It’s always tough to do these Top 10 posts. I mean, depending on your job, where you access the network, what it is you are trying to do, you may have some favorite tcpdump commands that I don’t show here.
That said, let's take a look at some great tcpdump commands. By the way, you can grab our tcpdump cheat sheet right here.
- tcpdump
  Capture on the first operating non-loopback interface.
- tcpdump -i eth0
  Capture on the named interface, in this case eth0.
- tcpdump -i eth0 src 172.16.1.1
  Capture on eth0 where the source IP address is 172.16.1.1. You can use dst as well.
- tcpdump -i eth0 -w example.pcap
  Capture all packets on eth0 and write them to example.pcap.
- tcpdump -i eth0 -c 100
  Capture just the first 100 packets on eth0, then exit.
- tcpdump -i eth0 -e
  Capture all packets on eth0 and display the Ethernet (link-layer) header details as well.
- tcpdump -i eth0 dst net 172.16.1.0/24
  Capture all packets on eth0 whose destination address falls anywhere in the specified IP subnet.
- tcpdump -i eth0 ip6
  Capture only IPv6 traffic on the eth0 interface.
- tcpdump -i eth0 portrange 20-100
  Capture any packets on the eth0 interface whose TCP or UDP source or destination port is in the range 20 through 100.
- tcpdump ether dst FF:FF:FF:FF:FF:FF
  Capture any packets that match the specified L2 Ethernet destination address; in this example, all broadcast traffic.
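To see what these filter expressions actually select without needing root or a live interface, here is an added example (not from the original post or from the tcpdump project) that builds a handful of constructed Ethernet/IPv4/IPv6 frames, writes them out in classic pcap format so you can replay them with `tcpdump -r example.pcap <filter>`, and re-implements the page's filters (`src host`, `dst net`, `ip6`, `portrange`, `ether dst`) as small Python predicates. The MAC and IP addresses, ports and file name are all sample values chosen for the example.

```python
"""Constructed sample frames plus pure-Python versions of the tcpdump filters above.
Added example; frames are synthetic, header checksums are left as zero."""
import ipaddress
import struct

BROADCAST = bytes.fromhex("ffffffffffff")
MAC_A = bytes.fromhex("020000000001")   # constructed locally-administered MACs
MAC_B = bytes.fromhex("020000000002")


def eth_frame(dst, src, ethertype, payload):
    return dst + src + struct.pack("!H", ethertype) + payload


def ipv4_udp(src_ip, dst_ip, sport, dport):
    """Minimal IPv4 header (no options) followed by an empty UDP datagram."""
    udp = struct.pack("!HHHH", sport, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return ip + udp


def ipv6_udp(src_ip, dst_ip, sport, dport):
    """Fixed 40-byte IPv6 header, next header 17 (UDP), then an empty UDP datagram."""
    udp = struct.pack("!HHHH", sport, dport, 8, 0)
    ip6 = struct.pack("!IHBB16s16s", 0x60000000, len(udp), 17, 64,
                      ipaddress.IPv6Address(src_ip).packed,
                      ipaddress.IPv6Address(dst_ip).packed)
    return ip6 + udp


def decode(frame):
    """Extract just the fields the filters need: MACs, ethertype, IPs, L4 ports."""
    info = {"ether_dst": frame[:6], "ether_src": frame[6:12],
            "ethertype": struct.unpack("!H", frame[12:14])[0], "ports": ()}
    body = frame[14:]
    if info["ethertype"] == 0x0800:                      # IPv4
        ihl, proto = (body[0] & 0x0F) * 4, body[9]
        info["src"] = ipaddress.IPv4Address(body[12:16])
        info["dst"] = ipaddress.IPv4Address(body[16:20])
        l4 = body[ihl:]
    elif info["ethertype"] == 0x86DD:                    # IPv6
        proto = body[6]
        info["src"] = ipaddress.IPv6Address(body[8:24])
        info["dst"] = ipaddress.IPv6Address(body[24:40])
        l4 = body[40:]
    else:
        return info                                      # ARP etc.: no IP fields
    if proto in (6, 17):  # TCP and UDP both start with source port, destination port
        info["ports"] = struct.unpack("!HH", l4[:4])
    return info


# Filter predicates mirroring the tcpdump expressions on the page.
def src_host(ip):
    addr = ipaddress.ip_address(ip)
    return lambda p: p.get("src") == addr


def dst_net(cidr):
    net = ipaddress.ip_network(cidr)
    return lambda p: "dst" in p and p["dst"] in net      # version mismatch -> False


def ip6(p):
    return p["ethertype"] == 0x86DD


def portrange(lo, hi):
    return lambda p: any(lo <= port <= hi for port in p["ports"])


def ether_dst(mac):
    target = bytes.fromhex(mac.replace(":", ""))
    return lambda p: p["ether_dst"] == target


def apply_filter(pred, frames):
    """Return the indexes of frames the predicate would let through."""
    return [i for i, f in enumerate(frames) if pred(decode(f))]


def pcap_bytes(frames, linktype=1):
    """Classic little-endian pcap: 24-byte global header, 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for n, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + n, 0, len(frame), len(frame)) + frame
    return out


SAMPLE_FRAMES = [  # constructed sample traffic
    eth_frame(MAC_B, MAC_A, 0x0800, ipv4_udp("172.16.1.1", "10.0.0.5", 40000, 53)),
    eth_frame(MAC_A, MAC_B, 0x0800, ipv4_udp("10.0.0.5", "172.16.1.77", 53, 40000)),
    eth_frame(MAC_B, MAC_A, 0x86DD, ipv6_udp("2001:db8::1", "2001:db8::2", 5000, 80)),
    eth_frame(BROADCAST, MAC_A, 0x0800, ipv4_udp("172.16.1.1", "172.16.1.255", 137, 137)),
]

if __name__ == "__main__":
    with open("example.pcap", "wb") as fh:   # replay with: tcpdump -r example.pcap <filter>
        fh.write(pcap_bytes(SAMPLE_FRAMES))
    for name, pred in [("src 172.16.1.1", src_host("172.16.1.1")),
                       ("dst net 172.16.1.0/24", dst_net("172.16.1.0/24")),
                       ("ip6", ip6), ("portrange 20-100", portrange(20, 100)),
                       ("ether dst FF:FF:FF:FF:FF:FF", ether_dst("FF:FF:FF:FF:FF:FF"))]:
        print(f"{name:28} -> frames {apply_filter(pred, SAMPLE_FRAMES)}")
```

Running the script writes example.pcap and prints which of the four sample frames each filter selects; running the same expressions with `tcpdump -r example.pcap -e ...` should select the same frames, which is a quick way to confirm you have understood a filter before pointing it at a busy interface.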
I hope this helps. What are some of your favorites?
Comments are welcomed below from registered users. You can also leave comments at our Discord server.
If you would like to see more content and articles like this, please support us by clicking the patron link where you will receive free bonus access to courses and more, or simply buying us a cup of coffee!