11 Linux Shell Commands for Hacking and Security

The Linux command line is where visibility, control, and power meet — and nowhere is that more true than in security work.

The 11 commands discussed in this post are staples for administrators, penetration testers, and defenders alike. They let you discover devices on a network, inspect traffic, test authentication, and hunt for rootkits, all from a terminal. Because these tools operate at a low level and can be disruptive if misused, this guide focuses on practical usage, realistic examples, and defensive context so you can apply them responsibly to harden systems, investigate incidents, or learn offensive techniques in a safe, legal environment.

arp: Manages the ARP Cache

arp from the net-tools package helps to manage the cache for the address resolution protocol (ARP). This cache contains a list of local network devices and allows the assignment to their MAC addresses. Without any further parameters, the command returns the current cache content. With the -n option, the corresponding IP addresses are displayed instead of host names.

user$ arp

Address                  HWtype    HWaddress          Flags Mask   Iface

fritz.box                ether     3c:37:12:b7:a1:cb  C            enp0s1

Archer-C6.fritz.box      ether     d8:07:b6:4f:19:af  C            enp0s1

m3.fritz.box             ether     80:a9:97:32:c5:d7  C            enp0s1

BRN001BA99C5DA4.fritz.b  ether     00:1b:a9:9c:5d:a4  C            enp0s1

192.168.178.1            ether     3c:37:12:b7:a1:cb  C            enp0s1

192.168.178.21           ether     d8:07:b6:4f:19:af  C            enp0s1

192.168.178.146          ether     80:a9:97:32:c5:d7  C            enp0s1

192.168.178.20           ether     00:1b:a9:9c:5d:a4  C            enp0s1

arp-scan: Sends ARP Packets to All Addresses in a Network

arp-scan sends address resolution protocol (ARP) packets to the specified hosts or IP addresses and displays the resulting responses. arp-scan thus provides an extremely fast way of finding out which hosts or IP addresses are running active devices and which MAC addresses they have. As usual, the address range can also be specified in the form 10.17.0.0/16.

The nmap command provides similar functions, albeit on a completely different technical basis. In short, nmap is slower but more thorough.

• -f filename or --file=filename: Loads the hosts or IP addresses from the specified file.
• -I interface or --interface=interface: Explicitly selects the network interface via which the ARP packets are to be sent. If this option isn’t specified, arp-scan simply uses the first interface, ignoring the loopback interface.
• -l or --localnet: Searches the entire local network. There is then no need to specify hosts or IP addresses. 

Example: The following arp-scan command is used to perform a network scan for the IP addresses 10.0.0.*:

root# arp-scan --interface=enp0s3 10.0.0.0/24

Interface: enp0s3, datalink type: EN10MB (Ethernet)

Starting arp-scan 1.9 with 256 hosts

10.0.0.9     00:16:b6:9d:ff:4b  Cisco-Linksys

10.0.0.22    b8:27:eb:11:44:2e  Raspberry Pi Foundation

10.0.0.39    ac:87:a3:1e:4a:87  (Unknown)

...

7 packets received by filter, 0 packets dropped by kernel

Ending arp-scan 1.9: 256 hosts scanned in 1.825 seconds

   (140.27 hosts/sec). 7 responded

Chkrootkit: Searches for Known Rootkits

The chkrootkit command from the package of the same name searches the system for known rootkits. The procedure is pretty simple: the command attempts to detect the malware by using simple criteria or signatures (e.g., the presence of certain character strings in binary files).

• -n: Ignores NFS directories.
• -r directory: Uses the specified directory as the starting point (as the root directory).

Although the project is still active, further development is only taking place in small steps. Both false positives and the failure to detect genuine threats are possible.

Example

root# chkrootkit

ROOTDIR is /

Checking amd...                               not found

Checking basename...                          not infected

Checking biff...                              not found

Checking chfn...                              not infected

Searching for sniffer's logs ...              nothing found

Searching for rootkit HiDrootkit's files...   nothing found

Searching for rootkit t0rn's default files... nothing found

Checking asp...                               not infected

Checking bindshell...                         not infected

Checking lkm... chkproc:                      nothing detected

...

