
Tcpdump & Wireshark Cheat Sheet

A practical, copy-paste friendly network traffic analysis guide for Linux engineers, SOC analysts, Network specialists, and SREs.

Table of Contents

Part 1 — Basics (For Everyone)

  • Basic Tcpdump Usage
  • Interface Management (-i, -D)
  • Host & Network Filtering (IP and Subnet)
  • Port & Protocol Basics (Service Filtering)
  • Read & Write to Files (-w, -r)
  • Output Control & Speed (-n, -N, -t)
  • Basic Troubleshooting Flow
  • Security Best Practices

Part 2 — Advanced Options & Analysis (Beginner → Advanced)

  • Logical Operators (AND, OR, NOT)
  • Packet Content Inspection (-A, -X, -XX)
  • Verbosity & Snapshot Length (-v, -s)
  • Directional Filtering (Inbound vs Outbound)
  • Advanced TCP Flag Filtering (SYN, ACK, RST, FIN)
  • Wireshark Display Filters (GUI Analysis)
  • Performance & Traffic Analysis (Latency & Errors)
  • Security & Vulnerability Detection
  • Protocol Specific Filters (HTTP, DNS, ICMP)
  • Automation & Integration

Part 1 — Basics (For Everyone)

This section covers essential commands for those new to traffic monitoring or engineers needing to diagnose a connection issue quickly.

1. Basic Tcpdump Usage

In its simplest form, tcpdump prints a one-line summary of every packet seen on a network interface to the terminal.

tcpdump
# Captures on the first configured non-loopback interface libpcap finds; pass -i to be explicit.
# To stop: CTRL + C

2. Interface Management

Choosing which door to listen to is the first step.

tcpdump -D
# Lists all available network interfaces (eth0, wlan0, lo, etc.).
tcpdump -i eth0
# Monitors traffic only on the eth0 interface.
tcpdump -i any
# Listens on all active interfaces at once (Linux only). The kernel hands over "cooked" frames,
# so real Ethernet headers are not shown, and recent versions prefix each line with the interface name.

3. Host & Network Filtering

Reduce the noise; focus only on the specific target you are investigating.

tcpdump host 192.168.1.50
# All incoming and outgoing traffic for this specific IP.
tcpdump src 1.1.1.1
# Only packets coming FROM this source IP.
tcpdump dst 8.8.8.8
# Only packets going TO this destination IP.
tcpdump net 10.0.0.0/24
# Monitors an entire subnet block.

4. Port & Protocol Basics

If you know which service (Web, DNS, SSH) is acting up:

tcpdump port 80
# HTTP traffic only.
tcpdump port 443
# HTTPS (SSL/TLS) traffic only.
tcpdump icmp
# Shows only Ping/ICMP packets.
tcpdump udp
# Shows only UDP (connectionless) traffic.

5. Read & Write to Files

Reading live traffic in a busy terminal is hard; save it for deep analysis.

tcpdump -w monitor.pcap
# Captures traffic and writes it to a file (Compatible with Wireshark).
tcpdump -r monitor.pcap
# Reads a previously saved pcap file in the terminal.

6. Output Control & Speed

By default, tcpdump resolves IP addresses to hostnames, which slows the output and, worse, generates reverse-DNS queries of its own that can show up in the capture you are reading.

tcpdump -n
# Do not resolve IP addresses to names (e.g., 8.8.8.8 instead of dns.google). Faster and quieter.
tcpdump -nn
# Also show ports and protocols numerically (e.g., 80 instead of http). The cleanest output.
tcpdump -t
# Hide the timestamp at the beginning of each line (use -tttt for a date and wall-clock time instead).

7. Basic Troubleshooting Flow

Is my internet down? or Is the server responding? Use these for a quick check:

tcpdump -i any icmp
# Check if ping packets are going out and coming back in real-time.
tcpdump -ni eth0 port 80 or port 443
# Instantly see if web traffic is reaching your server.

8. Security Best Practices

  • Root Privileges: Opening a capture interface needs root (or the CAP_NET_RAW and CAP_NET_ADMIN capabilities). Many distributions build tcpdump to drop privileges once the capture is open (see the -Z option), so a -w path must be writable by that unprivileged user or you get "Permission denied".
  • Avoid Overload: Monitoring everything (-i any with no filter) on high-traffic servers burns CPU and fills disks quickly. Always narrow the capture filter and bound the capture with -c, or rotate files with -C (size) or -G (time).
  • Sensitive Data: Unencrypted protocols (HTTP, FTP, Telnet) expose user data such as passwords in plain text on your screen, and the same data lands in any pcap you save. Restrict permissions on capture files and delete them when the investigation is over.

Part 2 — Advanced Options & Analysis (Beginner → Advanced)

In this section, we move beyond simple monitoring to reading packet contents, building complex filters, and detecting network vulnerabilities.

9. Logical Operators

Combine multiple filters for surgical precision.

tcpdump 'src 192.168.1.5 and port 80'
# Traffic FROM a specific IP AND going to port 80.
tcpdump 'host 1.1.1.1 or host 8.8.8.8'
# Traffic related to either of these two IP addresses.
tcpdump 'port 80 and not host 10.0.0.5'
# HTTP traffic involving any host EXCEPT 10.0.0.5 (packets where it is source or destination are dropped).

10. Packet Content Inspection

Don’t just see where it’s going; see what is inside.

tcpdump -A -i eth0
# Show packet content in ASCII (text). Ideal for reading HTTP headers.
tcpdump -X -i eth0
# Show content in both HEX and ASCII.
tcpdump -XX -i eth0
# Detailed HEX/ASCII dump, including Ethernet headers.

11. Verbosity & Snapshot Length

Default outputs might sometimes be insufficient.

tcpdump -vvv
# Highest level of detail (TTL, ID, Flags, Sequence Numbers).
tcpdump -s 0
# Capture the full packet. Current versions already default to a 262144-byte snapshot; older ones truncated at 68 or 96 bytes, cutting off payloads (and -A/-X output).
# Conversely, a small value such as -s 128 keeps only the headers when disk space is tight.

12. Directional Filtering

Clarify whether traffic is flowing in or out.

tcpdump -i eth0 -Q in
# Only INBOUND packets entering the interface.
tcpdump -i eth0 -Q out
# Only OUTBOUND packets leaving the interface.

13. Advanced TCP Flag Filtering

These filters test individual bits of the TCP flags byte (tcp[13], aliased as tcp[tcpflags]) and are the quickest way to diagnose handshake failures.

tcpdump 'tcp[tcpflags] & (tcp-syn) != 0'
# Every packet with SYN set: new connection requests and the SYN/ACK replies to them.
tcpdump 'tcp[tcpflags] & (tcp-rst) != 0'
# Catch sudden connection resets (RST): a closed port, a firewall reject, or an application tearing down a session.
tcpdump 'tcp[tcpflags] & (tcp-fin) != 0'
# Monitor orderly connection closes (FIN).
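The filters above are bit tests on a single byte of the TCP header, which is why they can be combined freely. The following Python block is an added example (not part of the original cheat sheet): it constructs a minimal IPv4+TCP packet in memory (sample data, no network access needed) and applies the same tests the tcpdump expressions perform, including the exact-match `tcp[tcpflags] == 2` form used later in the sheet for SYN-scan spotting. It also shows the one case that form misses: an ECN-capable client's SYN carries the ECE and CWR bits, so the byte is 0xC2, not 0x02, and only the masked test `tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn` still matches it.

```python
"""Decode tcp[tcpflags] the way the tcpdump filters in this section do.

Added example, not part of the original cheat sheet. It constructs a minimal
IPv4 + TCP packet in memory (sample data, no network access) and applies the
same bit tests as the tcpdump filters. tcp[tcpflags] is an alias for tcp[13]:
the flags byte at offset 13 of the TCP header.
"""
import struct

# Bit values of the TCP flags byte (tcpdump's tcp-fin, tcp-syn, ... keywords).
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH = 0x01, 0x02, 0x04, 0x08
TCP_ACK, TCP_URG, TCP_ECE, TCP_CWR = 0x10, 0x20, 0x40, 0x80
# Letters in the order tcpdump prints them; ACK is shown as "."
FLAG_LETTERS = (("F", TCP_FIN), ("S", TCP_SYN), ("R", TCP_RST), ("P", TCP_PSH),
                (".", TCP_ACK), ("U", TCP_URG), ("E", TCP_ECE), ("W", TCP_CWR))


def build_ipv4_tcp(src_port: int, dst_port: int, flags: int) -> bytes:
    """Constructed sample packet: 20-byte IPv4 header + 20-byte TCP header, no payload.
    Checksums are left at zero; tcpdump's flag filters never look at them."""
    ip_header = struct.pack("!BBHHHBBH4s4s",
                            0x45, 0, 40, 0x1234, 0, 64, 6, 0,
                            bytes([10, 0, 0, 5]), bytes([10, 0, 0, 80]))
    data_offset = 5 << 4  # TCP header length: 5 x 32-bit words, no options
    tcp_header = struct.pack("!HHIIBBHHH", src_port, dst_port, 1000, 0,
                             data_offset, flags, 65535, 0, 0)
    return ip_header + tcp_header


def tcp_flags(packet: bytes) -> int:
    """Return tcp[13]. Like tcpdump, honour the IP header length (IHL) so the
    TCP offset is right even when IP options are present."""
    if packet[9] != 6:
        raise ValueError("not a TCP packet")
    ihl = (packet[0] & 0x0F) * 4
    return packet[ihl + 13]


def flags_to_letters(flags: int) -> str:
    """Render the byte the way tcpdump prints it, e.g. 'S.' for SYN/ACK, 'none' if empty."""
    return "".join(l for l, bit in FLAG_LETTERS if flags & bit) or "none"


# The tcpdump filter expressions as Python predicates (Python's & binds tighter than == / !=).
def syn_any(p): return tcp_flags(p) & TCP_SYN != 0          # tcp[tcpflags] & (tcp-syn) != 0
def rst_any(p): return tcp_flags(p) & TCP_RST != 0          # tcp[tcpflags] & (tcp-rst) != 0
def fin_any(p): return tcp_flags(p) & TCP_FIN != 0          # tcp[tcpflags] & (tcp-fin) != 0
def syn_only(p): return tcp_flags(p) == TCP_SYN             # tcp[tcpflags] == 2
def syn_without_ack(p):                                     # tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn
    return tcp_flags(p) & (TCP_SYN | TCP_ACK) == TCP_SYN


SAMPLES = {  # constructed packets covering one connection's life cycle
    "client SYN":     build_ipv4_tcp(40000, 80, TCP_SYN),
    "ECN client SYN": build_ipv4_tcp(40001, 80, TCP_SYN | TCP_ECE | TCP_CWR),
    "server SYN/ACK": build_ipv4_tcp(80, 40000, TCP_SYN | TCP_ACK),
    "data":           build_ipv4_tcp(40000, 80, TCP_PSH | TCP_ACK),
    "reset":          build_ipv4_tcp(80, 40000, TCP_RST | TCP_ACK),
    "close":          build_ipv4_tcp(40000, 80, TCP_FIN | TCP_ACK),
}


def evaluate(samples=SAMPLES):
    """Run every filter over every sample; returns {sample name: {filter name: bool}}."""
    filters = {"syn_any": syn_any, "rst_any": rst_any, "fin_any": fin_any,
               "syn_only": syn_only, "syn_without_ack": syn_without_ack}
    return {name: {f: fn(pkt) for f, fn in filters.items()} for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, verdicts in evaluate().items():
        letters = flags_to_letters(tcp_flags(SAMPLES[name]))
        hits = ", ".join(f for f, ok in verdicts.items() if ok) or "-"
        print(f"{name:15} Flags [{letters:4}] matches: {hits}")
```

Running it shows "server SYN/ACK" matching syn_any but not syn_only, and "ECN client SYN" matching syn_without_ack but not syn_only. When the goal is "client-initiated connections", prefer the masked form over `== 2`.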

14. Wireshark Display Filters (GUI Analysis)

Lifesaving filters when analyzing a capture in the Wireshark GUI:

  • IP Filter: ip.addr == 10.0.0.1
  • HTTP POST (Data Submission): http.request.method == "POST"
  • Retransmission (Error): tcp.analysis.retransmission
  • Handshake packets: tcp.flags.syn == 1 (matches the SYN and the SYN/ACK of every handshake; the final ACK carries no SYN bit and is not shown)

15. Performance & Traffic Analysis

tcpdump itself does not compute latency or detect retransmissions; its job here is to capture the right packets and hand them to a tool that does (Wireshark's tcp.analysis.* filters, or tshark):

tcpdump -U -w - 'port 443' | tshark -r -
# Stream the capture through a pipe to another analyser. -U flushes each packet to the pipe immediately; without it the reader sees nothing until tcpdump's output buffer fills.
tcpdump -c 500
# Capture exactly 500 packets and stop automatically.

16. Security & Vulnerability Detection

Spot suspicious activity directly from the terminal.

tcpdump 'tcp[tcpflags] == 2'
# Packets with only the SYN bit set: the probe a SYN (half-open) scan sends. Every legitimate connection starts the same way, so the signal is one source hitting many ports in a short time, not any single packet.
# ECN-capable clients set the ECE and CWR bits on their SYN (byte value 0xC2), which this exact-match filter misses.
tcpdump port 23
# Telnet traffic (to prove passwords are sent in plain text).

17. Protocol Specific Filters

tcpdump udp port 53
# DNS queries and responses over UDP (zone transfers and large responses fall back to TCP 53).
tcpdump 'icmp[0] == 8'
# ICMP type 8 = Echo Request, in either direction (type 0 is the Echo Reply). icmp[icmptype] is a readable alias for icmp[0].

18. Automation & Integration

When writing scripts or collecting logs:

tcpdump -l
# Line-buffer stdout so each packet summary is flushed as soon as it is printed. Required when piping into grep, awk or a script; otherwise output arrives in buffered chunks and your pipeline appears to hang.
tcpdump -i eth0 -U -w live.pcap
# With -w, -U ("packet-buffered") writes each packet to the file as soon as it is captured instead of when the buffer fills, so readers following the file or a pipe see it immediately.
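The two sections above go together: the SYN-scan filter in section 16 tells you which packets to look at, and -l is what lets a script consume them as they arrive. The following is an added example, not part of the original cheat sheet: a small Python detector that reads `tcpdump -nn -l -tt` summary lines and alerts when one source sends bare SYNs to many distinct (host, port) targets inside a short window. The sample lines are constructed to look like tcpdump output, and the script name, the 10-targets-in-5-seconds threshold and the interface name are arbitrary choices.

```python
"""SYN-scan detector fed from tcpdump's line output.

Added example, not part of the original cheat sheet. Run it behind a
line-buffered, pre-filtered capture (interface and script name are assumptions):

    sudo tcpdump -nn -l -tt -i eth0 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn' | python3 syn_scan.py

The capture filter keeps the kernel from even copying non-SYN packets to us;
the script only has to correlate what is left. SAMPLE_LINES below are
constructed to mimic `tcpdump -nn -tt` output and are not a real capture.
"""
import collections
import re
import sys

# tcpdump's one-line IPv4 TCP summary: "<epoch.usec> IP a.b.c.d.port > e.f.g.h.port: Flags [..], ..."
TCP_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_tcpdump_line(line):
    """Return a dict for a TCP summary line, or None for ICMP/ARP/other lines."""
    m = TCP_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec


def detect_syn_scans(lines, threshold=10, window_s=5.0):
    """Return {src_ip: peak_distinct_targets} for sources whose bare SYNs
    (SYN set, ACK clear; ECN bits tolerated) reached >= threshold distinct
    (dst, port) pairs within any window_s-second window.

    Distinct targets, not packets, are counted: a browser opening twenty
    connections to one web server stays at a count of one."""
    events = collections.defaultdict(list)
    for line in lines:
        rec = parse_tcpdump_line(line)
        if rec is None:
            continue
        flags = rec["flags"]
        if "S" not in flags or "." in flags:   # skip SYN/ACK ('S.'), data, FIN, RST...
            continue
        events[rec["src"]].append((rec["ts"], (rec["dst"], rec["dport"])))

    alerts = {}
    for src, evs in events.items():
        evs.sort()
        in_window = collections.Counter()
        start, peak = 0, 0
        for ts, target in evs:
            in_window[target] += 1
            while ts - evs[start][0] > window_s:      # slide the window forward
                old = evs[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


SAMPLE_LINES = [  # constructed: one normal HTTPS handshake, one ping, then a 12-port scan
    "1700000000.000100 IP 10.0.0.5.51000 > 10.0.0.80.443: Flags [S], seq 1, win 64240, length 0",
    "1700000000.000900 IP 10.0.0.80.443 > 10.0.0.5.51000: Flags [S.], seq 2, ack 2, win 65160, length 0",
    "1700000000.001200 IP 10.0.0.5.51000 > 10.0.0.80.443: Flags [.], ack 1, win 502, length 0",
    "1700000001.000000 IP 10.0.0.5 > 10.0.0.80: ICMP echo request, id 1, seq 1, length 64",
] + [
    f"1700000002.{i:06d} IP 192.0.2.10.{40000 + i} > 10.0.0.80.{port}: Flags [S], seq 0, win 1024, length 0"
    for i, port in enumerate((21, 22, 23, 25, 53, 80, 110, 139, 143, 443, 445, 3389))
]


if __name__ == "__main__":
    source = SAMPLE_LINES if sys.stdin.isatty() else sys.stdin
    for src, n in detect_syn_scans(source).items():
        print(f"ALERT possible SYN scan from {src}: {n} distinct targets within 5s")
```

On the sample data this reports 192.0.2.10 with 12 targets and stays silent about 10.0.0.5, whose single SYN is ordinary client behaviour. The detector evaluates after the input ends (Ctrl-C on tcpdump, or `-c N`), which is fine for batch review; a continuously running version would emit the alert inside the loop the moment the window's count crosses the threshold.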

Golden Rule

If you can't solve a network problem, go back to the layers. Tcpdump shows you what is happening at layers 2, 3, and 4 as the kernel saw it; it doesn't lie, but it does capture before NIC offloading runs on the way out, so outbound packets can appear as oversized segments with "incorrect" checksums that the hardware fixes up after the capture point.

Tcpdump & Wireshark are more than just tools to see packets — they are X-ray machines for your network. When you understand the basics, you can answer Why is the internet slow? or Why are packets not arriving? in seconds. When you master the options, you can detect cyber attacks, solve complex connection issues, and manage your systems with total confidence.

Save this cheat sheet or keep it pinned to a corner of your terminal; it will be your first guide whenever things get messy on the wire. Because packets never lie.