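# Quick tcpdump reference. Each live capture runs until interrupted (Ctrl-C)
# and normally needs root or equivalent capture privileges.

# capture on one interface / all traffic to or from one host
# (with no -i, tcpdump picks a default interface)
tcpdump -i eth0
tcpdump host 192.0.2.1

# -nn: disable name resolution for ip/ports
# (also stops tcpdump issuing reverse-DNS lookups for the addresses it prints)
tcpdump -nn -i any 'host 192.0.2.1 and port 80'

# -A: show ASCII in packets
# -l: line-buffer stdout; without it the pipe is block-buffered and grep
#     shows matches late or only when the capture stops
# NOTE: -A prints payloads verbatim. Plaintext HTTP can carry credentials and
# session cookies, so treat this output as sensitive.
tcpdump -l -A -i any 'host 192.0.2.1 and port 80' | grep 'User-Agent'

# compound
# Options go before the filter: a getopt that stops at the first non-option
# (BSD/macOS) would read a trailing "-i any" as part of the filter expression.
# The quotes keep the shell from interpreting the parentheses.
tcpdump -i any 'host (8.8.8.8 or 9.9.9.9) and port 80'

# protocol combined with a host
tcpdump -i eth0 'icmp and host 192.0.2.1'

# write
# dump.pcap stores raw packets, payloads included: keep it out of shared
# directories, restrict its permissions, and delete it when the analysis is
# done. Add a filter and/or -c <count> to bound what ends up in the file.
tcpdump -w dump.pcap

# read
# Reading needs no capture privileges; open captures obtained from elsewhere
# as an unprivileged user.
tcpdump -r dump.pcap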
 
# port matching
#   portrange 22-23
#   not port 22
#   port ssh
#   dst port 22
#   src port 22
 
# host matching
#   dst host 192.0.2.1
#   not dst host 192.0.2.1
#   src net 192.0.2.0 mask 255.255.255.0
#   src net 192.0.2.0/24