added tcpdump

3 files changed, 38 insertions, 0 deletions

diff --git a/src/SUMMARY.md b/src/SUMMARY.md
index c32741e..4062e92 100644
--- a/src/SUMMARY.md
+++ b/src/SUMMARY.md
@@ -54,6 +54,9 @@
     - [coredump](./linux/coredump.md)
     - [ptrace_scope](./linux/ptrace_scope.md)
 
+- [Network](./network/README.md)
+    - [tcpdump](./network/tcpdump.md)
+
 - [Arch](./arch/README.md)
     - [x86_64](./arch/x86_64.md)
     - [arm64](./arch/arm64.md)
diff --git a/src/network/README.md b/src/network/README.md
new file mode 100644
index 0000000..80ecc7b
--- /dev/null
+++ b/src/network/README.md
@@ -0,0 +1,4 @@
+
+# Network
+
+- [tcpdump](./tcpdump.md)
diff --git a/src/network/tcpdump.md b/src/network/tcpdump.md
new file mode 100644
index 0000000..fdaf911
--- /dev/null
+++ b/src/network/tcpdump.md
@@ -0,0 +1,31 @@
+# tcpdump(1)
+
+# CLI
+
+```markdown
+tcpdump [opts] -i <if> [<filter>]
+    -n              Don't covert host/port names.
+    -w <file|->     Write pcap trace to file or stdout (-).
+    -r <file>       Read & parse pcap file.
+```
+
+Some useful filters.
+```markdown
+src <ip>                Filter for source IP.
+dst <ip>                Filter for destination IP.
+host <ip>               Filter for IP (src + dst).
+net <ip>/<range>        Filter traffic on subnet.
+[src/dst] port <port>   Filter for port (optionally src/dst).
+tcp/udp/icmp            Filter for protocol.
+```
+
+> Use `and/or/not` and `()` to build filter expressions.
+
+# Examples
+
+## Capture packets from remote host
+
+```makrdown
+# -k: Start capturing immediately.
+ssh <host> tcpdump -i <IF> -w - | sudo wireshark -k -i -
+```