Created Sun May 26, 2019 at 01:06AM


Dump everything coming into the interface

tcpdump -i eth0

Filter ICMP traffic showing MAC addresses

This is useful when testing static routing, for example when you set a route through a firewall and want to confirm that the packets are really being handed to the right next hop (the -e flag prints the source and destination MAC of each frame).

sudo tcpdump -e -v icmp

Filter by MAC Address

sudo tcpdump -e -v ether dst ff:ee:b4:71:cb:33

Filter by IP

tcpdump host <ip>

Filter by Source / Destination IP

tcpdump src <ip>
tcpdump dst <ip>

Filtering by entire network

tcpdump net <network>/<prefix>

Packet Contents / Hex Dump

tcpdump -c 1 -X icmp

Filter by port

tcpdump port 3389 
tcpdump src port 1025

Filter by protocol

tcpdump icmp

Filter only IPv6 Traffic

tcpdump ip6

Filter by packet size

tcpdump less 32
tcpdump greater 64
# Comparison operators (<, >, <=, >=) must be quoted, otherwise the shell treats them as redirections.
tcpdump 'len <= 128'

Reading / Writing (Pcap) Packet Captures to file

tcpdump -w capture_file.pcap port 80
# Note that you can use all the regular filters within tcpdump while reading in a file; you're only limited by the fact that you can't capture and process what doesn't exist in the file already.
tcpdump -r capture_file.pcap

Here are some additional tcpdump options.

Flag     Function
-X       Show the packet's contents in both hex and ASCII.
-XX      Same as -X, but also shows the Ethernet header.
-D       Show the list of available interfaces.
-l       Line-buffered output (for viewing as you save, or sending to other commands).
-q       Be less verbose (more quiet) with your output; shows less protocol information.
-t       Give human-readable timestamp output.
-tttt    Give maximally human-readable timestamp output.
-i eth0  Listen on the eth0 interface.
-vv      Verbose output (more v's gives more output).
-c N     Only get N packets and then stop.
-s N     Define the snaplength (size) of the capture in bytes. Use -s0 to get everything, unless you are inte
-S       Print absolute sequence numbers.
-e       Get the Ethernet header as well.
-E       Decrypt IPSEC traffic by providing an encryption key.


All traffic from one source host going to any host on port 3389

tcpdump -nnvvS src <ip> and dst port 3389

From one network to another

tcpdump -nvX 'src net <network-a>/<prefix> and dst net <network-b>/<prefix> or <network-c>/<prefix>'

All non-icmp traffic

tcpdump dst <ip> and src net <network>/<prefix> and not icmp
sudo tcpdump -i eth1 -vv host <ip>

DNS traffic

tcpdump -vvAs0 port 53

FTP traffic

tcpdump -vvAs0 port ftp or ftp-data

NTP traffic

tcpdump -vvAs0 port 123

"Evil bit" traffic

There's a bit in the IPv4 header that never gets set by legitimate applications: the reserved flag bit, which RFC 3514 jokingly named the "Evil Bit". It is the high bit of header byte 6 (the other two bits of that byte are DF and MF), which is exactly what the filter below reads. Here's a fun filter to find packets where it's been toggled.

tcpdump 'ip[6] & 128 != 0'
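As an added example (not part of this note), a small Python script that shows what the byte-offset filter above actually tests, and what the -w / -r capture files from the earlier section contain: it builds constructed Ethernet/IPv4/ICMP frames, evaluates the equivalent of ip[6] & 128 != 0 on them, and writes them to a classic pcap that tcpdump -r can read back and filter the same way. The MAC and IP addresses in it are made up.

```python
import struct

# Constructed sample traffic (not captured packets): Ethernet + IPv4 + ICMP echo request.
# In tcpdump filter syntax, ip[6] is byte 6 of the IPv4 header, the flags byte:
#   0x80 = reserved bit (the RFC 3514 "evil bit"), 0x40 = DF, 0x20 = MF.
ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
ICMP_ECHO = bytes.fromhex("0800f7ff00000000")  # type 8, code 0, checksum, id 0, seq 0

def ipv4_frame(evil=False, df=True, payload=ICMP_ECHO):
    """Build a minimal Ethernet/IPv4 frame with the requested flag bits set (made-up addresses)."""
    eth = bytes.fromhex("ffeeb471cb33") + bytes.fromhex("001122334455")  # dst MAC, src MAC
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    flags_frag = (0x8000 if evil else 0) | (0x4000 if df else 0)  # top 3 bits are the flags
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, flags_frag,
                     64, 1, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + payload

def ip_byte(frame, offset):
    """Value of ip[offset] for an Ethernet frame, or None when the 'ip' qualifier does not match."""
    if len(frame) < ETH_HDR_LEN + 20 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None  # not IPv4: an 'ip[...]' expression can never match such a frame
    return frame[ETH_HDR_LEN + offset]

def evil_bit_set(frame):
    """Python equivalent of the tcpdump filter  ip[6] & 128 != 0"""
    b = ip_byte(frame, 6)
    return b is not None and (b & 0x80) != 0

def write_pcap(path, frames):
    """Write frames as a classic little-endian pcap file (what tcpdump -w produces), link type 1 = Ethernet."""
    with open(path, "wb") as f:
        # global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i, frame in enumerate(frames):  # record header: ts_sec, ts_usec, incl_len, orig_len
            f.write(struct.pack("<IIII", 1558828800 + i, 0, len(frame), len(frame)) + frame)

def read_pcap(path):
    """Read frames back from a pcap file written by write_pcap or by tcpdump -w (little-endian assumed)."""
    frames = []
    with open(path, "rb") as f:
        f.read(24)  # skip the global header
        while rec := f.read(16):
            _sec, _usec, incl_len, _orig_len = struct.unpack("<IIII", rec)
            frames.append(f.read(incl_len))
    return frames

if __name__ == "__main__":
    write_pcap("evil.pcap", [ipv4_frame(), ipv4_frame(evil=True)])
    print([evil_bit_set(f) for f in read_pcap("evil.pcap")])  # [False, True]
```

Running it leaves evil.pcap in the working directory, so `tcpdump -r evil.pcap 'ip[6] & 128 != 0'` should print exactly one of the two constructed packets.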

Find cleartext credentials

tcpdump -lA 'port http or port ftp or port smtp or port imap or port pop3 or port telnet' | grep -E -i -B5 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user '