> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# tcpdump

> tcpdump packet capture: filters, common flags, pcap save, and traffic analysis from the command line.

## Basic Capture

```bash theme={"dark"}
tcpdump -i eth0
tcpdump -i any                       # All interfaces
tcpdump -i eth0 -c 100               # Capture 100 packets
tcpdump -i eth0 -w capture.pcap      # Save to file
tcpdump -r capture.pcap              # Read pcap
```

***

## Common Flags

| Flag   | Description            |
| ------ | ---------------------- |
| `-i`   | Interface              |
| `-w`   | Write to file          |
| `-r`   | Read from file         |
| `-c`   | Packet count           |
| `-n`   | No DNS resolution      |
| `-nn`  | No DNS + no port names |
| `-v`   | Verbose                |
| `-vv`  | More verbose           |
| `-X`   | Hex + ASCII            |
| `-A`   | ASCII only             |
| `-q`   | Quiet (less output)    |
| `-s 0` | Full packet capture    |

***

## Host Filters

```bash theme={"dark"}
tcpdump -i eth0 host 10.10.10.10
tcpdump -i eth0 src host 10.10.10.10
tcpdump -i eth0 dst host 10.10.10.10
tcpdump -i eth0 not host 10.10.10.10
```

***

## Port Filters

```bash theme={"dark"}
tcpdump -i eth0 port 80
tcpdump -i eth0 src port 443
tcpdump -i eth0 dst port 22
tcpdump -i eth0 portrange 1-1024
```

***

## Protocol Filters

```bash theme={"dark"}
tcpdump -i eth0 tcp
tcpdump -i eth0 udp
tcpdump -i eth0 icmp
tcpdump -i eth0 arp
```

***

## Combine Filters

```bash theme={"dark"}
tcpdump -i eth0 host 10.10.10.10 and port 80
tcpdump -i eth0 src 10.10.10.10 and dst port 443
tcpdump -i eth0 'tcp port 80 or tcp port 443'
tcpdump -i eth0 net 10.10.10.0/24
tcpdump -i eth0 'not port 22'        # Exclude SSH
```

***

## TCP Flags

```bash theme={"dark"}
tcpdump -i eth0 'tcp[tcpflags] & tcp-syn != 0'
tcpdump -i eth0 'tcp[tcpflags] & tcp-rst != 0'
tcpdump -i eth0 'tcp[tcpflags] & tcp-fin != 0'
tcpdump -i eth0 'tcp[tcpflags] == tcp-syn'       # SYN only
```

***

## Credential Sniffing

### HTTP

```bash theme={"dark"}
tcpdump -i eth0 -A -s 0 'tcp port 80' | grep -iE "user|pass|login|auth"
```

### FTP

```bash theme={"dark"}
tcpdump -i eth0 -A -s 0 'tcp port 21' | grep -iE "USER|PASS"
```

### Telnet

```bash theme={"dark"}
tcpdump -i eth0 -A -s 0 'tcp port 23'
```

***

## Useful Patterns

### Save Large Capture (Rotate)

```bash theme={"dark"}
tcpdump -i eth0 -w capture.pcap -C 100 -W 10
# -C 100 = 100MB per file, -W 10 = max 10 files
```

### Background Capture

```bash theme={"dark"}
tcpdump -i eth0 -w capture.pcap &
```

### Capture ICMP (Ping)

```bash theme={"dark"}
tcpdump -i eth0 icmp
```

### DNS Traffic

```bash theme={"dark"}
tcpdump -i eth0 -nn udp port 53
```

***

## Read & Analyze

```bash theme={"dark"}
tcpdump -r capture.pcap -nn
tcpdump -r capture.pcap host 10.10.10.10
tcpdump -r capture.pcap -A | grep -i password
tcpdump -r capture.pcap -nn | wc -l    # Packet count
```

***

## Quick Reference

| Task        | Command                           |
| ----------- | --------------------------------- |
| Capture     | `tcpdump -i eth0 -nn -w out.pcap` |
| Filter host | `tcpdump -i eth0 host TARGET`     |
| Filter port | `tcpdump -i eth0 port 80`         |
| Read pcap   | `tcpdump -r capture.pcap -nn`     |
| Sniff creds | `tcpdump -A -s 0 'tcp port 21'`   |
