Tcpdump is a command-line tool that dumps the traffic seen on a network interface. It comes in handy when you want to analyse network captures from the command line; basically, it can do most of Wireshark's job.


Installation Commands


CentOS and RHEL (yum)

sudo yum install tcpdump


Fedora, RHEL 8 and later (dnf)

sudo dnf install tcpdump


Ubuntu, Debian and Linux Mint

sudo apt-get install tcpdump


Packet Capturing Options

tcpdump -i any

Capture from all interfaces


tcpdump -i eth0

Capture from a specific interface (e.g. eth0)


tcpdump -i eth0 -c 10

Capture the first 10 packets and exit


tcpdump -D

Show available interfaces


tcpdump -i eth0 -A

Print each packet in ASCII (handy for cleartext protocols)


tcpdump -i eth0 -w tcpdump.pcap

Save the capture to a file (binary pcap format, not text)


tcpdump -r tcpdump.pcap

Read and analyse a saved capture file


tcpdump -n -i eth0

Do not resolve host names


tcpdump -nn -i eth0

Do not resolve host names or port names (no DNS lookups, no /etc/services lookups)


tcpdump -i eth0 -c 10 -w tcpdump.pcap tcp

Capture TCP packets only (here the first 10, written to a file)


tcpdump -i eth0 port 80

Capture traffic on a specific port only


tcpdump host <host>

Capture packets to or from a specific host


tcpdump net <network>/<prefix>

Capture packets to or from a network subnet


tcpdump src <host>

Capture packets from a specific source address


tcpdump dst <host>

Capture packets to a specific destination address


tcpdump port http

Filter traffic by service name (resolved through /etc/services)


tcpdump port 80

Filter traffic by port number


tcpdump portrange 21-125

Filter by port range


tcpdump -s 0 port http

Capture whole packets instead of truncating them at the default snapshot length


tcpdump ip6

Show only IPv6 packets


tcpdump -d 'port 80'

Dump the compiled packet-matching code (BPF) for a filter in human-readable form and exit


tcpdump -F <filter-file>

Read the filter expression from the given file instead of the command line


tcpdump -I -i wlan0

Put the interface into monitor mode (802.11 wireless interfaces only)


tcpdump -L -i eth0

List the data link types available for the interface


tcpdump -N -r tcpdump.pcap

Do not print the domain-name qualification of host names


tcpdump -K -r tcpdump.pcap

Do not verify IP, TCP or UDP checksums


tcpdump -p -i eth0

Do not put the interface into promiscuous mode

Logical Operators


tcpdump 'len < 32'

Show packets whose length is less than 32 bytes


tcpdump 'len >= 32'

Show packets whose length is greater than or equal to 32 bytes


and, &&

tcpdump -n 'src host <host> and dst port 21'

Combine filter conditions (both must match)


not, !

tcpdump 'dst host <host> and not icmp'

Negate a condition


or, ||

tcpdump 'dst host <host> or icmp'

Either condition can match


Display Options

-q      Quiet mode: print less protocol information, so output lines are shorter

-t      Do not print a timestamp on each line

-v      Verbose output

-vv     More verbose output

-vvv    Most verbose output

-x      Print packet data (minus the link-level header) in hex

-xx     Print packet data including the link-level header in hex

-X      Print packet data (minus the link-level header) in hex and ASCII

-XX     Print packet data including the link-level header in hex and ASCII

-e      Print link-level (Ethernet) headers

-S      Print absolute rather than relative TCP sequence numbers



Practical Examples

Track all UDP traffic initiated by a host (useful for spotting a host being used in a DNS amplification attack)

tcpdump -i any 'udp && src host <host>' -vvnnS


Track DNS traffic that comes to the host

tcpdump -i any '(udp && port 53 && dst host <host>)' -vvnnS


Track TCP SYN packets from the host: the host is trying to initiate TCP connections with an external source

tcpdump -i any '((tcp[tcpflags] == tcp-syn) && src host <host>)' -vvnnS
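
The SYN filter above selects the packets; as an added example (not part of this cheat sheet), the script below post-processes plain "tcpdump -nn" output with awk to count SYNs and distinct destination ports per source, so a host scanning many ports or flooding one service stands out. The function name syn_summary, the threshold argument and the sample lines are assumptions; the input format assumed is tcpdump without -v and without the direction tags that "-i any" adds on newer versions.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): summarise SYN packets per
# source from tcpdump text output, to spot one host opening connections to many
# ports (scan) or flooding one service. Assumes plain 'tcpdump -nn' lines
# (no -v, no '-i any' direction tags). Feed it real data with, for example:
#   tcpdump -nn -r capture.pcap 'tcp[tcpflags] == tcp-syn' | syn_summary 5
# The optional argument is the distinct-destination-port threshold (assumed, default 5).

syn_summary() {
    threshold="${1:-5}"
    awk -v thr="$threshold" '
        # Keep only pure SYN segments: tcpdump prints the flags field as "[S],"
        $2 == "IP" && $6 == "Flags" && $7 == "[S]," {
            src = $3; sub(/\.[0-9]+$/, "", src)   # strip the source port
            dst = $5; sub(/:$/, "", dst)          # strip the trailing colon
            n = split(dst, p, ".")                # last piece is the dst port
            port = p[n]
            syn[src]++
            if (!((src, port) in seen)) { seen[src, port] = 1; ports[src]++ }
        }
        END {
            for (s in syn) {
                flag = (ports[s] >= thr) ? "SUSPECT" : "ok"
                printf "%s %d %d %s\n", s, syn[s], ports[s], flag
            }
        }' | sort
}

# Constructed sample of tcpdump -nn output (not real captured traffic):
# 203.0.113.5 sends SYNs to six ports, 198.51.100.7 retries one port twice,
# and the SYN-ACK / ACK lines must be ignored.
SAMPLE='12:00:01.000001 IP 203.0.113.5.44321 > 192.0.2.10.22: Flags [S], seq 1, win 64240, length 0
12:00:01.000101 IP 203.0.113.5.44322 > 192.0.2.10.80: Flags [S], seq 1, win 64240, length 0
12:00:01.000201 IP 203.0.113.5.44323 > 192.0.2.10.443: Flags [S], seq 1, win 64240, length 0
12:00:01.000301 IP 203.0.113.5.44324 > 192.0.2.10.3306: Flags [S], seq 1, win 64240, length 0
12:00:01.000401 IP 203.0.113.5.44325 > 192.0.2.10.6379: Flags [S], seq 1, win 64240, length 0
12:00:01.000501 IP 203.0.113.5.44326 > 192.0.2.10.8080: Flags [S], seq 1, win 64240, length 0
12:00:02.000001 IP 198.51.100.7.51000 > 192.0.2.10.443: Flags [S], seq 7, win 65535, length 0
12:00:02.000002 IP 192.0.2.10.443 > 198.51.100.7.51000: Flags [S.], seq 9, ack 8, win 65160, length 0
12:00:02.000003 IP 198.51.100.7.51000 > 192.0.2.10.443: Flags [.], ack 10, win 65535, length 0
12:00:03.000001 IP 198.51.100.7.51001 > 192.0.2.10.443: Flags [S], seq 11, win 65535, length 0'

# Run the summary over the constructed sample (threshold 5)
run_sample() { printf '%s\n' "$SAMPLE" | syn_summary 5; }

run_sample
```

Each output line is "source syn_count distinct_dst_ports flag"; on the sample, 203.0.113.5 is flagged SUSPECT (6 SYNs to 6 ports) while 198.51.100.7 (2 SYNs, 1 port) is ok.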


Track TCP SYN-ACK packets to the host: external resources acknowledging the opening of a TCP connection (18 = 0x12 = SYN+ACK in the TCP flags byte, tcp[13])

tcpdump -i any '(tcp[13] = 18 and dst host <host>)' -vvnnS


Track traffic into Redis and write all packets into a pcap file (the pcap file can then be opened in Wireshark for analysis)

tcpdump -i any 'dst port 6379' -vvnnS -w redis.pcap


Track all outgoing UDP traffic except DNS

tcpdump -i any '(udp and not dst port 53 and src host <host>)' -vvnnS


Track all traffic with a particular host, writing it into a pcap file (the pcap file can then be opened in Wireshark for analysis)

tcpdump -i any 'host <host>' -vvnnS -w host-172-31-71-88.pcap


Track all traffic on the host except SSH, HTTPS, DNS, RabbitMQ and ARP traffic

tcpdump -i eth0 'not (port 22 or 443 or 53 or 5672) and not arp' -nnvvS


Find HTTP User Agents

tcpdump -vvAls0 | grep 'User-Agent:'


Cleartext GET Requests

tcpdump -vvAls0 | grep 'GET'


Find HTTP Host Headers

tcpdump -vvAls0 | grep 'Host:'


Find HTTP Cookies

tcpdump -vvAls0 | grep -E 'Set-Cookie|Host:|Cookie:'


Find SSH Connections

This one works regardless of what port the connection comes in on, because it matches the "SSH-" banner (0x5353482D in hex) at the start of the TCP payload: tcp[12]>>2 is the TCP header length in bytes, so the expression indexes the first four payload bytes.

tcpdump 'tcp[(tcp[12]>>2):4] = 0x5353482D'


Find DNS Traffic

tcpdump -vvAs0 port 53


Find FTP Traffic

tcpdump -vvAs0 'port ftp or ftp-data'


Find NTP Traffic

tcpdump -vvAs0 port 123