TCPDump is a packet analyzer. It allows the user to intercept and display TCP/IP and other packets being transmitted or received over a network.
The following cheatsheet goes over a few common tcpdump commands. For more advanced commands you need to consult the official man pages.
# List available network interfaces:
tcpdump -D
# Intercepts all packets on eth0
tcpdump -i eth0
# Intercepts all packets from/to 220.127.116.11
tcpdump host 220.127.116.11
# Capture all TCP traffic showing contents (ASCII) in console:
tcpdump -A tcp
# Capture the traffic from or to a host:
tcpdump host www.example.com
# Capture the traffic from a specific interface, source, destination and destination port:
tcpdump -i eth0 src 192.168.1.1 and dst 192.168.1.2 and dst port 80
# Capture the traffic of a network:
tcpdump net 192.168.1.0/24
# Capture all traffic except traffic over port 22 and save to a dump file:
tcpdump -w dumpfile.pcap port not 22
# Read from a given dump file:
tcpdump -r dumpfile.pcap
# Intercepts all packets on all interfaces from / to 22.214.171.124 on port 80
# -nn => Disables name resolution for IP addresses and port numbers.
tcpdump -nn -i any host 22.214.171.124 and port 80
# Grep the output of tcpdump (ASCII)
# -A => Print the packet contents as ASCII.
# -s0 => Capture whole packets; by default, tcpdump only captures the first 68 bytes of each.
tcpdump -i any -A -s0 host 126.96.36.199 and port 80 | grep 'User-Agent'
# With ngrep
# -d eth0 => Force eth0 (otherwise ngrep works on all interfaces)
# -s0 => Force ngrep to look at the entire packet (default snaplen: 65536 bytes)
ngrep -d eth0 -s0 'User-Agent' host 188.8.131.52 and port 80
# Intercepts all packets on all interfaces from / to 18.104.22.168 or 22.214.171.124 on port 80
tcpdump -i any 'host ( 18.104.22.168 or 22.214.171.124 ) and port 80'
# Intercepts the SYN and FIN packets of each TCP session (start and end of every connection).
tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0'
# To display the SYN and FIN packets of each TCP session involving a host that is not on our network
# (local_addr is a placeholder: replace it with the local network, e.g. 192.168.1.0/24)
tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net local_addr'
# To display all IPv4 HTTP packets to or from port 80 that actually carry data
# (i.e. exclude SYN, FIN and ACK-only packets). ip[0]&0xf is the IP header length
# in 32-bit words, tcp[12]&0xf0 the TCP data offset; the expression is total length
# minus both header lengths, which is the payload length.
tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
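To make the two byte-offset filters above concrete, here is an added example (not part of the original cheatsheet) that evaluates the same arithmetic in Python over constructed IPv4/TCP packets: the SYN/FIN flag test on tcp[13] and the payload-length test used by the "data-only HTTP" filter. The packet builder, addresses and ports are made up for the demonstration; it also checks the edge case where TCP or IP options enlarge a header, which the filter handles because it reads the length fields rather than assuming 20-byte headers.

```python
import struct

# TCP flag bits as tcpdump names them (tcp-fin, tcp-syn, tcp-psh, tcp-ack).
TCP_FIN, TCP_SYN, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x08, 0x10


def build_ipv4_tcp(flags, payload=b"", ip_hdr_len=20, tcp_hdr_len=20):
    """Constructed sample packet: IPv4 + TCP (no Ethernet header).

    ip_hdr_len / tcp_hdr_len > 20 pad the headers with zeroed options so the
    length fields (IHL, data offset) differ from the minimum.
    """
    total_len = ip_hdr_len + tcp_hdr_len + len(payload)
    version_ihl = 0x40 | (ip_hdr_len // 4)          # version 4, IHL in 32-bit words
    ip_hdr = struct.pack("!BBHHHBBH4s4s", version_ihl, 0, total_len, 0, 0, 64, 6, 0,
                         bytes([192, 168, 1, 1]), bytes([192, 168, 1, 2]))
    ip_hdr += b"\x00" * (ip_hdr_len - 20)            # IP options (constructed padding)
    data_offset = (tcp_hdr_len // 4) << 4            # upper nibble of tcp[12]
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, data_offset, flags, 65535, 0, 0)
    tcp_hdr += b"\x00" * (tcp_hdr_len - 20)          # TCP options (constructed padding)
    return ip_hdr + tcp_hdr + payload


def ip_header_len(pkt):
    # tcpdump: (ip[0]&0xf)<<2  -> IHL words to bytes
    return (pkt[0] & 0x0F) << 2


def has_syn_or_fin(pkt):
    # tcpdump: tcp[tcpflags] & (tcp-syn|tcp-fin) != 0   (tcpflags is tcp[13])
    tcp = ip_header_len(pkt)
    return (pkt[tcp + 13] & (TCP_SYN | TCP_FIN)) != 0


def payload_length(pkt):
    # tcpdump: (ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)
    total_len = struct.unpack("!H", pkt[2:4])[0]     # ip[2:2]
    tcp = ip_header_len(pkt)
    tcp_hdr_len = (pkt[tcp + 12] & 0xF0) >> 2        # data offset words to bytes
    return total_len - tcp - tcp_hdr_len


def matches_http_data_filter(pkt):
    """Full expression: tcp port 80 and payload_length != 0."""
    if pkt[9] != 6:                                  # ip[9] is the protocol field; 6 = TCP
        return False
    tcp = ip_header_len(pkt)
    sport, dport = struct.unpack("!HH", pkt[tcp:tcp + 4])
    return 80 in (sport, dport) and payload_length(pkt) != 0


if __name__ == "__main__":
    samples = {
        "SYN":            build_ipv4_tcp(TCP_SYN),
        "SYN+options":    build_ipv4_tcp(TCP_SYN, tcp_hdr_len=24),
        "ACK only":       build_ipv4_tcp(TCP_ACK),
        "PSH+ACK data":   build_ipv4_tcp(TCP_ACK | TCP_PSH, b"GET / HTTP/1.1\r\n"),
        "data+IP opts":   build_ipv4_tcp(TCP_ACK | TCP_PSH, b"x", ip_hdr_len=24),
        "FIN+ACK":        build_ipv4_tcp(TCP_ACK | TCP_FIN),
    }
    for name, pkt in samples.items():
        print(f"{name:14} syn/fin={has_syn_or_fin(pkt)!s:5} "
              f"payload={payload_length(pkt):3} http-data={matches_http_data_filter(pkt)}")
```

The option cases are the reason the cheatsheet's filter shifts the header-length nibbles instead of hard-coding 20 and 40: a SYN carrying MSS/SACK options has a 24-byte or longer TCP header and still evaluates to zero payload, so it is correctly excluded.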
# Saving captured data
tcpdump -w file.cap
# Reading from capture file
tcpdump -r file.cap
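The -w / -r pair above reads and writes the classic pcap format. As an added example (not from the original cheatsheet), the following Python writes a minimal pcap file containing a constructed IPv4/TCP packet, reads it back, and shows how a small snapshot length (the -s option; the cheatsheet notes the old 68-byte default) is recorded in the file as incl_len < orig_len, which is why a grep for User-Agent can miss headers in a truncated capture. The packet contents, addresses, timestamp and the 68-byte snaplen are made up for the demonstration.

```python
import os
import struct
import tempfile

# pcap link-layer type 101 (LINKTYPE_RAW): records start directly at the IP header.
LINKTYPE_RAW = 101
PCAP_MAGIC = 0xA1B2C3D4


def sample_packet(payload):
    """Constructed IPv4 + TCP packet (20-byte headers, src port 40000 -> dst port 80)."""
    total_len = 40 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                         b"\xc0\xa8\x01\x01", b"\xc0\xa8\x01\x02")
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 0x50, 0x18, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload


def write_pcap(path, packets, snaplen=65535):
    """packets: iterable of (timestamp_seconds, raw_bytes). Mirrors tcpdump -w with -s snaplen."""
    with open(path, "wb") as f:
        # Global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype.
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_RAW))
        for ts, pkt in packets:
            stored = pkt[:snaplen]                   # snaplen truncates what is saved
            sec = int(ts)
            usec = int((ts - sec) * 1_000_000)
            # Record header: ts_sec, ts_usec, incl_len (stored), orig_len (on the wire).
            f.write(struct.pack("<IIII", sec, usec, len(stored), len(pkt)))
            f.write(stored)


def read_pcap(path):
    """Return (linktype, snaplen, [(timestamp, orig_len, data), ...]). Mirrors tcpdump -r."""
    with open(path, "rb") as f:
        magic = f.read(4)
        if magic == b"\xd4\xc3\xb2\xa1":
            endian = "<"                             # written on a little-endian host
        elif magic == b"\xa1\xb2\xc3\xd4":
            endian = ">"
        else:
            raise ValueError("not a classic pcap file")
        _major, _minor, _tz, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", f.read(20))
        records = []
        while True:
            hdr = f.read(16)
            if len(hdr) < 16:                        # clean end of file
                break
            sec, usec, incl_len, orig_len = struct.unpack(endian + "IIII", hdr)
            data = f.read(incl_len)
            if len(data) < incl_len:
                raise ValueError("truncated record (capture cut short?)")
            records.append((sec + usec / 1_000_000, orig_len, data))
    return linktype, snaplen, records


def roundtrip_demo():
    """Write the same packet with full and 68-byte snaplen and compare what survives."""
    pkt = sample_packet(b"GET /index.html HTTP/1.1\r\n"
                        b"Host: www.example.com\r\n"
                        b"User-Agent: constructed-sample\r\n\r\n")
    with tempfile.TemporaryDirectory() as d:
        full_path = os.path.join(d, "full.pcap")
        short_path = os.path.join(d, "short.pcap")
        write_pcap(full_path, [(1_700_000_000.25, pkt)])
        write_pcap(short_path, [(1_700_000_000.25, pkt)], snaplen=68)
        _, _, full_recs = read_pcap(full_path)
        _, short_snap, short_recs = read_pcap(short_path)
    return {
        "full_len": len(full_recs[0][2]),
        "short_snaplen": short_snap,
        "orig_len": short_recs[0][1],
        "stored_len": len(short_recs[0][2]),
        "ua_in_full": b"User-Agent" in full_recs[0][2],
        "ua_in_short": b"User-Agent" in short_recs[0][2],
    }


if __name__ == "__main__":
    for key, value in roundtrip_demo().items():
        print(f"{key:14} {value}")
```

A file produced by write_pcap can be opened with tcpdump -r as in the cheatsheet; the User-Agent header sits past byte 68 of the packet, so the short capture keeps the orig_len of 123 in its record header but stores only 68 bytes, and the string is simply absent from the data.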
# Show packet contents in hex
# Change -x to -xx => also show the link-level (Ethernet) header.
tcpdump -x
# Show packet contents in hex and ASCII
# Change -X to -XX => also show the link-level (Ethernet) header.
tcpdump -X
# Note on packet matching:
# Port matching:
# - portrange 22-23
# - not port 22
# - port ssh
# - dst port 22
# - src port 22
# Host matching:
# - dst host 126.96.36.199
# - not dst host 188.8.131.52
# - src net 184.108.40.206 mask 255.255.255.0
# - src net 220.127.116.11/24