Variants: chkrootkit can be the starting point of a rootkit search due to its ease of use. Alternative or supplementary tools are, for example, rkhunter and the commercial tools Lynis and Snort. The latter two programs each have an open-source kernel that can be used free of charge. 

fail2ban-client: Administrates Fail2ban

Fail2ban is a security program that monitors logins and blocks the IP address in question for a certain period of time after repeated incorrect logins. If Fail2ban has been set up, its function can be checked and changed via fail2ban-client.

• get parameter: Imports a configuration parameter.
• reload [jailname]: Reloads the entire configuration or the configuration of a jail. In Fail2ban, a jail is a program to be monitored.
• set [jailname] parameter value: Changes a general configuration parameter or the parameter of a jail.
• start/stop [jailname]: Starts or stops Fail2ban completely or starts/stops only one jail.
• status [jailname]: Displays the list of all active jails or details of a jail.

If fail2ban-client is executed without commands only with the -d option, the command outputs the entire currently valid configuration, whereby only the filters, jails, and actions that are actually in use are taken into account. This is very helpful in troubleshooting due to the confusing configuration files.

Examples: The following commands show that four jails are active on the test computer. The jail for the SSH server has already temporarily blocked 1,418 IP addresses in the past. Currently, 3 addresses are blocked.

root# fail2ban-client status

Status

   Number of jail: 4

   Jail list:                     dovecot, postfix, sshd, sshd-ddos

root# fail2ban-client status sshd

Status for the jail: sshd

   Filter

         Currently failed: 4

      Total failed: 151362

      Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd

   Actions

      Currently banned: 3

      Total banned:        1418

      Banned IP list:      58.218.nnn.nnn 58.242.nnn.nnn 180.76.nnn.nnn

You can unblock an erroneously blocked IP address using fail2ban-client set (here, we do this for the SSH jail):

root# fail2ban-client set sshd unbanip 1.2.3.4

hydra: Serves as an Online Password Cracker

The hacking or penetration testing command hydra from the package of the same name reads passwords from a file or generates them itself and attempts to use them to log in to a network service.

hydra supports a wide range of services, including FTP, HTTP(S), IMAP, MySQL, Microsoft SQL, POP3, PostgreSQL, SMTP, Telnet, and VNC. The command can also attempt logins in web forms (GET, PUT, POST). You can determine the list of permitted service names using hydra -h. 

• -6: Uses IPv6, if possible.
• -C filename: Uses the login name and password combinations specified in the file. The logins and passwords must be contained line by line in the format login:password.
• -e nsr: Also tries an empty password (n as in null), the login name as password (s as in same), and the reverse login name (r as in reverse).
• -f: Terminates the command as soon as a valid login/password combination is found.
• -l loginname: Uses the specified login name.
• -L user file: Reads the login names line by line from the specified text file.
• -m options: Transfers additional options that are specific to the network service. You can determine permitted options using hydra -U service, such as hydra -U http-get for logins that are supposed to be done with an HTTP GET
• -M host file: Reads the host names or IP addresses to be attacked from the file and attacks all hosts in parallel.
• -o result file: Saves the successful login password combinations in the specified file instead of displaying them in the standard output.
• -p password: Uses the specified password.
• -P pwfile: Tries out the passwords from the specified text file one after the other.
• -R: Resumes the hydra call last interrupted via (Ctrl)+(C), provided the restore file exists. No further options need to be specified; they are included in hydra. restore.
• -s portnr: Uses the specified port instead of the default port of the respective service.
• -t n: Runs n tasks (threads) in parallel. The default setting is 16. This can be too high because some services block the login if there are too many parallel requests (from the same IP address at that).
• -x min:max:chars: Generates passwords that are between min and max characters long and contain the specified characters. Here, a is shorthand for lowercase letters, A for uppercase letters, and 1 for numerals. All other characters, including äöüß, must be entered individually.

Example: With -x '4:6:aA1-_$%', hydra uses passwords that are four to six characters long and contain the characters -, _, $, and % in addition to letters and numbers. With -x '4:4:1', hydra tries all four-digit numbers. This results in 10,000 possibilities.

The -x option is only useful in exceptional cases, namely if you have (almost) an infinite amount of time and the target computer tolerates an unlimited number of login attempts.

