tcpdump and Wireshark are the two dominant packet analysis tools in networking and security work. tcpdump (built on libpcap) is a lightweight CLI sniffer that uses Berkeley Packet Filter (BPF) syntax for capture filters. tshark is Wireshark's headless CLI counterpart and supports both BPF capture filters and Wireshark's much richer display filter language. Together they cover everything from quick triage on a remote server to deep forensic analysis of saved pcap files. This cheat sheet covers basic capture, BPF filters, file I/O, tshark output formats, display filters, TLS decryption, remote capture, statistics, profiles, expert info, export objects, and tool selection guidance, ordered from foundational to advanced.
What This Cheat Sheet Covers
This topic spans 17 focused tables and 219 indexed concepts. Below is a complete table-by-table outline of this topic, spanning foundational concepts through advanced details.
Table 1: tcpdump Basic Capture Syntax
| Concept | Example | Description |
|---|---|---|
| Capture on specific interface | `tcpdump -i eth0` | • Sniff on interface eth0 • use `-i any` to capture on all interfaces (Linux; per-packet link type then becomes "Linux cooked") |
| List available interfaces | `tcpdump -D` | Print a numbered list of interfaces available for capture; the number can be passed to `-i` in place of the name |
| Limit packet count | `tcpdump -i eth0 -c 100` | Stop the capture after 100 packets have been received |
| Suppress DNS and port resolution | `tcpdump -nn` | • `-n` skips reverse DNS lookups of addresses • `-nn` also skips service-name lookups for ports • Always use `-nn` on an incident host: lookups are slow, can leak your interest to an attacker-controlled resolver, and make output harder to parse |
| Verbose output levels | `tcpdump -v` / `-vv` / `-vvv` | • Each level adds more decoded fields (`-v` adds TTL, IP ID, total length and header checksum verification) • `-vvv` shows maximum detail |
| Quiet / summary mode | `tcpdump -q` | Print less protocol information, giving shorter one-line summaries (for TCP, flags and sequence numbers are omitted) |
| Drop privileges after opening the interface | `tcpdump -Z tcpdumpuser` | Switch to the named user once the capture interface is open; tcpdump still needs root or `CAP_NET_RAW` to start. Many distribution builds default to `-Z tcpdump`. Files written with `-w` are created as that user, so the target directory must be writable by it |
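The practical payoff of `-nn` is that every address and port in the output stays numeric, so the lines can be consumed by a script. The following added example (not code from the original cheat sheet) parses a handful of constructed lines shaped like `tcpdump -nn -i eth0` output, groups TCP SYNs by source host to flag scan-like behaviour, and reports any line that is not in pure numeric form, which is what you get when `-n` is used without the second `n`. All hosts, ports and timestamps in the sample are invented.

```python
"""Parse tcpdump -nn text output for quick triage.

Added example, not code from the original cheat sheet. The capture lines in
SAMPLE are constructed to look like `tcpdump -nn -i eth0` output; every host,
port and timestamp is invented. The parser requires numeric ports, so a line
produced with plain -n (service name instead of port) is reported, not parsed.
"""
import re

# Constructed sample: four SYNs from 10.0.0.5 to four different ports on one
# host (scan-like), one DNS query, one ordinary SYN from 10.0.0.7, and one
# line as -n alone would print it ("https" instead of 443).
SAMPLE = """\
12:00:01.000001 IP 10.0.0.5.51234 > 192.0.2.10.22: Flags [S], seq 1, win 64240, length 0
12:00:01.000201 IP 10.0.0.5.51235 > 192.0.2.10.80: Flags [S], seq 2, win 64240, length 0
12:00:01.000401 IP 10.0.0.5.51236 > 192.0.2.10.443: Flags [S], seq 3, win 64240, length 0
12:00:01.000601 IP 10.0.0.5.51237 > 192.0.2.10.3389: Flags [S], seq 4, win 64240, length 0
12:00:02.000001 IP 10.0.0.7.40000 > 10.0.0.1.53: 12345+ A? example.com. (29)
12:00:03.000001 IP 10.0.0.7.50000 > 192.0.2.20.443: Flags [S], seq 5, win 64240, length 0
12:00:04.000001 IP 10.0.0.7.50001 > 192.0.2.20.https: Flags [S], seq 6, win 64240, length 0
"""

# One tcpdump line: "<time> IP|IP6 <src>.<sport> > <dst>.<dport>: <rest>".
# tcpdump joins address and port with a dot, so the port is the digits after
# the last dot; \d+ forces it to be numeric, which is exactly what -nn gives.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP6? "
    r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): (?P<rest>.*)$"
)


def parse_line(line):
    """Return a dict of fields, or None if the line is not in -nn numeric form."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    # A pure SYN is "Flags [S]"; SYN-ACK is "Flags [S.]" and is deliberately excluded.
    rec["syn"] = rec["rest"].startswith("Flags [S]")
    return rec


def syn_targets_by_source(text):
    """Map each source IP to the set of distinct destination ports it sent SYNs to."""
    targets = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["syn"]:
            targets.setdefault(rec["src"], set()).add(rec["dport"])
    return targets


def unparsed_lines(text):
    """Lines that did not match the numeric format (usually -n without -nn)."""
    return [ln for ln in text.splitlines() if ln and parse_line(ln) is None]


if __name__ == "__main__":
    for src, ports in sorted(syn_targets_by_source(SAMPLE).items()):
        print(f"{src}: SYN to {len(ports)} distinct ports {sorted(ports)}")
    for ln in unparsed_lines(SAMPLE):
        print("unparsed (captured without -nn?):", ln)
```

Feed it a real capture with `tcpdump -nn -i eth0 -c 1000 | python3 triage.py` (reading `sys.stdin` in place of `SAMPLE`); the threshold for calling something a scan is a local decision, so the script only reports per-source port counts.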