tcpdump Cheatsheet
Power user.
Overview
tcpdump is the standard packet-capture tool. Five primitive operations cover almost every network investigation: capture, filter, save, replay, decode. Fluency in all five is what turns “the network is weird” into specific packets.
- Packet capture. Raw packet data with full headers. Ground-truth visibility into what actually crossed the wire.
- BPF filters. Filter by host, port, protocol, direction. Narrows scope before the data hits disk.
- Save and replay. -w writes pcap files; -r reads them back. Offline analysis happens off the production box.
- Wireshark plus live decoding. pcap files open in Wireshark for stream reconstruction; -X shows hex and ASCII for inline protocol-level investigation.
The approach
Three habits separate fluent tcpdump from beginner tcpdump: filter narrowly, save the pcap, and skip name resolution while capturing.
- tcpdump -i eth0 host 10.0.0.1. Filter by host on a specific interface. Cuts the noise from every other connection.
- tcpdump -i any port 443. Filter by port across all interfaces. Surgical capture for service-level investigations.
- tcpdump -w cap.pcap and -r cap.pcap. Write to disk and read back. Offline analysis is faster and safer than live decoding.
- tcpdump -nn. Skip DNS and port-name resolution. Faster output, especially when the resolver is the thing being debugged.
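The save/replay and filter habits above, as an added example that is not from the original cheatsheet: a small Python reader for the classic pcap format that `tcpdump -w` writes, replaying it the way `tcpdump -nn -r` does (numeric addresses and ports, tcpdump's flag letters) and applying a BPF-style `host X and port Y` filter to each decoded record. The sample pcap is constructed in memory with invented addresses and ports; the code assumes Ethernet link type and the classic (non-pcapng) file format.

```python
import struct

# Constructed sample: an in-memory pcap laid out as `tcpdump -w` writes it (24-byte
# global header, then a 16-byte record header per packet); addresses/ports are invented.
def _tcp_packet(src, dst, sport, dport, flags):
    ip4 = lambda a: bytes(int(o) for o in a.split("."))
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)  # zeroed MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, ip4(src), ip4(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp

def build_pcap(packets, linktype=1):  # linktype 1 = Ethernet (what -i eth0 produces)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(pkt), len(pkt)) + pkt
    return out

SAMPLE_PCAP = build_pcap([
    _tcp_packet("10.0.0.1", "10.0.0.2", 44321, 443, 0x02),  # SYN
    _tcp_packet("10.0.0.2", "10.0.0.1", 443, 44321, 0x12),  # SYN-ACK
    _tcp_packet("10.0.0.1", "10.0.0.3", 52000, 53, 0x18),   # PSH-ACK, different host/port
])

# tcpdump's flag letters in its print order: [S], [S.], [P.], [F.] ...
FLAG_NAMES = ((0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"),
              (0x10, "."), (0x20, "U"), (0x40, "E"), (0x80, "W"))

def read_pcap(data):
    """Replay like `tcpdump -nn -r`: yield (src, sport, dst, dport, flags) per TCP packet."""
    magic, = struct.unpack("<I", data[:4])
    e = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"  # magic reveals the writer's byte order
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(e + "IIII", data[off:off + 16])
        pkt = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if struct.unpack("!H", pkt[12:14])[0] != 0x0800 or pkt[23] != 6:
            continue  # only IPv4/TCP is decoded here
        t = 14 + (pkt[14] & 0x0F) * 4  # TCP header follows Ethernet + IPv4 IHL
        sport, dport = struct.unpack("!HH", pkt[t:t + 4])
        flags = "".join(n for bit, n in FLAG_NAMES if pkt[t + 13] & bit)
        yield (".".join(map(str, pkt[26:30])), sport, ".".join(map(str, pkt[30:34])), dport, flags)

def matches(rec, host=None, port=None):
    """BPF-style `host X and port Y`: an unqualified host/port matches either direction."""
    src, sport, dst, dport, _ = rec
    return (host is None or host in (src, dst)) and (port is None or port in (sport, dport))

def summarize(data, host=None, port=None):
    """tcpdump-style one-liners for the records that pass the filter."""
    return [f"IP {r[0]}.{r[1]} > {r[2]}.{r[3]}: Flags [{r[4]}]"
            for r in read_pcap(data) if matches(r, host, port)]
```

`summarize(SAMPLE_PCAP, host="10.0.0.1", port=443)` returns the SYN and SYN-ACK lines and drops the port-53 packet, the same narrowing `tcpdump -nn -r cap.pcap host 10.0.0.1 and port 443` performs.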
Why this compounds
tcpdump fluency compounds because BPF syntax and the capture-decode pattern transfer across eBPF, Wireshark, ss, and modern observability tools.
- Faster network investigation. Fluent tcpdump reaches root cause quickly. MTTR drops on the network-flavoured incidents the team sees most often.
- Network mental model. Each capture teaches the wire protocol. Over months, the team has an end-to-end view.
- Cross-tool transfer. BPF syntax appears in eBPF, Wireshark filters, and ss. The fluency carries.
- Year-one investment, year-two habit. The first year establishes fluency under pressure. Subsequent years extend it.