
tcpdump Cheatsheet

By Dejan Panovski

Quick reference for capturing and filtering network packets with tcpdump in Linux

The `tcpdump` command captures and filters network packets from the command line. This cheatsheet covers interfaces, capture filters, protocol and host matching, writing to pcap files, and practical troubleshooting patterns.

Basic Syntax

Core tcpdump command forms.

| Command | Description |
| --- | --- |
| `sudo tcpdump` | Start capturing on the default interface |
| `sudo tcpdump -i eth0` | Capture on a specific interface |
| `sudo tcpdump -i any` | Capture on all interfaces |
| `sudo tcpdump -D` | List available interfaces |
| `sudo tcpdump -h` | Show help and usage |

Limit and Format Output

Control how much data is shown and how packets are displayed.

| Command | Description |
| --- | --- |
| `sudo tcpdump -c 10` | Stop after 10 packets |
| `sudo tcpdump -n` | Do not resolve hostnames |
| `sudo tcpdump -nn` | Do not resolve hostnames or service names |
| `sudo tcpdump -v` | Verbose output |
| `sudo tcpdump -X` | Show packet contents in hex and ASCII |

Protocol Filters

Capture only the protocol traffic you care about.

| Command | Description |
| --- | --- |
| `sudo tcpdump tcp` | Capture TCP packets only |
| `sudo tcpdump udp` | Capture UDP packets only |
| `sudo tcpdump icmp` | Capture ICMP packets only |
| `sudo tcpdump arp` | Capture ARP traffic |
| `sudo tcpdump port 53` | Capture DNS traffic on port 53 |

Host and Port Filters

Match packets by source, destination, host, or port.

| Command | Description |
| --- | --- |
| `sudo tcpdump host 192.168.1.10` | Capture traffic to or from one host |
| `sudo tcpdump src host 192.168.1.10` | Capture packets from one source host |
| `sudo tcpdump dst host 192.168.1.10` | Capture packets to one destination host |
| `sudo tcpdump port 22` | Capture SSH traffic |
| `sudo tcpdump src port 443` | Capture packets from source port 443 |

Combine Filters

Use boolean operators to build precise capture expressions.

| Command | Description |
| --- | --- |
| `sudo tcpdump 'tcp and port 80'` | Capture HTTP traffic over TCP |
| `sudo tcpdump 'host 10.0.0.5 and port 22'` | Capture SSH traffic for one host |
| `sudo tcpdump 'src 10.0.0.5 and dst port 443'` | Match one source and HTTPS destination |
| `sudo tcpdump 'port 80 or port 443'` | Capture HTTP or HTTPS traffic |
| `sudo tcpdump 'net 192.168.1.0/24 and not port 22'` | Capture a subnet except SSH |

Write and Read Capture Files

Save traffic to a file or inspect an existing pcap capture.

| Command | Description |
| --- | --- |
| `sudo tcpdump -w capture.pcap` | Write packets to a pcap file |
| `sudo tcpdump -r capture.pcap` | Read packets from a pcap file |
| `sudo tcpdump -i eth0 -w web.pcap port 80` | Save filtered traffic to a file |
| `sudo tcpdump -nn -r capture.pcap` | Read a file without name resolution |
| `sudo tcpdump -r capture.pcap 'host 10.0.0.5'` | Apply a filter while reading a pcap |

Common Use Cases

Practical commands for day-to-day packet inspection.

| Command | Description |
| --- | --- |
| `sudo tcpdump -i any port 22` | Watch SSH connections |
| `sudo tcpdump -i any port 53` | Inspect DNS queries and replies |
| `sudo tcpdump -i eth0 host 8.8.8.8` | Trace traffic to one external host |
| `sudo tcpdump -i any 'tcp port 80 or tcp port 443'` | Watch web traffic |
| `sudo tcpdump -i any icmp` | Check ping and ICMP traffic |

Troubleshooting

Quick checks for common tcpdump issues.

| Issue | Check |
| --- | --- |
| You do not have permission to capture on that device | Run with `sudo` or verify packet-capture capabilities |
| No packets appear | Confirm the correct interface with `tcpdump -D` and use `-i any` if needed |
| Hostnames make output slow | Add `-n` or `-nn` to disable name resolution |
| Output is too noisy | Add `-c`, protocol filters, or host/port filters to narrow the capture |
| Need to inspect later | Write to a file with `-w capture.pcap` and review it with `tcpdump -r` or Wireshark |

Use these guides for broader networking and packet-capture workflows.

| Guide | Description |
| --- | --- |
| tcpdump Command in Linux | Full tcpdump guide with detailed examples |
| ss Command in Linux | Inspect sockets and listening services |
| ping cheatsheet | Test reachability and latency |
| IP command cheatsheet | Check interfaces, addresses, and routes |
| How to Check Open Ports in Linux | Review listening ports before capturing traffic |