Example: In the following example, hydra tries to find an account on a Linux server with a trivial password or no password at all for an SSH login. To do this, cut first generates a list of all accounts. Ideally, you should run this command on a computer running the same distribution as the target computer.

user$ cut -d: -f1 /etc/passwd > logins.txt

After that, hydra is supposed to try an SSH login for all accounts stored in logins.txt, using the account name, the reversed account name, and an empty character string as the password:

user$ hydra -L logins.txt -t 4 -e nsr 10.0.0.36 targethost

Alternatives: If you know passwords in the form of hash codes, you can try to find out the plain-text passwords with the offline password cracker (see john). hashcat is even faster. However, this command requires the sometimes-complicated installation of suitable GPU drivers.

John: Serves as an Offline Password Cracker

The program John the Ripper (command and package name john) is an offline password cracker. To use the program, you must have the passwords as hash codes. john then tests whether self-generated passwords or passwords from a predefined list correspond to the hash codes.

john can handle most common hash algorithms. In the simplest case, you simply pass the name of a text file containing hash codes line by line to the command. The lines of the text file can also have the following format: name:hashcode:xxx. john first tries the account name as password (if available), then passwords from a built-in word list, and finally passwords that it generates itself (--single, --wordlist, and --incremental mode). Cracked passwords are stored in .john/john.pot.

--format=hashname:

Specifies which hash method john should use. The command supports the following formats, among others: afs, bcrypt, bsdicrypt, crypt, descrypt, dummy, lm md5crypt, and tripcode. This option is only required if john doesn’t recognize the hash method itself.

A brief description of the hash formats can be found on this website. Note that this website also describes formats that are only included in the unofficial “jumbo” version (see the “Alternatives” section).

--incremental[:lower|lowernum|alpha|digits|alnum]

Generates passwords itself, first trying out short and then increasingly longer passwords. Note that, in this mode, john runs endlessly, unless the passwords you’re looking for are trivial.

By default, the characters a–z, A–Z, and 0–9 are taken into account in this mode (corresponds to alnum, 62 characters). Optionally, you can restrict the character set: lower corresponds to a–z, lowernum includes a–z and 0–9, alpha corresponds to a–z and A–Z, and digits includes digits only. Some other modes that can be defined are provided in /etc/john/john.conf. (On Ubuntu, many modes don’t work because the corresponding character set files are missing in /usr/share/john.)

Finally, you can use john --make-charset to generate your own character set file, which you can then use with --incremental=charsetfile. This website provides some useful tips on this.

--restore

Continues the execution of john that was interrupted by (Ctrl)+(C).

--show

Displays passwords that have already been cracked. For this purpose, the .john/john.pot file gets evaluated. 

--wordlist filename

Tries out the passwords contained in the file line by line.

Example: The starting point for this example is a Linux computer with multiple accounts. The unshadow command supplied with john combines /etc/passwd and /etc/shadow into a new hashes file. (The access to the shadow file requires root permissions.) The hash codes in the resulting file are abbreviated here for reasons of space:

root# unshadow /etc/passwd /etc/shadow > hashes

root# chown user hashes

user$ cat hashes

...

peter:$6$U.zGFBlF$LdNTE...:1001:1001::/home/peter:/bin/bash

maria:$6$gSJg6.d8$mN.en...:1002:1002::/home/maria:/bin/bash

hugh:$6$UinuQqJY$iD59.N...:1003:1003::/home/hugh:/bin/bash

john finds two particularly insecure passwords within seconds. peter has used his own name as his password, and hugh used the popular password “123456”. However, Maria’s password can’t be cracked straight away, which is why the process gets stopped after a while by pressing (Ctrl)+(C):

user$ john hashes

Loaded 3 password hashes with 3 different salts

Press 'q' or Ctrl-C to abort, almost any other key for status

peter                          (peter)

123456                         (hugh)

   <Strg>+<C>

You can download lists of popular passwords from GitHub using git. (Note that the space required for the lists is around 750 MiB!) One of these dictionaries actually contains Maria’s password! It reads secret:

user$ git clone https://github.com/danielmiessler/SecLists.git

user$ john --wordlist=SecLists/Passwords/Common-Credentials/ \

                      10-million-password-list-top-10000.txt hashes

Loaded 3 password hashes with 3 different salts

Remaining 1 password hash with 1 different salt

secret       (maria)

Alternatives: On GitHub there is the greatly expanded, community-maintained “jumbo” version of john.

