Tcpdump-cheat-sheet
Version vom 23. April 2025, 11:22 Uhr von Thomas.will (Diskussion | Beiträge)
| Befehl | Beschreibung |
|---|---|
tcpdump |
listen on the first non-loopback interface detected |
tcpdump -i eth0 |
capture packets on eth0 and display their content |
tcpdump -i eth0 -w my.pcap |
save packets received on eth0 to my.pcap |
tcpdump -i any |
capture packets from all available interfaces |
tcpdump tcp |
capture only tcp |
tcpdump udp |
capture only udp |
tcpdump icmp |
capture only icmp |
tcpdump arp |
capture only arp |
tcpdump src 10.0.0.1 |
capture traffic from 10.0.0.1 |
tcpdump port 80 |
capture traffic with either src/dst port 80 |
tcpdump dst net 10.1.1.0/24 |
capture traffic for specific subnet |
tcpdump tcp and src 10.0.0.1 and port 80 |
combine multiple filters |
tcpdump tcp dst portrange 22-1023 |
capture packets with port range |
tcpdump -vvv |
show protocol-specific info with full verbosity |
tcpdump -tt |
use UNIX timestamp as packet timestamp format |
tcpdump not port 22 |
capture all traffic except ssh traffic |
tcpdump -c 1000 |
capture the first 1000 packets only |
tcpdump -n |
do not convert IP addresses/ports to names |
tcpdump -e |
display layer-2 info such as MAC addresses |
tcpdump -X |
show payload content in hex/ASCII format |
tcpdump ip6 |
capture IPv6 packets only |
tcpdump 'tcp port 80 or udp port 67' |
use complex filters |
tcpdump greater 200 |
capture packets whose length > 200 |
tcpdump ether dst ff:ff:ff:ff:ff:ff |
capture layer-2 broadcast packets |
tcpdump 'tcp[13] == tcp-syn' |
capture TCP SYN packets |
| tcp-fin) != 0' | match TCP SYN or FIN |
tcpdump -e vlan 10 |
capture traffic with VLAN tag 10 |
tcpdump 'icmp[0] = 8' |
capture ICMP echo request packets (ping) |
tcpdump outbound |
capture only outbound traffic |