- Capture traffic on an interface or all
tcpdump -i eth0
tcpdump -i any
- Capture and write to a file
tcpdump -i eth0 -w file_name.pcapng
- Read packets from a file, do not resolve hosts/ports
tcpdump -r file_name.pcapng -n
- Read packets from a file, dont resolve, show as ASCII
tcpdump -r file_name.pcapng -n -A
- Traffic going to or from a host
tcpdump -r file_name.pcapng 'host 192.168.1.34'
tcpdump -r file_name.pcapng 'src host 192.168.1.34'
- Traffic where the source is not a specific host
tcpdump -r file_name.pcapng 'not src host 192.168.1.34'
- Only ICMP traffic from a sepecifc host
tcpdump -r file_name.pcapng 'icmp and (src host 19.168.1.34)