Cheat sheet — Networking & Packet Capture¶
Companion to Module 06 — Networking Fundamentals · CC BY 4.0 — print it, pin it, share it.
Last reviewed: 2026-07
tcpdump — capture¶
sudo tcpdump -D # list capture interfaces
sudo tcpdump -i eth0 # capture on an interface
sudo tcpdump -i eth0 -w capture.pcap # write raw packets to a file (open later in Wireshark)
sudo tcpdump -r capture.pcap # read a saved capture back
sudo tcpdump -i eth0 -c 100 # stop after 100 packets
Useful output flags: -n (don't resolve names/ports — faster, honest), -nn (nor ports),
-v/-vv (more header detail), -A (payload as ASCII), -X (hex + ASCII), -e (link-layer/MAC),
-tttt (human-readable timestamps).
tcpdump — BPF filters (the part everyone re-looks-up)¶
host 10.0.0.5 # to or from this host
src host 10.0.0.5 # source only (dst host for destination)
net 10.0.0.0/24 # a subnet
port 443 # either direction (src port / dst port to pin it)
portrange 8000-8100
tcp / udp / icmp # by protocol
Combine with and / or / not and parentheses (quote them in the shell):
sudo tcpdump -i eth0 'tcp port 443 and host 10.0.0.5'
sudo tcpdump -i eth0 'udp port 53' # DNS — where C2 and exfil hide
sudo tcpdump -i eth0 'tcp[tcpflags] & tcp-syn != 0 and tcp[tcpflags] & tcp-ack == 0' # SYN-only (scans)
sudo tcpdump -i eth0 'not arp and not port 22' # cut the noise (and your own SSH)
- Filtering happens in the kernel before packets reach userspace — a tight filter is the difference between a readable capture and a firehose. Write the filter first.
Connections and sockets — ss (netstat's modern replacement)¶
ss -tulpn # TCP+UDP listeners, with process names and ports (the daily driver)
ss -tp # established TCP connections + owning process
ss -s # summary counts by state
ss dst 10.0.0.5 # filter by peer
Mnemonic: tcp udp listening process numeric.
DNS lookups¶
dig example.com # full answer section
dig +short example.com # just the address
dig example.com MX # a specific record type (A, AAAA, MX, TXT, NS, CNAME)
dig @1.1.1.1 example.com # ask a specific resolver
dig -x 1.1.1.1 # reverse lookup (PTR)
Quick connectivity checks¶
ping -c 4 host
traceroute host # the path, hop by hop
curl -sI https://host # is HTTP up? (headers only)
nc -vz host 443 # is one TCP port open?
nc -vz host 20-25 # ...a small range
nmap — first-look scans¶
nmap -sn 10.0.0.0/24 # host discovery only (who's alive) — no port scan
nmap -sV -p- 10.0.0.5 # all 65535 ports + service/version detection
nmap --top-ports 100 10.0.0.5 # fast: the 100 most common ports
nmap -sV -sC 10.0.0.5 # versions + default safe scripts
Only scan hosts you own or have written authorization to test.
nmapagainst systems you don't own can be illegal and is trivially logged.
Gotchas worth remembering¶
- A packet capture is ground truth — it records what was actually sent, not what a log claims. But if you didn't capture it, it's gone; start the capture before you reproduce the thing.
- DNS is UDP/53, rarely blocked, and implicitly trusted — which is exactly why SUNBURST-style beaconing and exfiltration ride it. Odd, long, high-entropy subdomains are the tell.
- Names/ports resolution (
tcpdumpwithout-n) can itself generate DNS traffic that pollutes your capture. Use-nwhen analyzing DNS.
Comments
Sign in with GitHub to comment. Choose the type: Feedback (errors or suggestions on this page) · Hints (help for fellow learners — no spoilers) · General (anything else).