Tcpdump Cheatsheet

Command-line packet analyzer for capturing and inspecting network traffic

Updated at: March 10, 2025

Basic Capture Syntax

Tcpdump is a command-line packet analyzer built on libpcap. An invocation names the interface to listen on (-i), how many packets to take (-c), how many bytes of each packet to keep (-s), and an optional filter expression. The expression is compiled to BPF and evaluated in the kernel before packets are copied to tcpdump, so a tight filter is far cheaper than capturing everything and filtering afterwards. Opening an interface for capture requires root or the CAP_NET_RAW capability.
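The following is an added example, not part of the original cheatsheet: it assembles the basic invocation from its parts and prints the command so each option can be reviewed before it is run with root or CAP_NET_RAW. The interface names are placeholders, and pick_interface and basic_capture_cmd are this example's own helper names, not tcpdump options.

```shell
#!/bin/sh
# Added example, not part of the original cheatsheet. Builds a basic tcpdump
# command from its parts and prints it. Interface names are placeholders;
# pick_interface and basic_capture_cmd are this example's own names.

# First interface from `tcpdump -D` (lines look like "1.eth0 [Up, Running]"),
# or the Linux pseudo-interface "any" when tcpdump is missing or lists nothing.
# Caveat: "any" captures in cooked (SLL) mode, so frames carry no real
# link-layer header and ether/MAC filters do not apply.
pick_interface() {
  dev=""
  if command -v tcpdump >/dev/null 2>&1; then
    dev=$(tcpdump -D 2>/dev/null | sed -n '1s/^[0-9]*\.\([^ ]*\).*/\1/p')
  fi
  printf '%s\n' "${dev:-any}"
}

# basic_capture_cmd IFACE COUNT EXPR
#   -i IFACE   interface to listen on
#   -nn        no DNS or /etc/services lookups: faster, and the capture host
#              sends no reverse-DNS queries that a target could notice
#   -c COUNT   stop after COUNT packets instead of waiting for Ctrl-C
#   -s 0       snaplen 0 = keep whole packets; older builds defaulted to 68
#              bytes and silently truncated payloads
#   EXPR       a protocol primitive or any other BPF expression
basic_capture_cmd() {
  printf "tcpdump -i %s -nn -c %s -s 0 '%s'\n" "$1" "$2" "$3"
}

# Show the command for a few common protocol captures.
iface=$(pick_interface)
for proto in icmp arp tcp udp ip6; do
  basic_capture_cmd "$iface" 20 "$proto"
done
```

The printed commands are what you would paste into a root shell; the single quotes around the expression become important as soon as it contains spaces or parentheses.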

Host and Network Filters

Host and network filters match traffic to or from an IP address (host), an IPv4 or IPv6 network in CIDR or net/mask form (net), or an Ethernet address (ether host); each can be restricted to one direction with src or dst. They are the first thing to add to a capture, since they cut the packet volume before any decoding happens. Combine them with -n or -nn so the addresses you see are the ones on the wire rather than whatever reverse DNS returns, and so the capture host does not emit lookups of its own.

Port Filters

Port filters match TCP, UDP or SCTP port numbers: a single port (port, src port, dst port), a range (portrange), or a service name resolved through /etc/services such as port http. Prefix the primitive with tcp or udp when the transport protocol matters. These filters are the quickest way to isolate one application's traffic, with one caveat: only the first fragment of a fragmented datagram carries the transport header, so port filters never match the remaining fragments.
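The following is an added example, not from the original cheatsheet, serving both the host/network and the port filter sections above. Its helpers build the BPF primitives tcpdump accepts, reject bad direction and protocol keywords, and print a few assembled filters. The helper names are this example's own, and the 192.0.2.0/24 and 198.51.100.0/24 addresses are documentation ranges used as placeholders.

```shell
#!/bin/sh
# Added example, not from the original cheatsheet. Builds host, net, ether
# and port primitives for tcpdump. Helper names are this example's own;
# addresses are RFC 5737 documentation ranges used as placeholders.

# dir_prefix DIR -> "src " / "dst " / "" (either direction); anything else fails.
dir_prefix() {
  case "$1" in
    src|dst) printf '%s ' "$1" ;;
    any|"") ;;
    *) echo "bad direction: $1 (use src, dst or any)" >&2; return 1 ;;
  esac
}

# host_filter DIR ADDR  -> [src|dst] host ADDR   (IPv4, IPv6 or a name)
# net_filter  DIR NET   -> [src|dst] net NET     (CIDR such as 10.0.0.0/8)
host_filter() { p=$(dir_prefix "$1") || return 1; printf '%shost %s\n' "$p" "$2"; }
net_filter()  { p=$(dir_prefix "$1") || return 1; printf '%snet %s\n' "$p" "$2"; }

# ether_filter DIR MAC -> ether [src|dst|host] MAC. Matched on the frame, so it
# still works when the IP header is spoofed; it does not work on "-i any".
ether_filter() {
  case "$1" in
    src|dst) printf 'ether %s %s\n' "$1" "$2" ;;
    any|"")  printf 'ether host %s\n' "$2" ;;
    *) dir_prefix "$1" ;;   # reuse the error path (returns 1)
  esac
}

# port_filter DIR PROTO PORT -> [tcp|udp|sctp] [src|dst] port PORT
#   PORT may be a number or an /etc/services name ("port domain" = 53).
#   An empty PROTO matches TCP, UDP and SCTP. Only the first fragment of a
#   fragmented datagram has a transport header, so only it can match.
port_filter() {
  p=$(dir_prefix "$1") || return 1
  case "$2" in
    tcp|udp|sctp|"") ;;
    *) echo "bad protocol: $2 (use tcp, udp, sctp or empty)" >&2; return 1 ;;
  esac
  printf '%s%sport %s\n' "${2:+$2 }" "$p" "$3"
}

# portrange_filter DIR LO HI -> [src|dst] portrange LO-HI
portrange_filter() {
  p=$(dir_prefix "$1") || return 1
  printf '%sportrange %s-%s\n' "$p" "$2" "$3"
}

# A few assembled filters.
host_filter any 192.0.2.10
net_filter src 198.51.100.0/24
ether_filter dst 00:11:22:33:44:55
port_filter dst tcp 443
port_filter any "" domain
portrange_filter dst 8000 8100
```

Each line of output is a complete expression that can be quoted and handed to tcpdump as-is, or joined with and/or to narrow a capture further.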

Packet Size and Content Filters

Size filters (less, greater, or an expression on len) test the length of the captured frame, link-layer header included. Content filters use the byte-offset syntax proto[offset:size] to read 1, 2 or 4 bytes at a fixed position in the Ethernet, IP, TCP, UDP or ICMP header and compare them with arithmetic, bitwise and relational operators. This is how TCP flag combinations, header lengths and the first bytes of a payload are matched; it operates on raw bytes, so it does not depend on tcpdump's protocol decoders.
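The following is an added example, not from the original cheatsheet. It assembles the byte-offset filters for the three things practitioners usually reach for: TCP flag combinations (with the ECN caveat), IP and frame length, and a payload prefix such as "GET ". The helper names are this example's own; the tcpdump syntax they emit is standard.

```shell
#!/bin/sh
# Added example, not from the original cheatsheet. Builds tcpdump byte-offset
# filters (proto[offset:size] with &, =, != and >). Helper names are this
# example's own.

# Bit values of the TCP flags byte, tcp[13]. tcpdump also accepts the symbolic
# names tcp-fin, tcp-syn, ... and "tcpflags" for the offset; numbers are used
# here so the mask arithmetic is visible.
tcp_flag_bit() {
  case "$1" in
    fin) echo 1 ;;  syn) echo 2 ;;  rst) echo 4 ;;  psh) echo 8 ;;
    ack) echo 16 ;; urg) echo 32 ;; ece) echo 64 ;; cwr) echo 128 ;;
    *) echo "unknown flag: $1" >&2; return 1 ;;
  esac
}

# flag_mask syn ack -> 18 (bitwise OR of the named flags)
flag_mask() {
  m=0
  for f in "$@"; do
    b=$(tcp_flag_bit "$f") || return 1
    m=$((m | b))
  done
  echo "$m"
}

# tcp_flags_exact FLAG... -> packets with exactly these flags among the six
# classic ones. The 0x3f mask ignores ECE/CWR, so an ECN-capable SYN
# (SYN+ECE+CWR) still counts as a bare SYN; "tcp[13] = 2" would miss it.
tcp_flags_exact() { m=$(flag_mask "$@") || return 1; echo "tcp[13] & 0x3f = $m"; }

# tcp_flags_any FLAG... -> packets with at least one of the flags set
tcp_flags_any() { m=$(flag_mask "$@") || return 1; echo "tcp[13] & $m != 0"; }

# ascii_hex "GET " -> 0x47455420. BPF compares 1, 2 or 4 bytes at a time,
# so the string must be one of those lengths.
ascii_hex() {
  case ${#1} in
    1|2|4) ;;
    *) echo "need 1, 2 or 4 bytes, got ${#1}" >&2; return 1 ;;
  esac
  printf '0x%s\n' "$(printf '%s' "$1" | od -An -tx1 -v | tr -d ' \n')"
}

# payload_prefix_filter "GET " -> TCP segments whose payload starts with "GET ".
# The payload begins after the TCP header, whose length is the data-offset
# nibble (high half of tcp[12]) in 32-bit words; "& 0xf0 >> 2" gives bytes.
payload_prefix_filter() {
  h=$(ascii_hex "$1") || return 1
  echo "tcp[((tcp[12:1] & 0xf0) >> 2):${#1}] = $h"
}

# Size: "greater N"/"less N" mean len >= N / len <= N on the captured frame,
# link-layer header included; ip[2:2] is the IPv4 total-length field itself.
ip_len_over()       { echo "ip[2:2] > $1"; }
frame_len_between() { echo "greater $1 and less $2"; }

# Classic scan signatures, a plaintext HTTP request matcher, and a size filter.
tcp_flags_exact syn          # new connection attempts
tcp_flags_exact syn ack      # responders accepting them
tcp_flags_exact              # null scan: no flags at all
tcp_flags_exact fin psh urg  # xmas scan
tcp_flags_any rst fin        # teardowns and resets
payload_prefix_filter "GET "
ip_len_over 1400
frame_len_between 1400 1500
```

The payload matcher is the one to remember: hard-coding tcp[20:4] would be wrong whenever TCP options are present, which is every modern SYN and most data segments on connections negotiated with timestamps or SACK.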

Advanced Expression Operators

Tcpdump combines primitives with and (&&), or (||) and not (!), and parentheses control grouping. Negation binds tightest; and and or have equal precedence and associate left to right, so anything beyond a flat chain of one operator needs explicit parentheses. Parentheses and ! are also shell metacharacters: quote the whole expression (single quotes are safest) so the shell passes it through untouched.
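The following is an added example, not from the original cheatsheet, showing how compound expressions are composed and where the precedence rules bite. The combinator names are this example's own; 198.51.100.9 is a documentation address standing in for an administrator's jump host.

```shell
#!/bin/sh
# Added example, not from the original cheatsheet. Composes compound tcpdump
# expressions and shows the precedence pitfalls. Helper names are this
# example's own; 198.51.100.9 is a placeholder jump-host address.

# Combinators. tcpdump accepts both word and symbol forms: and/&&, or/||, not/!.
# Everything is emitted in word form and grouped with parentheses so the result
# can be dropped into a single-quoted argument; unquoted, the shell would eat
# the parentheses and treat ! as history expansion.
group() { printf '(%s)\n' "$1"; }
f_and() { printf '%s and %s\n' "$1" "$2"; }
f_or()  { printf '%s or %s\n' "$1" "$2"; }
f_not() { printf 'not %s\n' "$1"; }

# Precedence: "not" binds tightest; "and" and "or" have EQUAL precedence and
# associate left to right, so
#   not port 22 or port 53        =  (not port 22) or port 53   -> almost everything
#   host A or host B and port 80  =  (host A or host B) and port 80
# Group explicitly whenever the meaning depends on it.
neither_ports() { f_not "$(group "$(f_or "port $1" "port $2")")"; }

# Drop your own admin session (SSH from the jump host) without hiding other
# SSH traffic, then AND it with whatever you are actually looking for.
exclude_admin_session() { f_not "$(group "$(f_and "host $1" "port 22")")"; }
analyze_except_admin()  { f_and "$(exclude_admin_session "$1")" "$(group "$2")"; }

# tcpdump lets repeated qualifiers be elided: "tcp dst port 80 or 443" means
# "tcp dst port 80 or tcp dst port 443". This writes the long form for
# readers who do not know the shorthand.
expand_ports() {
  q=$1; shift
  out=""
  for p in "$@"; do
    out="${out:+$out or }$q $p"
  done
  printf '%s\n' "$out"
}

neither_ports 22 53
analyze_except_admin 198.51.100.9 'tcp port 443'
analyze_except_admin 198.51.100.9 "$(expand_ports 'tcp dst port' 80 443 8080)"
```

When an expression grows past a line, write it to a file and pass it with -F; tcpdump reads the filter from the file and ignores any expression given on the command line.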

Output Control and Formatting

Control how tcpdump decodes and prints what it captures. The options that matter most: -n and -nn for numeric addresses and ports, -v, -vv and -vvv for progressively more header detail, -q for a one-line summary, -e to include link-layer addresses, -X for a hex and ASCII dump of each packet and -A for ASCII only, -tttt for an absolute date and time on every line, -S to print absolute rather than relative TCP sequence numbers, and -l to line-buffer stdout so output reaches a pipe as it is produced rather than in block-sized bursts.
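The following is an added example, not from the original cheatsheet. Output flags only pay off once the lines have to be read, so it pairs a triage-friendly option set with an awk pass that turns tcpdump's one-line summaries into a top-talker tally. The sample output lines are constructed for the example in the format produced by -nn -tttt -q, using documentation addresses; triage_cmd and talkers are this example's own names.

```shell
#!/bin/sh
# Added example, not from the original cheatsheet. A triage option set and an
# awk pass over tcpdump's summary lines. SAMPLE is constructed for the example
# (RFC 5737 / RFC 3849 addresses); triage_cmd and talkers are this example's own.

# Option set for quick triage:
#   -nn    numeric hosts and ports         -tttt  absolute date+time per line
#   -q     shortest protocol summary       -l     line-buffered stdout for pipes
# For deeper inspection swap -q for -v/-vv and add -X (hex+ASCII) or -A (ASCII).
triage_cmd() {
  if [ -n "$2" ]; then
    printf "tcpdump -i %s -nn -tttt -q -l '%s'\n" "$1" "$2"
  else
    printf 'tcpdump -i %s -nn -tttt -q -l\n' "$1"
  fi
}

# Constructed sample of what "tcpdump -nn -tttt -q" prints (not real traffic).
SAMPLE='2025-03-10 14:02:11.123456 IP 192.0.2.10.51514 > 198.51.100.5.443: tcp 0
2025-03-10 14:02:11.124001 IP 198.51.100.5.443 > 192.0.2.10.51514: tcp 0
2025-03-10 14:02:11.124377 IP 192.0.2.10.51514 > 198.51.100.5.443: tcp 0
2025-03-10 14:02:11.200123 IP 192.0.2.10.40122 > 198.51.100.53.53: UDP, length 40
2025-03-10 14:02:11.201555 IP 198.51.100.53.53 > 192.0.2.10.40122: UDP, length 88
2025-03-10 14:02:11.300007 IP 192.0.2.10.51515 > 198.51.100.5.443: tcp 0
2025-03-10 14:02:11.400990 IP6 2001:db8::10.51516 > 2001:db8::5.443: tcp 0'

# talkers: count packets per "src > dst" host pair, ignoring ports.
# With -tttt the fields are: $1 date, $2 time, $3 IP|IP6, $4 src.port,
# $5 ">", $6 dst.port followed by a colon. The port is everything after the
# LAST dot, which is what makes the split safe for IPv6 literals too.
talkers() {
  awk '$3 == "IP" || $3 == "IP6" {
         src = $4; dst = $6; sub(/:$/, "", dst)
         sub(/\.[^.]*$/, "", src); sub(/\.[^.]*$/, "", dst)
         n[src " > " dst]++
       }
       END { for (k in n) printf "%d %s\n", n[k], k }' | sort -rn
}

triage_cmd eth0 'tcp port 443'
printf '%s\n' "$SAMPLE" | talkers
```

In the field the pipeline is simply "tcpdump -i eth0 -nn -tttt -q -l | talkers" (or "| head" after a few seconds); without -l the first lines would not appear until tcpdump filled a stdio buffer.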

Saving and Reading Captures

With -w, tcpdump writes the raw packets to a file in pcap format instead of decoding them (display options such as -n and -v do not apply, but the filter expression still does); -r reads such a file back through the same decoder and filter machinery, so a large capture can be narrowed offline or re-saved as a smaller one with -r in -w out. The -C, -G and -W options split long-running captures by size, time and file count so they stay manageable. Saved files can be shared with other analysts and tools, and recent libpcap builds can also read pcapng files, although -w always writes classic pcap.
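The following is an added example, not from the original cheatsheet. It builds the write, rotate, read and carve commands and adds the check a practitioner wants before pointing -r at a file somebody sent: a look at the magic bytes to tell pcap from pcapng from something else. The file paths and the "tcpdump" user are placeholders; pcap_kind and the *_cmd helpers are this example's own names.

```shell
#!/bin/sh
# Added example, not from the original cheatsheet. Save/rotate/read commands
# plus a magic-byte check. Paths and the "tcpdump" user are placeholders;
# helper names are this example's own.

# ring_capture_cmd IFACE OUT SIZE_MB COUNT USER
#   -w OUT      write raw packets instead of decoding them
#   -C SIZE_MB  start a new file every SIZE_MB * 1,000,000 bytes (OUT, OUT1, OUT2, ...)
#   -W COUNT    keep at most COUNT files, overwriting the oldest (ring buffer)
#   -Z USER     user tcpdump drops to after opening the interface. The output
#               directory must be writable by that user; Debian/Ubuntu drop to
#               "tcpdump" by default, which is why -w into $HOME fails.
ring_capture_cmd() {
  printf 'tcpdump -i %s -nn -s 0 -w %s -C %s -W %s -Z %s\n' "$1" "$2" "$3" "$4" "$5"
}

# timed_capture_cmd IFACE PATTERN SECONDS -> a new file every SECONDS;
# strftime escapes in PATTERN (%Y%m%d-%H%M%S) give each file a timestamp.
timed_capture_cmd() {
  printf "tcpdump -i %s -nn -s 0 -G %s -w '%s'\n" "$1" "$3" "$2"
}

# read_cmd FILE EXPR      -> decode FILE, applying EXPR exactly as on a live capture
# carve_cmd IN OUT EXPR   -> write only the matching packets of IN to OUT
read_cmd()  { printf "tcpdump -nn -r %s '%s'\n" "$1" "$2"; }
carve_cmd() { printf "tcpdump -r %s -w %s '%s'\n" "$1" "$2" "$3"; }

# pcap_kind FILE -> pcap | pcap-nanosecond | pcapng | unknown (exit 1)
# The first four bytes identify the container: a1b2c3d4 is classic pcap in
# either byte order, a1b23c4d the nanosecond variant, 0a0d0d0a pcapng's
# Section Header Block. tcpdump -w writes classic pcap only.
pcap_kind() {
  m=$(od -An -tx1 -N 4 -v "$1" 2>/dev/null | tr -d ' \n')
  case "$m" in
    d4c3b2a1|a1b2c3d4) echo pcap ;;
    4d3cb2a1|a1b23c4d) echo pcap-nanosecond ;;
    0a0d0d0a)          echo pcapng ;;
    *) echo unknown; return 1 ;;
  esac
}

ring_capture_cmd eth0 /var/tmp/ring.pcap 100 10 tcpdump
timed_capture_cmd eth0 '/var/tmp/cap-%Y%m%d-%H%M%S.pcap' 3600
read_cmd /var/tmp/ring.pcap 'tcp port 443'
carve_cmd /var/tmp/ring.pcap /var/tmp/https-only.pcap 'tcp port 443'

# Demonstrate the magic check on a constructed 8-byte pcap header
# (little-endian magic, version 2.4), then clean up.
t=$(mktemp)
printf '\324\303\262\241\002\000\004\000' > "$t"
pcap_kind "$t"
rm -f "$t"
```

The carve step is the usual answer to "the capture is 40 GB": filter once with -r/-w, hand the small file around, and keep the original untouched as evidence.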