TcpDump Cheat sheet

Download TcpDump CheatSheet & Examples

You can use our TcpDump CheatSheet for free - just follow the link below! The downloaded file can be distributed in any way.


Please, contact us and send your questions about cyber security - Dhound experts are always ready to help with the security of your website!

Here is the list of most popular tcpdump that Dhound team use for production network troubleshooting or capture security events.

Tcpdump is a command line network packet sniffer for Linux-based systems. Tcpdump can be installed by default in some Linux distributions (just type in command line tcpdump), overwise, install it by the command.

apt-get install tcpdump

PS. Wireshark is one of the best network sniffers for Windows-based systems.

NOTE! IP addresses specified in commands are just examples.

  • track all UDP traffic initiated by host (useful to track DNS amplification attack)
    tcpdump -i any 'udp && src host' -vvnnS
  • track DNS traffic that comes on the host
    tcpdump -i any '(udp && port 53 && dst host' -vvnnS
  • track TCP SYN packages from host: host tries to make to initiate TCP connection with an external source
    tcpdump -i any '((tcp[tcpflags] == tcp-syn) && src' -vvnnS
  • track TCP SYN-ACK packages to host: external resources sent acknowledge about opening TCP connection
    tcpdump -i any '(tcp[13] = 18 and dst host' -vvnnS
  • track traffic into Redis and write all packets into pcap file (pcap file can be opened in Wireshark then for analysis)
    tcpdump -i any 'dst port 6379' -vvnnS -w redis.pcap
  • track all UDP output traffic except DNS
    tcpdump -i any '(udp and not dst port 53 and src host' -vvnnS
  • track all traffic with particular host with writing it into pcap file (pcap file can be opened in Wireshark then for analysis)
    tcpdump -i any 'host' -vvnnS -w host-172-31-71-88.pcap
  • track all traffic on host except SSH, HTTPS, DNS, RabbitMQ, arp traffic
    tcpdump -i eth0 'not (port 22 or 443 or 53 or 5672) and not arp' -nnvvS

Usefull tcpdump parameters:

  • D – show all interfaces
  • i - interface
  • nn – without resolving hostname and ports
  • vv - verbose output
  • S - get entire package

See Also