If you want to significantly speed up the cracking of hash codes with GPU support, you should consider using hashcat. The biggest hurdle in this case is the installation of suitable GPU drivers. To check network services for insecure passwords, you can use the online password cracker: hydra.

nc: Netcat, Redirects Network Data to the Standard Input or Output

The nc command is better known as Netcat. It redirects TCP/UDP ports to standard input/output and provides a number of other functions. You can use the command to interactively test network protocols such as HTTP or SMTP in a way similar to telnet. With nc, you can also copy files via any network port, implement a chat, or set up a simple backdoor that receives and executes commands via a port. It’s therefore not surprising that nc is extremely popular among hackers and penetration testers.

On some Linux distributions, the nc command is included in the package of the same name; on other distributions, you must install netcat. Note that there are different implementations of Netcat. For example, netcat-traditional is used on Debian and Ubuntu, while RHEL provides a variant from the nmap developers (https://nmap.org/ncat). In practice, this doesn’t result in any major differences, but individual options may be implemented differently (or not at all) depending on the version.

• -4 or -6: Uses only IPv4 or IPv6.
• -l: Waits on the specified port for a connection to be established (listen).
• -p portnr: Defines the local port (source port). The port, which is usually specified at the end of the nc command, is the destination port.
• -x proxyadr:portnr: Uses the specified proxy address and the corresponding port.

A number of other options are described in man nc. A possible alternative to nc is the socat command, which isn’t covered in this book. It also supports the SCTP, can work via proxy servers, operate serial interfaces, and encrypt the data for transmission:

www.dest-unreach.org/socat

Examples: To copy a file via any port (here, 1234) from host 1 to host 2, you first start the receiver on host 2 (right column) and then initiate the transfer of the file to host 1 (left column):

host2$ nc -l 1234 > file

host1$ nc host2 1234 < file

It’s just as easy to conduct a chat. All you have to do is agree on a port with the other party. The chat is initiated on a computer via nc -l (left column). This way, nc monitors the specified port 1234 and waits for a connection to be established.

On the second host, nc is started without options to connect to the first host. There’s no visible confirmation that the connection has been established, but as soon as one of the two parties enters text (standard input) and confirms it by pressing (Enter), the text appears in the terminal of the other party (standard output).

host1$ nc -l 1234

             host2$ nc host1 1234

how are you?

        how are you?

        good

good

<Ctrl>+<C>

The third example shows the potential danger of Netcat: Here, nc on host 1 is set up to pass all input received on port 1234 to the bash shell. Their outputs are transferred back to the transmitter. Shell commands can now be run on host 1 from a second host. Ls therefore shows files that are located on host 1!

host1$ nc -l 1234 -e /bin/bash

host2$ nc host1 1234

ls

file1

file2

file3

However, the -e option for executing a command isn’t available with all Netcat versions. It’s especially missing in the netcat-traditional implementation that’s common on Debian and Ubuntu. A solution to that is to install the nmap package and run the ncat command included there.

ngrep: Filters Network Streams Using grep (Packet Sniffing)

ngrep is referred to as a packet sniffer. The command reads the network traffic of a port and filters it. ngrep provides similar functions to the tcpdump command and, like this, uses the pcap library to read the network packets. Unlike tcpdump, however, ngrep also takes the contents of the packages into account. Naturally, this only works for nonencrypted protocols, such as HTTP or FTP.

The search expression must be formulated as a regular pattern as in grep. The syntax summarized in tcpdump applies to the pcap filter expression.

• -d interface|any: Determines the network interface.
• -i: Ignores uppercase and lowercase in the grep search expression.
• -v: Inverts the search. ngrep therefore only returns the packets in which the grep search pattern was not
• -w: Interprets the grep search expression as a word.
• -W byline: Takes line breaks into account during output, resulting in more legible output.

