Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt

Use this file to discover all available pages before exploring further.

Basic Capture

tcpdump -i eth0
tcpdump -i any                       # All interfaces
tcpdump -i eth0 -c 100               # Capture 100 packets
tcpdump -i eth0 -w capture.pcap      # Save to file
tcpdump -r capture.pcap              # Read pcap

Common Flags

FlagDescription
-iInterface
-wWrite to file
-rRead from file
-cPacket count
-nNo DNS resolution
-nnNo DNS + no port names
-vVerbose
-vvMore verbose
-XHex + ASCII
-AASCII only
-qQuiet (less output)
-s 0Full packet capture

Host Filters

tcpdump -i eth0 host 10.10.10.10
tcpdump -i eth0 src host 10.10.10.10
tcpdump -i eth0 dst host 10.10.10.10
tcpdump -i eth0 not host 10.10.10.10

Port Filters

tcpdump -i eth0 port 80
tcpdump -i eth0 src port 443
tcpdump -i eth0 dst port 22
tcpdump -i eth0 portrange 1-1024

Protocol Filters

tcpdump -i eth0 tcp
tcpdump -i eth0 udp
tcpdump -i eth0 icmp
tcpdump -i eth0 arp

Combine Filters

tcpdump -i eth0 host 10.10.10.10 and port 80
tcpdump -i eth0 src 10.10.10.10 and dst port 443
tcpdump -i eth0 'tcp port 80 or tcp port 443'
tcpdump -i eth0 net 10.10.10.0/24
tcpdump -i eth0 'not port 22'        # Exclude SSH

TCP Flags

tcpdump -i eth0 'tcp[tcpflags] & tcp-syn != 0'
tcpdump -i eth0 'tcp[tcpflags] & tcp-rst != 0'
tcpdump -i eth0 'tcp[tcpflags] & tcp-fin != 0'
tcpdump -i eth0 'tcp[tcpflags] == tcp-syn'       # SYN only

Credential Sniffing

HTTP

tcpdump -i eth0 -A -s 0 'tcp port 80' | grep -iE "user|pass|login|auth"

FTP

tcpdump -i eth0 -A -s 0 'tcp port 21' | grep -iE "USER|PASS"

Telnet

tcpdump -i eth0 -A -s 0 'tcp port 23'

Useful Patterns

Save Large Capture (Rotate)

tcpdump -i eth0 -w capture.pcap -C 100 -W 10
# -C 100 = 100MB per file, -W 10 = max 10 files

Background Capture

tcpdump -i eth0 -w capture.pcap &

Capture ICMP (Ping)

tcpdump -i eth0 icmp

DNS Traffic

tcpdump -i eth0 -nn udp port 53

Read & Analyze

tcpdump -r capture.pcap -nn
tcpdump -r capture.pcap host 10.10.10.10
tcpdump -r capture.pcap -A | grep -i password
tcpdump -r capture.pcap -nn | wc -l    # Packet count

Quick Reference

TaskCommand
Capturetcpdump -i eth0 -nn -w out.pcap
Filter hosttcpdump -i eth0 host TARGET
Filter porttcpdump -i eth0 port 80
Read pcaptcpdump -r capture.pcap -nn
Sniff credstcpdump -A -s 0 'tcp port 21'