Show the list of available interfaces
Listen on the eth1/any interface
Don’t resolve hostnames
Don’t resolve hostnames or port names
Show the packet’s contents in both hex and ASCII
Same as -X, but also shows the Ethernet header
Increase the amount of packet information you get back
Only get x number of packets and then stop
Only get ICMP packets
Define the snaplength (size) of the capture in bytes. Use <code>-s0</code> to get everything, unless you are intentionally capturing less
Print absolute sequence numbers
Decrypt IPSEC traffic by providing an encryption key
<code>tcpdump -nS</code>
<code>tcpdump -nnvvS</code>
<code>tcpdump -nnvvXS</code>
<code>tcpdump -nnvvXSs 1514</code>
<code>tcpdump net 1.2.3.0/24</code>
<code>tcpdump portrange 21-23</code>
Only see packets below or above a certain size (in bytes)
1. Write captured packets to a file
<code>tcpdump -s 1514 port 80 -w http.cap</code>
2. Read from a file
<code>tcpdump -r capture_file</code>

Logical Combination
1. <code>and</code> or <code>&&</code>
2. <code>or</code> or <code>||</code>
3. <code>not</code> or <code>!</code>
4. Grouping. Quote the whole expression, otherwise the shell interprets the parentheses before tcpdump ever sees them.
Correct: <code>tcpdump 'src 10.0.2.4 and (dst port 3389 or 22)'</code>
Incorrect: <code>tcpdump src 10.0.2.4 and (dst port 3389 or 22)</code>

Hacking into bytes (<code>tcp[13]</code> is the TCP flags byte, counted from the start of the TCP header)
1. Show me all URGENT (URG) packets
<code>tcpdump 'tcp[13] & 32!=0'</code>
2. Show me all ACKNOWLEDGE (ACK) packets
<code>tcpdump 'tcp[13] & 16!=0'</code>
3. Show me all PUSH (PSH) packets
<code>tcpdump 'tcp[13] & 8!=0'</code>
4. Show me all RESET (RST) packets
<code>tcpdump 'tcp[13] & 4!=0'</code>
5. Show me all SYNCHRONIZE (SYN) packets
<code>tcpdump 'tcp[13] & 2!=0'</code>
6. Show me all FINISH (FIN) packets
<code>tcpdump 'tcp[13] & 1!=0'</code>
7. Show me all SYNCHRONIZE/ACKNOWLEDGE (SYN/ACK) packets
<code>tcpdump 'tcp[13]=18'</code>
8. IPv6 traffic
<code>tcpdump ip6</code>
9. Packets with both the RST and SYN flags set
<code>tcpdump 'tcp[13] = 6'</code>
10. Traffic with the ‘Evil Bit’ set (the reserved high bit of the IP flags byte)
<code>tcpdump 'ip[6] & 128 != 0'</code>
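To see what the byte-offset filters above actually test, here is an added Python example (not part of the original cheat sheet, and not tcpdump's own code) that builds a few constructed IPv4/TCP headers and evaluates the page's <code>tcp[13]</code> and <code>ip[6]</code> expressions over them the way BPF does. The helper names <code>build_ipv4_tcp</code>, <code>tcp_byte</code>, <code>ip_byte</code> and <code>matching_filters</code> are assumptions made for this example; addresses, ports and checksums in the packets are constructed placeholders.

```python
import struct

# TCP flag bits in byte 13 of the TCP header: the masks the page's
# 'tcp[13] & N != 0' filters use.
URG, ACK, PSH, RST, SYN, FIN = 32, 16, 8, 4, 2, 1
# The 'Evil Bit' (RFC 3514) is the reserved high bit of ip[6], the first
# byte of the IPv4 flags/fragment-offset field.
EVIL_BIT = 128
DF = 0x40


def build_ipv4_tcp(flags, src_port=40000, dst_port=80, evil=False, ihl=5):
    """Construct a minimal IPv4 header (ihl words, options zero-padded)
    followed by a 20-byte TCP header. Addresses, ports and checksums are
    constructed placeholders; only the byte layout matters here."""
    ip_hdr = struct.pack(
        "!BBHHBBBBH4s4s",
        (4 << 4) | ihl,                  # version 4, header length in 32-bit words
        0,                               # DSCP/ECN
        4 * ihl + 20,                    # total length
        0x1234,                          # identification (constructed)
        (EVIL_BIT if evil else 0) | DF,  # ip[6]: reserved bit, DF, MF, frag-offset high bits
        0,                               # ip[7]: fragment offset low byte
        64,                              # TTL
        6,                               # protocol = TCP
        0,                               # header checksum (not computed)
        bytes([10, 0, 2, 4]),            # source 10.0.2.4 (constructed)
        bytes([10, 0, 2, 1]),            # destination 10.0.2.1 (constructed)
    )
    ip_hdr += b"\x00" * (4 * (ihl - 5))  # zero-filled IP options, if any
    tcp_hdr = struct.pack(
        "!HHIIBBHHH",
        src_port, dst_port,
        1, 0,                            # seq, ack (constructed)
        5 << 4,                          # data offset = 5 words, reserved bits 0
        flags,                           # tcp[13]: CWR ECE URG ACK PSH RST SYN FIN
        65535, 0, 0,                     # window, checksum (not computed), urgent pointer
    )
    return ip_hdr + tcp_hdr


def ip_byte(pkt, n):
    """BPF ip[n]: byte n counted from the start of the IP header."""
    return pkt[n]


def tcp_byte(pkt, n):
    """BPF tcp[n]: byte n counted from the start of the TCP header, which
    begins after the IP header (IHL * 4 bytes), not at a fixed offset."""
    ihl_bytes = (pkt[0] & 0x0F) * 4
    return pkt[ihl_bytes + n]


def matching_filters(pkt):
    """Return the names of the page's byte-level filters this packet matches,
    evaluated exactly as the filter expressions are written."""
    f = tcp_byte(pkt, 13)
    hits = []
    for name, mask in (("URG", URG), ("ACK", ACK), ("PSH", PSH),
                       ("RST", RST), ("SYN", SYN), ("FIN", FIN)):
        if f & mask != 0:                 # tcp[13] & mask != 0
            hits.append(name)
    if f == 18:                           # tcp[13] = 18: exactly SYN+ACK, nothing else set
        hits.append("SYNACK")
    if f == 6:                            # tcp[13] = 6: exactly RST+SYN
        hits.append("RST+SYN")
    if ip_byte(pkt, 6) & 128 != 0:        # ip[6] & 128 != 0
        hits.append("EVIL")
    return hits


if __name__ == "__main__":
    samples = {
        "SYN":           build_ipv4_tcp(SYN),
        "SYN/ACK":       build_ipv4_tcp(SYN | ACK),
        "SYN/ACK+ECE":   build_ipv4_tcp(SYN | ACK | 64),   # ECN-capable handshake
        "RST+SYN":       build_ipv4_tcp(RST | SYN),
        "PSH/ACK, opts": build_ipv4_tcp(PSH | ACK, ihl=6),  # IP options shift the TCP header
        "SYN, evil bit": build_ipv4_tcp(SYN, evil=True),
    }
    for label, pkt in samples.items():
        print(f"{label:14s} tcp[13]={tcp_byte(pkt, 13):3d} -> {matching_filters(pkt)}")
```

Two things the run makes visible: <code>tcp[n]</code> is relative to the TCP header, so the same filter keeps working when IP options push the TCP header past offset 20; and the equality form <code>tcp[13]=18</code> only matches a SYN/ACK with no other flag bits set, so an ECN-negotiating SYN/ACK (ECE bit 64 also set, byte value 82) passes the <code>& 16</code> and <code>& 2</code> mask filters but not the <code>=18</code> one.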