every hour.

hashtag
Stop After X MB

sh

  • -C 100: Split files every 100MB.

hashtag
Run in Background

sh

  • &: Run in background (use jobs to check).

hashtag
7. Common Use Cases

Task

Command

Capture HTTP traffic

tcpdump -i eth0 port 80 -A

Capture SSH traffic

tcpdump -i eth0 port 22

Find suspicious IPs

tcpdump -n "src net 192.168.1.0/24"

Monitor VoIP (SIP/RTP)

tcpdump -i eth0 port 5060 or portrange 10000-20000

Detect ARP Spoofing

tcpdump -i eth0 arp

hashtag
8. Quick Reference Table

Option

Description

-i eth0

Listen on eth0

-w file.pcap

Save to file

-r file.pcap

Read from file

-c 100

Capture 100 packets

-n

Disable DNS lookup

-v

Verbose output

-XX

Hex + ASCII dump

src/dst

Filter by source/dest

port 80

Filter by port

icmp/tcp/udp

Filter by protocol

Pro Tips: ✔ Use -n for faster captures (avoids DNS lookups). ✔ Combine with grep for deeper analysis:

sh

✔ Always verify permissions before capturing (sudo often required).

For More:

hashtag
tcpdump’s offensive use cases with command examples

1. Sniffing Plaintext Credentials

Purpose: Capture unencrypted usernames, passwords, or session tokens.

Commands & Techniques

  • HTTP Basic Auth:

    sh

    • Filters HTTP traffic for AUTH strings (Base64 credentials).

  • FTP/Telnet Credentials:

    sh

    • Captures FTP/Telnet login attempts in plaintext.

2. Reconnaissance (Network Mapping)

Purpose: Identify live hosts, open ports, and services.

Commands & Techniques

  • Detect ARP Requests (Local Network):

    sh

    • Lists devices on the same subnet.

  • Capture ICMP (Ping Sweeps):

    sh

    • Reveals hosts responding to ping probes.

3. Man-in-the-Middle (MitM) Attacks

Purpose: Intercept/modify traffic between two parties.

Commands & Techniques

  • ARP Spoofing Traffic Capture:

    sh

    • Captures all traffic to/from a victim IP (after ARP poisoning).

  • Session Hijacking (Cookies):

    sh

    • Filters HTTP traffic for COOK (cookie headers).

4. Exploit Development Support

Purpose: Analyze protocols/apps for vulnerabilities.

Commands & Techniques

  • Capture Vulnerable Protocols:

    sh

    • Captures SNMP (UDP/161) traffic for protocol analysis.

  • Detect Buffer Overflow Patterns:

    sh

    • Inspects large payloads sent to a custom service (e.g., for crash analysis).

5. Data Exfiltration Monitoring

Purpose: Identify data being smuggled out of a network.

Commands & Techniques

  • DNS Tunneling Detection:

    sh

    • Flags long DNS queries (possible tunneling).

  • HTTP File Uploads:

    sh

    • Captures HTTP POST requests (file uploads).

Key Takeaways

  • Offensive Power: tcpdump can be weaponized for stealthy attacks.

  • Critical Mitigation:

    • Encrypt all traffic (SSH/TLS/IPSec).

    • Use VLANs/port security to limit sniffing.

    • Monitor for unauthorized tcpdump processes.

PreviousOpenVAS cheat sheet for netadmins/sysadminsNexttcpdump: Defensive or offensive?

Last updated