tcpdump and Wireshark are the two dominant packet analysis tools in networking and security work. tcpdump (v5.0, powered by libpcap) is a lightweight CLI sniffer using Berkeley Packet Filter (BPF) syntax for capture filters. tshark is Wireshark's headless CLI counterpart and supports both BPF capture filters and Wireshark's rich display filter language. Together they cover everything from quick triage on remote servers to deep forensic analysis of pcap files. This cheat sheet covers basic capture, BPF filters, file I/O, tshark output formats, display filters, TLS decryption, remote capture, statistics, profiles, expert info, export objects, and tool selection guidance — ordered from foundational to advanced.
What This Cheat Sheet Covers
This topic spans 17 focused tables and 219 indexed concepts. Below is a complete table-by-table outline of this topic, spanning foundational concepts through advanced details.
Table 1: tcpdump Basic Capture Syntax
The flags that get you sniffing in the first place — picking an interface, capping how many packets you grab, and turning off the slow DNS and port-name lookups that otherwise stall the output. Reach for -nn and a packet count almost every time you run tcpdump for a quick look.
| Concept | Example | Description |
|---|---|---|
Capture on specific interface | tcpdump -i eth0 | • Sniff on interface eth0 • use any to capture on all interfaces |
List available interfaces | tcpdump -D | Print numbered list of interfaces available for capture |
Limit packet count | tcpdump -i eth0 -c 100 | Stop capture after receiving 100 packets |
Suppress DNS and port resolution | tcpdump -nn | • -n skips hostname lookup• -nn also skips port name lookup |
Verbose output levels | tcpdump -v / -vv / -vvv | • Each level adds more decoded fields • -vvv shows maximum detail |
Quiet / summary mode | tcpdump -q | Print less protocol information per line |
Run as non-root user | tcpdump -Z tcpdumpuser | Drop privileges to specified user after opening capture interface |