Basic Capture
Common Flags
| Flag | Description |
|---|---|
-i | Interface |
-w | Write to file |
-r | Read from file |
-c | Packet count |
-n | No DNS resolution |
-nn | No DNS + no port names |
-v | Verbose |
-vv | More verbose |
-X | Hex + ASCII |
-A | ASCII only |
-q | Quiet (less output) |
-s 0 | Full packet capture |
Host Filters
Port Filters
Protocol Filters
Combine Filters
TCP Flags
Credential Sniffing
HTTP
FTP
Telnet
Useful Patterns
Save Large Capture (Rotate)
Background Capture
Capture ICMP (Ping)
DNS Traffic
Read & Analyze
Quick Reference
| Task | Command |
|---|---|
| Capture | tcpdump -i eth0 -nn -w out.pcap |
| Filter host | tcpdump -i eth0 host TARGET |
| Filter port | tcpdump -i eth0 port 80 |
| Read pcap | tcpdump -r capture.pcap -nn |
| Sniff creds | tcpdump -A -s 0 'tcp port 21' |