
Tcpdump

Local


tcpdump -i lo -A

Live


Display Available Interfaces

tcpdump -D

Capture Packets from Specific Interface

tcpdump -i eth0
tcpdump -A -i eth0

Display Captured Packets in HEX and ASCII

tcpdump -XX -i eth0

Capture only TCP Packets.

tcpdump -i eth0 tcp

Capture only UDP Packets.

tcpdump -i eth0 udp

Capture Packet from Specific Port

tcpdump -i eth0 port <port>

Capture Packets from source IP

tcpdump -i eth0 src <ip>

Capture Packets from destination IP

tcpdump -i eth0 dst <ip>

From File


Reading from file

Command                              Comment
tcpdump -r file-name.pcap            -r: read packets from file instead of an interface
tcpdump -n -r file-name.pcap         -n: don't convert addresses (or ports) to names; -n must come before -r, because -r takes the file name as its argument

Filters

Command                                                 Comment
tcpdump -n -r file-name.pcap src host 11.22.33.44       src host 11.22.33.44: filter by source host
tcpdump -n -r file-name.pcap dst host 11.22.33.44       dst host 11.22.33.44: filter by destination host
tcpdump -n -r file-name.pcap port 8080                  port 8080: filter by port (source or destination)
tcpdump -n -A -r file-name.pcap                         -A: print packet data in ASCII

Put options (-n, -A, -r file) first and the filter expression last; on Linux tcpdump tolerates options after the expression, but BSD and macOS builds do not.

Filters - advanced

(https://support.f5.com/csp/article/K2289) The TCP flags are located in the 14th byte of the TCP header. Because numbering starts at byte 0, that is byte 13, written tcp[13] in tcpdump's filter syntax (the offset is relative to the start of the TCP header, so IPv4 options do not shift it).

Byte 13 holds eight one-bit flags. The six classic TCP flags occupy the low six bits; the top two bits were originally reserved and are treated as such by the F5 article, but since RFC 3168 they carry the Explicit Congestion Notification flags ECE and CWR, so they are usually zero but not guaranteed to be.

Each flag is one bit, so a header with a single flag set has byte 13 equal to that bit's value (shown here in decimal):

  • Final (FIN) = 1
  • Synchronize (SYN) = 2
  • Reset (RST) = 4
  • Push (PSH) = 8
  • Acknowledgement (ACK) = 16
  • Urgent (URG) = 32
  • ECN-Echo (ECE) = 64 and Congestion Window Reduced (CWR) = 128 (formerly reserved; usually zero)

If multiple flags are set in the TCP header, the value of byte 13 is the sum of the values of all the bits that are set. For example:

  • FIN, ACK = 17 (1 + 16)
  • SYN, ACK = 18 (2 + 16)
  • PSH, ACK = 24 (8 + 16)
  • FIN, PSH = 9 (1 + 8)
  • FIN, PSH, ACK = 25 (1 + 8 + 16)
Command                                          Comment
tcpdump -n -A -r file-name.pcap 'tcp[13]=24'     PSH, ACK (8 + 16)
tcpdump -n -A -r file-name.pcap 'tcp[13]=25'     FIN, PSH, ACK (1 + 8 + 16)

Note that = is an exact match on the whole byte: 'tcp[13]=24' matches only packets with PSH and ACK set and nothing else, and 'tcp[13]=2' misses a SYN whose ECN bits are also set (2 + 64 + 128 = 194). To test for a flag regardless of the others, mask the byte instead, e.g. 'tcp[13] & 2 != 0' for any packet with SYN set.
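The byte-13 arithmetic above, worked through on real packet bytes. This is an added example, not code from the F5 article or from tcpdump; it builds a few constructed Ethernet/IPv4/TCP frames (dummy addresses and ports, zero TCP checksum), reads tcp[13] out of them the way tcpdump indexes it, evaluates the page's exact-match filters against a masked filter, and writes the frames to a pcap file so the same filters can be checked with tcpdump -r. The flag table, the frame layout and the helper names are this example's own assumptions.

```python
import os
import struct
import tempfile

# Bit values of tcp[13] as listed on the page, plus the two ECN bits
# (RFC 3168) that the page lists as reserved.
TCP_FLAGS = {
    "FIN": 1, "SYN": 2, "RST": 4, "PSH": 8,
    "ACK": 16, "URG": 32, "ECE": 64, "CWR": 128,
}


def flag_value(*names):
    """Value of tcp[13] for the named flags, e.g. ('PSH', 'ACK') -> 24."""
    return sum(TCP_FLAGS[n] for n in names)


def flag_names(byte13):
    """Inverse of flag_value: the flags set in a tcp[13] value."""
    return [n for n, v in TCP_FLAGS.items() if byte13 & v]


def ip_checksum(header):
    """RFC 1071 one's-complement checksum over an IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(flags, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame carrying the given tcp[13] value.
    Addresses and ports are dummies; the TCP checksum is left at zero."""
    tcp = struct.pack("!HHIIBBHHH",
                      40000, 8080,   # src/dst port (dummy)
                      1, 0,          # seq, ack
                      5 << 4,        # data offset = 5 words, no options
                      flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    eth = bytes.fromhex("020000000001") + bytes.fromhex("020000000002") + b"\x08\x00"
    return eth + ip + tcp


def tcp_byte(frame, offset):
    """tcp[offset] as tcpdump indexes it: relative to the start of the TCP
    header, which follows the 14-byte Ethernet header and an IPv4 header
    whose length is taken from the IHL nibble (so IP options are handled)."""
    ihl = (frame[14] & 0x0F) * 4
    return frame[14 + ihl + offset]


def match_exact(frame, value):
    """Semantics of the page's filter 'tcp[13]=<value>': whole byte must match."""
    return tcp_byte(frame, 13) == value


def match_mask(frame, bits):
    """Semantics of 'tcp[13] & <bits> != 0': match if any of the bits are set."""
    return tcp_byte(frame, 13) & bits != 0


def write_pcap(path, frames):
    """Write frames to a classic pcap file (link type 1 = Ethernet) so the
    filters above can be checked with: tcpdump -n -r <path> 'tcp[13]=24'.
    Returns the number of bytes written."""
    written = 0
    with open(path, "wb") as fh:
        written += fh.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i, frame in enumerate(frames):
            written += fh.write(struct.pack("<IIII", i, 0, len(frame), len(frame)))
            written += fh.write(frame)
    return written


def demo(path=None):
    """Build four constructed packets, write them to `path` (default: a file in
    the temp dir) and evaluate exact-match versus masked flag filters on each."""
    if path is None:
        path = os.path.join(tempfile.gettempdir(), "tcp_flags_demo.pcap")
    frames = {
        "SYN": build_frame(flag_value("SYN")),                                # 2
        "ECN SYN": build_frame(flag_value("SYN", "ECE", "CWR")),              # 194
        "PSH ACK": build_frame(flag_value("PSH", "ACK"), b"GET / HTTP/1.0\r\n"),  # 24
        "FIN PSH ACK": build_frame(flag_value("FIN", "PSH", "ACK")),          # 25
    }
    packets = {
        name: {
            "tcp[13]": tcp_byte(fr, 13),
            "tcp[13]=2": match_exact(fr, 2),
            "tcp[13]&2!=0": match_mask(fr, 2),
            "tcp[13]=24": match_exact(fr, 24),
        }
        for name, fr in frames.items()
    }
    return {"path": path, "pcap_bytes": write_pcap(path, list(frames.values())), "packets": packets}


if __name__ == "__main__":
    result = demo()
    for name, checks in result["packets"].items():
        print(f"{name:12s} {checks}")
    print(f"wrote {result['path']}; try: tcpdump -n -r {result['path']} 'tcp[13]=24'")
```

The ECN SYN is the case to look at: its tcp[13] is 194, so the page's exact filter 'tcp[13]=2' drops it while the masked test keeps it. The same masking in tcpdump's own symbolic syntax is 'tcp[tcpflags] & tcp-syn != 0', which reads better than raw byte values in a saved filter.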