tcpdump cheat sheet
To see all network traffic on a Linux system or on the network, tcpdump is the seasoned tool for the job. Network engineers may find it easy to use, but for the average person the number of options can be overwhelming. This cheat sheet dives into what tcpdump can do, with examples that are often used to troubleshoot issues and monitor the network.
Basic options
Some of the common options to use on tcpdump include:
Short option | Long option | What the option does |
---|---|---|
-i IFACE | --interface=IFACE | Select IFACE as the interface on which to capture |
-D | --list-interfaces | Show available interfaces that can be used |
-n | | Do not resolve hostnames, protocols, etc. |
-q | | Quick/quiet output |
-r FILE.pcap | | Read an earlier packet capture session from FILE.pcap |
-v | | Verbose output |
-vv | | More verbose |
-vvv | | Most verbose |
-w FILE.pcap | | Store the captured packets in FILE.pcap |
Creating a shell script? Then we suggest using the long option format, as this improves readability. For quick use on the command line, consider the short notation of the related option.
Filter expressions
With options alone, tcpdump displays every captured packet. That is typically more than we want, especially when we want to zoom in on a specific host or protocol. For this purpose tcpdump uses filter expressions.
Filter | Intended goal | Example |
---|---|---|
host | Filter by source or destination host | tcpdump host 10.0.1.1 |
port | Filter by port number or service name | tcpdump port 80 |
src host | Filter by source host | tcpdump src host 10.2.3.1 |
Operators
It is common to combine several filters in one expression, for example one of the communicating hosts together with a port. Some of the operators include:
- not (!)
- and (&&)
- or (||)
- less (<)
- greater (>)
If two filters both need to match, we combine them with the and operator:
tcpdump host 10.2.3.1 and port 80
When we throw in a 'not', we can see all traffic for one host except SSH traffic, using a combination of both:
tcpdump host 10.4.2.3 and not port 22
Protocols
Some protocols can be defined as-is, limiting output to only those protocols.
- icmp
- tcp
- udp
Interfaces and traffic isolation
Typically a system has more than one interface available. To avoid being overloaded with too much traffic, it is wise to isolate it. This can be done with --interface= by defining the specific interface on which network packets are captured.
Show available interfaces
Modern Linux distributions typically have more interfaces than you would initially think. Use the option --list-interfaces to display all available interfaces, including those for netfilter, Bluetooth and D-Bus.
# tcpdump --list-interfaces
1.ens3 [Up, Running, Connected]
2.any (Pseudo-device that captures on all interfaces) [Up, Running]
3.lo [Up, Running, Loopback]
4.bluetooth-monitor (Bluetooth Linux Monitor) [Wireless]
5.nflog (Linux netfilter log (NFLOG) interface) [none]
6.nfqueue (Linux netfilter queue (NFQUEUE) interface) [none]
7.dbus-system (D-Bus system bus) [none]
8.dbus-session (D-Bus session bus) [none]
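As an added example (not from the cheat sheet), a POSIX shell helper that parses this listing so a capture script can pick a real interface instead of the 'any' pseudo-device. The sample listing is constructed from the output above; in a real script it would come from `tcpdump --list-interfaces`.

```shell
#!/bin/sh
# Constructed sample of `tcpdump --list-interfaces` output, same shape as the
# listing on this page. Replace with: SAMPLE_LISTING=$(tcpdump --list-interfaces)
SAMPLE_LISTING='1.ens3 [Up, Running, Connected]
2.any (Pseudo-device that captures on all interfaces) [Up, Running]
3.lo [Up, Running, Loopback]
4.bluetooth-monitor (Bluetooth Linux Monitor) [Wireless]
5.nflog (Linux netfilter log (NFLOG) interface) [none]
6.nfqueue (Linux netfilter queue (NFQUEUE) interface) [none]
7.dbus-system (D-Bus system bus) [none]
8.dbus-session (D-Bus session bus) [none]'

# Print the names of interfaces that are Up and Running, one per line,
# skipping the 'any' pseudo-device and the loopback interface.
capture_candidates() {
    printf '%s\n' "$1" | awk '
        # The first field is "N.name"; strip the leading index.
        { name = $1; sub(/^[0-9]+\./, "", name) }
        # Keep only real interfaces flagged Up and Running.
        /\[Up, Running/ && name != "any" && !/Loopback\]/ { print name }
    '
}

# Pick the first candidate, falling back to the 'any' pseudo-device when the
# listing has no real Up/Running interface (e.g. a container with only lo).
pick_interface() {
    first=$(capture_candidates "$1" | head -n 1)
    if [ -n "$first" ]; then printf '%s\n' "$first"; else printf 'any\n'; fi
}

# Usage in a capture script (long options, as the cheat sheet suggests):
#   tcpdump --interface="$(pick_interface "$(tcpdump --list-interfaces)")" -n -c 10
```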
Capture on all interfaces
To capture traffic on all interfaces, use 'any' as the value.
tcpdump -n -i any
Reducing output
For troubleshooting and a first analysis, it may be useful to limit the amount of output. With option -c a count can be set to limit the number of captured packets.
tcpdump -n -c 10
Increasing output details
To get more detail per packet, add -v, -vv or -vvv (see the table of basic options):
tcpdump -nvv port 80
Filter packets
By host
When zooming in on a particular system, we can use host and specify the related host.
tcpdump -n host 192.168.178.16
Only looking for packets coming from a specific host? Add the src statement as well.
tcpdump -n src host 192.168.1.19
By port
Define the port by its protocol name or number. For HTTP connections we could use:
tcpdump -n port http
Or its alternative, by port number:
tcpdump -n port 80
By protocol
Looking for all TCP connections to or from a system? Set the filter to tcp and all other protocols will be ignored.
tcpdump -n tcp
TCP flags
TCP segments carry several flags, which reflect the state of the connection. A newly initiated connection starts with a segment that has only the SYN flag set, which makes this flag a great way to filter out all new connections.
tcpdump -i ens18 -n 'tcp[tcpflags] == tcp-syn'
We can also filter specifically for the SYN/ACK segment, the reply that follows at the beginning of the handshake.
tcpdump -i ens18 'tcp[13] = 18'
The value 13 is an offset into the TCP header: the byte at offset 13 holds the TCP flags. The value 18 is SYN (2) plus ACK (16), using the flag values listed below.
Useful values to know
- URG = 32
- ACK = 16
- PSH = 8
- RST = 4
- SYN = 2
- FIN = 1
So, to see all TCP segments with the FIN flag set (connections that are being closed):
# tcpdump 'tcp[13] & 1 != 0'
09:30:53.270658 IP 192.168.1.11.33392 > 192.168.1.12.22: Flags [F.], seq 2535494855, ack 1906495977, win 501, options [nop,nop,TS val 3548246170 ecr 1901198083], length 0
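The three filters above differ in how they compare byte 13: `tcp[13] = 18` wants exactly SYN and ACK and nothing else, while `tcp[13] & 1 != 0` accepts any segment that has FIN set. As an added example (not from the cheat sheet or from tcpdump), POSIX shell helpers that build these expressions from flag names, using the values in the table above; the two high bits of byte 13 (CWR = 128, ECE = 64) are not in the table, which is why the exact form can miss ECN-marked SYN/ACKs.

```shell
#!/bin/sh
# Added helpers: build tcp[13] filter expressions from TCP flag names.
# Flag values as in the cheat sheet: URG=32 ACK=16 PSH=8 RST=4 SYN=2 FIN=1.

# Sum the byte-13 values of the flag names given as arguments.
tcp_flag_mask() {
    mask=0
    for f in "$@"; do
        case "$f" in
            URG) v=32 ;; ACK) v=16 ;; PSH) v=8 ;;
            RST) v=4 ;;  SYN) v=2 ;;  FIN) v=1 ;;
            *) echo "unknown TCP flag: $f" >&2; return 1 ;;
        esac
        mask=$((mask | v))
    done
    echo "$mask"
}

# Exact match: only the listed flags are set (the page's 'tcp[13] = 18').
# A SYN/ACK that also carries the ECN bits (CWR/ECE) does NOT match this.
tcp_flags_exactly() {
    echo "tcp[13] = $(tcp_flag_mask "$@")"
}

# Subset match: all listed flags are set, other bits are ignored. Prefer this
# when ECN bits may be present. Equivalent named form for SYN/ACK:
#   tcp[tcpflags] & (tcp-syn|tcp-ack) == (tcp-syn|tcp-ack)
tcp_flags_include() {
    m=$(tcp_flag_mask "$@")
    echo "tcp[13] & $m = $m"
}

# Any-of match: at least one listed flag is set (the page's FIN example,
# 'tcp[13] & 1 != 0', generalised to several flags such as FIN or RST).
tcp_flags_any() {
    echo "tcp[13] & $(tcp_flag_mask "$@") != 0"
}

# Example: sudo tcpdump -i ens18 -n "$(tcp_flags_include SYN ACK)"
```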
ARP
tcpdump -n ether proto 0x0806
or easier:
tcpdump -n arp
IPv6
tcpdump ip6
Packet size
We can also filter on size, which in the case of tcpdump means the total length of the captured frame, including the link layer, IP and, for example, TCP headers.
tcpdump -n len greater 1000
Depending on the protocol, you have to look carefully at which length you actually intend to match. See the UDP example below.
UDP
There is no ready-made tcpdump keyword for the size of a UDP datagram, so if you want to filter on it specifically, a little bit of size counting is needed.
- IP header is at a minimum 20 bytes and 60 bytes maximum
- UDP header is 8 bytes
- UDP payload
So to filter for very small UDP packets of 4 bytes or less (20+8+4=32), we can use:
tcpdump -n 'ip[2:2] <= 32 and udp'
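As an added example (not part of the cheat sheet), shell helpers that build this size filter from a maximum payload size in bytes: the page's form with a minimal 20-byte IP header, an exact form that lets the filter read the IPv4 header length (IHL) field from each packet, and a form based on the UDP header's own length field at offset 4. All three are IPv4-only, as the page's ip[2:2] filter is.

```shell
#!/bin/sh
# Added helpers: build tcpdump filters matching UDP datagrams whose payload
# is at most $1 bytes. IPv4 only, like the page's ip[2:2] expression.

# The page's arithmetic: 20-byte IP header + 8-byte UDP header + payload.
# Under-matches when the IP header carries options (IHL > 5 words), because
# the real header is then longer than the assumed 20 bytes.
udp_payload_at_most_simple() {
    echo "udp and ip[2:2] <= $((20 + 8 + $1))"
}

# Exact form: subtract the real IPv4 header length inside the filter.
# ip[0] & 0xf is the IHL field in 32-bit words, so (ip[0] & 0xf) * 4 is the
# header size in bytes; ip[2:2] is the IP total length.
udp_payload_at_most() {
    echo "udp and ip[2:2] - (ip[0] & 0xf) * 4 - 8 <= $1"
}

# Shortest form: the UDP length field (udp[4:2]) already counts the 8-byte
# UDP header plus payload, so no IP header arithmetic is needed.
udp_payload_at_most_udplen() {
    echo "udp and udp[4:2] <= $((8 + $1))"
}

# Example: sudo tcpdump -n "$(udp_payload_at_most 4)"
```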
Combining filters
See all traffic of a particular host, but ignore the SSH connection.
tcpdump -n host 192.168.178.16 and port not 22
Using files
Using filters from a file
When repeating the same capture, the option -F reads the filter expression from an external file. This is very useful for more specific filters that are harder to remember.
tcpdump -n -c 10 -F tcpdump-filter-arp-only
Store output in a file
tcpdump can store a capture in a PCAP file, a format that other programs, such as Wireshark, can read as well.
tcpdump -n -c 10 -w for-later-analysis.pcap
To read the capture back, tcpdump can be used again, this time with -r.
tcpdump -r for-later-analysis.pcap