TCPDump – Cheat Sheet

Filter by destination IP and ports
$ tcpdump -n "dst host 192.168.1.1 and dst port 23"
$ tcpdump -n "dst host 192.168.1.1 and (dst port 23 or dst port 443)"
$ tcpdump -n "dst net 192.168.10/24 and dst port 23"
$ tcpdump -n "dst net 192.168.10/24 and dst portrange 1-23"

Filter by source IP and ports
$ tcpdump -n "src host 192.168.1.1 and src port 2222"
$ tcpdump -n "src host 192.168.1.1 and (src port 2222 or src port 2200)"
$ tcpdump -n "src net 192.168.1.0/24 and src port 2222"
$ tcpdump -n "src net 192.168.1.0/24 and src portrange 1-2222"

Capture only ICMP packets:
$ tcpdump -v icmp

Capture either ICMP or ARP packets:
$ tcpdump -v "icmp or arp"

Capture TCP port 80 (HTTP) traffic on eth0 and write it to a pcap file
$ tcpdump -i eth0 -w output.pcap "tcp port 80"

Save a capture to pcap file
$ tcpdump -w captured.pcap

Display a captured pcap file
$ tcpdump -r captured.pcap

SAROOT