tcpdump can feel like a black box, but it’s really just a packet-level observer that lets you see the raw conversations happening on your network interfaces.

Here’s how to get it to show you what you need:

Capturing All Traffic on an Interface

This is your starting point. You’ll want to see everything flying by.

sudo tcpdump -i eth0
  • -i eth0: This tells tcpdump to listen on the eth0 interface. Replace eth0 with your actual network interface name (e.g., enp0s3, wlan0). You can find your interfaces with ip a or ifconfig.

Filtering by Host

You’re usually interested in traffic to or from a specific machine.

sudo tcpdump -i eth0 host 192.168.1.100
  • host 192.168.1.100: This captures packets where either the source or destination IP address is 192.168.1.100.

Filtering by Port

Often, you’re looking at a specific service.

sudo tcpdump -i eth0 port 80
  • port 80: This shows traffic where either the source or destination port is 80 (HTTP). You can use dst port 80 to see only traffic going to port 80.

Combining Filters

You can get very precise by chaining conditions.

sudo tcpdump -i eth0 host 192.168.1.100 and port 443
  • and: Combines filters. This captures traffic to or from 192.168.1.100 AND on port 443 (HTTPS). You can also use or and not.

Saving Traffic to a File

Live capture is good, but saving lets you analyze later.

sudo tcpdump -i eth0 -w capture.pcap
  • -w capture.pcap: Writes the captured packets to a file named capture.pcap. This file can be opened later with tcpdump (using -r) or graphical tools like Wireshark.

Reading from a File

Use this to analyze a previously saved capture.

sudo tcpdump -r capture.pcap
  • -r capture.pcap: Reads packets from the capture.pcap file. You can apply filters here too, like sudo tcpdump -r capture.pcap -X host 10.0.0.1.
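As an added example (not part of the original page or of tcpdump itself), here is a small Python reader for the classic pcap format that tcpdump -w produces. It applies the same host and port matching rules described above post hoc, where each term matches either direction; the sample capture, addresses and ports are constructed for the demonstration.

```python
import struct
import ipaddress

PCAP_MAGIC = 0xA1B2C3D4  # classic microsecond pcap magic, as written by tcpdump -w

def build_tcp_frame(src_ip, dst_ip, sport, dport):
    """Constructed Ethernet/IPv4/TCP SYN frame with no payload (sample data only)."""
    eth = b"\x00" * 12 + b"\x08\x00"  # zeroed MACs, EtherType 0x0800 = IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,  # checksums left 0
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip + tcp

def build_pcap(frames):
    """Constructed pcap: 24-byte global header, then a 16-byte record header before each frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # snaplen 65535, linktype 1
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1698402605 + i, 0, len(frame), len(frame)) + frame
    return out

def read_pcap(data):
    """Yield (src, dst, sport, dport) for every IPv4/TCP packet in a pcap file."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC else ">"
    if struct.unpack(endian + "I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a microsecond pcap (nanosecond pcap and pcapng use other magics)")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:  # linktype 1 = Ethernet
        raise ValueError("only Ethernet captures are handled here")
    pos = 24
    while pos + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[pos:pos + 16])
        frame = data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:  # skip non-IPv4/TCP
            continue
        ihl = (frame[14] & 0x0F) * 4  # IP header length in bytes; options make it > 20
        src, dst = (str(ipaddress.IPv4Address(frame[o:o + 4])) for o in (26, 30))
        sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
        yield src, dst, sport, dport

def count_matching(data, host=None, port=None):
    """Post-hoc 'host X and port N': each term matches either direction, as in tcpdump."""
    return sum(1 for src, dst, sport, dport in read_pcap(data)
               if (host is None or host in (src, dst)) and (port is None or port in (sport, dport)))

SAMPLE_PCAP = build_pcap([  # constructed sample capture, addresses are examples only
    build_tcp_frame("192.168.1.100", "203.0.113.10", 51234, 443),
    build_tcp_frame("203.0.113.10", "192.168.1.100", 443, 51234),
    build_tcp_frame("192.168.1.100", "192.168.1.1", 51235, 22),
    build_tcp_frame("10.0.0.5", "192.168.1.1", 40000, 80),
])
```

Run against a real file written by tcpdump -w (open it in binary mode and pass the bytes) to count packets the same way a `host ... and port ...` filter would on the live interface.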

Showing Packet Contents (Hex and ASCII)

See the actual data being sent.

sudo tcpdump -i eth0 -A
  • -A: Prints each packet in ASCII. Useful for seeing plain text protocols like HTTP or FTP. Use -X to see both hex and ASCII.

Limiting Packet Count

Don’t want to capture forever? Set a limit.

sudo tcpdump -i eth0 -c 100
  • -c 100: Captures exactly 100 packets and then exits.

Capturing on a Specific Network

Focus on traffic within a subnet.

sudo tcpdump -i eth0 net 192.168.1.0/24
  • net 192.168.1.0/24: Captures traffic where the source or destination IP address is within the 192.168.1.0/24 network.

Ignoring Specific Traffic

Sometimes you want to exclude known "noisy" traffic.

sudo tcpdump -i eth0 not port 22
  • not port 22: Excludes all SSH traffic. This can be handy if you’re troubleshooting something else and SSH is flooding your output.

Verbosity Levels

Get more or less detail about the packets.

sudo tcpdump -i eth0 -vvv
  • -v, -vv, -vvv: Increases verbosity. -vvv shows more protocol information, including TCP flags and TTL.

Timestamping

Accurate timing is crucial for debugging.

sudo tcpdump -i eth0 -tttt
  • -tttt: Prints timestamps in a human-readable format (e.g., 2023-10-27 10:30:05.123456). The default is often a relative timestamp.

When you’re done with the immediate capture, you might want to start looking at how to reassemble TCP streams to see full HTTP requests or other application-level data.
