CyberCheatsheets

tcpdump Cheat Sheet

Command-line packet capture and filtering for authorized network analysis and troubleshooting.

Network & Protocol · capture · pcap · sniffing · Updated 2026-06-02

Overview

tcpdump captures live traffic to a PCAP file or to stdout, selecting packets with Berkeley Packet Filter (BPF) expressions. Use it on authorized networks to analyze credential-bearing protocols, troubleshoot, and collect evidence.

Authorized testing only. Use only on systems, networks, and accounts you own or have explicit written permission to test. Unauthorized access is illegal.

Install

sudo apt install -y tcpdump

Essential commands

List interfaces

sudo tcpdump -D

Capture on interface, write pcap

sudo tcpdump -i eth0 -w capture.pcap

Capture HTTP (cleartext) on port 80

sudo tcpdump -i eth0 -A 'tcp port 80'

Quick one-liners

List available capture interfaces

sudo tcpdump -D

Save all traffic on an interface to PCAP

sudo tcpdump -i eth0 -w capture.pcap

Capture HTTPS to one host only

sudo tcpdump -i eth0 -w https_target.pcap 'host target.example and port 443'

Watch SMB traffic live

sudo tcpdump -i eth0 -n 'tcp port 445'

Filter and read an existing PCAP

tcpdump -r capture.pcap -n 'host 10.10.10.5'

Common workflows

Capture during pentest phase —

sudo tcpdump -i eth0 -w https_target.pcap 'host target.example and port 443'
sudo tcpdump -i any -w internal_subnet.pcap 'net 10.10.10.0/24'

Filter by protocol and port —

sudo tcpdump -i eth0 -n 'tcp port 445 or port 139'
sudo tcpdump -i eth0 -n 'udp port 53'
sudo tcpdump -i eth0 -n 'icmp'

SMB / LDAP / Kerberos (authorized AD assessments) —

sudo tcpdump -i eth0 'port 445' -w smb.pcap
sudo tcpdump -i eth0 'port 88 or port 389 or port 636' -w ad_auth.pcap

Read existing pcap —

tcpdump -r capture.pcap -n 'host 10.10.10.5'
tcpdump -r capture.pcap -A 'tcp port 80' | less
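What `tcpdump -r capture.pcap -n 'host 10.10.10.5'` does under the hood, as an added example that is not part of the original cheat sheet: a small Python reader for the classic libpcap file format that applies a host-and-port filter and flags records that were cut short by the capture snaplen. The in-memory capture, `SAMPLE`, the 10.10.10.x addresses and the helper names are constructed for this demo and stand in for a real capture.pcap.

```python
import socket
import struct

SAMPLE = [  # constructed flows (not a real capture): (ts_sec, src, dst, sport, dport, payload)
    (1700000000, "10.10.10.5", "10.10.10.20", 49152, 445, b"A" * 40),
    (1700000001, "10.10.10.20", "10.10.10.5", 445, 49152, b"B" * 10),
    (1700000002, "10.10.10.7", "10.10.10.20", 49153, 445, b"C" * 10),
    (1700000003, "10.10.10.5", "10.10.10.20", 49154, 53, b"D" * 10)]

def ipv4_tcp_frame(src, dst, sport, dport, payload=b""):
    """Minimal Ethernet/IPv4/TCP frame; checksums left zero (enough for parsing)."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # dst/src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + tcp

def build_pcap(flows, snaplen=262144):
    """Classic libpcap file (magic 0xa1b2c3d4, little-endian, linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for ts, *hdr, payload in flows:
        frame = ipv4_tcp_frame(*hdr, payload)
        captured = frame[:snaplen]                             # what tcpdump -s SNAPLEN keeps
        out += struct.pack("<IIII", ts, 0, len(captured), len(frame)) + captured
    return out

def read_pcap(data):
    """Yield (ts_sec, incl_len, orig_len, frame) per record, handling either byte order."""
    endian = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off = 24
    while off + 16 <= len(data):
        ts, _usec, incl, orig = struct.unpack_from(endian + "IIII", data, off)
        yield ts, incl, orig, data[off + 16:off + 16 + incl]
        off += 16 + incl

def parse_ipv4_tcp(frame):
    """Return (src, dst, sport, dport), or None if not IPv4/TCP or cut too short."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4                               # IPv4 header length in bytes
    return (socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34]),
            *struct.unpack_from("!HH", frame, 14 + ihl))

def filter_host_port(data, host, port):
    """Like: tcpdump -r FILE -n 'host HOST and tcp port PORT'; hit = (ts, hdr, truncated)."""
    hits = []
    for ts, incl, orig, frame in read_pcap(data):
        hdr = parse_ipv4_tcp(frame)
        if hdr and host in hdr[:2] and port in hdr[2:]:
            hits.append((ts, hdr, incl < orig))                # incl < orig: snaplen cut it
    return hits
```

Calling filter_host_port(build_pcap(SAMPLE, snaplen=80), "10.10.10.5", 445) returns the two SMB records in both directions, the 94-byte one flagged as truncated by the 80-byte snaplen.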

Rotate large captures —

sudo tcpdump -i eth0 -w cap.pcap -C 100 -W 10

Flags reference

-i IF            Interface
-w FILE          Write PCAP
-r FILE          Read PCAP
-n               No DNS resolution
-nn              No DNS or port names
-A               ASCII payload
-X               Hex + ASCII
-c N             Stop after N packets
-s SNAPLEN       Capture length (0 = full)
-C SIZE          Rotate file size (MB; units of 1,000,000 bytes)
-W COUNT         Max rotate files
-v/-vv/-vvv      Verbose
host, net, port  BPF filters

Tips

  • Run with -s 0 (snaplen 0) for full packets unless storage is tight; modern tcpdump already defaults to a large snaplen (262144 bytes), so this mainly matters on older builds.
  • Combine with Wireshark: wireshark capture.pcap.
  • On busy links, narrow BPF (host x and port y) to avoid huge files.
  • Promiscuous mode is on by default; add -p (-i eth0 -p) to turn it off if you only need traffic addressed to the capturing host.