Example: The following example listens on all interfaces for HTTP packets containing the keywords user, pass, and so on:

root# ngrep -d any -i 'user|pass|pwd|mail|login' port 80

interface: any

filter: (ip or ip6) and ( port 80 )

match: user|pass|pwd|mail|login

T 10.0.0.87:58480 -> 91.229.57.14:80 [AP] POST /index.php

   HTTP/1.1..Host: ... user=name&pass=geheim&login=Login

...

nmap: Serves as a Network and Port Scanner

The nmap command (network mapper) from the package of the same name performs a port scan and attempts to determine which network services are active on the specified computer or in the specified network. nmap should only be used to analyze your own computers or after consultation with the respective administrator. A port scan of other computers can be interpreted as an attempted attack!

• -A: Performs an extensive (“aggressive”) scan, corresponding to –sV -O -sC --traceroute.
• -F: Considers only the 100 most important ports from /usr/share/nmap/nmap-services (quick scan).
• -iL file: Scans the IP addresses specified in the file.
• -oN file / -oG file / -oX xml: Writes the results to an ordinary text file, to a text file that can be easily processed with grep, or to an XML file. Without the option, nmap uses the standard output and the ordinary text format.
• -O: Attempts to recognize the operating system; this option must be combined with a scan option, such as -sS, -sT, or -sF.
• -p1-10,22,80: Takes only the specified ports into account.
• -Pn: Doesn’t perform a ping test. This means that nmap considers all hosts to be online and performs a scan in any case (slowly!).
• -sL: Lists all ports and specifies host names assigned in the past. This is particularly fast, but provides outdated data even from devices that are currently no longer online.
• -sP: Performs only a ping test (fast).
• -sS: Performs a TCP SYN scan (applies by default).
• -sU: Takes UDP into account as well. This option can be used together with another -s
• -sV: Tries to find out which service is provided on open ports (service version detection) or which program is responsible for the service and in which version.
• -T0 to -T5: Selects a timing schema: – -T5 is the fastest. – -T3 is the default. – -T0 and -T1 are extremely slow, but minimize the risk of the scan being detected.
• -v: Outputs detailed information (verbose).

You must choose an -s option when calling. Only -sU may be combined with other -s options. In general, the right choice of options is a trade-off between thoroughness and speed.

In many cases, nmap -v -A name is sufficient to get an initial overview of the network services of the specified computer. Advanced nmap users can find more details on the man page and on the following websites:

https://insecure.org/nmap

https://nmap.org/book

Graphical user interfaces also exist for nmap, such as nmap-frontend or zenmap.

Examples: The following command performs a quick network scan on the local network (256 IP addresses). Thanks to the focus on the most important 100 ports, the job is done within about two seconds. The nmap outputs have been shortened for reasons of space and only show the results of two of the devices found:

root# nmap -F -T4 10.0.0.0/24

Nmap scan report for imac (10.0.0.2)

   Host is up (0.00019s latency).

   PORT STATE SERVICE

   22/tcp open ssh

   88/tcp open kerberos-sec

   445/tcp open microsoft-ds

   548/tcp open afp

   MAC Address: AC:87:A3:1E:4A:87 (Apple)

Nmap scan report for raspberrypi (10.0.0.22)

   Host is up (0.00038s latency).

   Not shown: 99 closed ports

      PORT STATE SERVICE

   22/tcp open ssh

   MAC Address: B8:27:EB:11:44:2E (Raspberry Pi Foundation)

...

Nmap done: 256 IP addresses (6 hosts up) scanned in 2.42 seconds

The second example shows the nmap result for a NAS device that is located in a different local network (again, it has been heavily shortened):

root# nmap -v -A 192.168.178.28

Nmap scan report for DiskStation.fritz.box (192.168.178.28)

Host is up (0.0023s latency).

...

Discovered open port 445/tcp on 192.168.178.28

Discovered open port 139/tcp on 192.168.178.28

Discovered open port 80/tcp on 192.168.178.28

Discovered open port 443/tcp on 192.168.178.28

Discovered open port 22/tcp on 192.168.178.28

Discovered open port 5001/tcp on 192.168.178.28

Discovered open port 5000/tcp on 192.168.178.28

Discovered open port 548/tcp on 192.168.178.28

PORT STATE SERVICE VERSION

22/tcp open ssh OpenSSH 7.4 (protocol 2.0)

   ssh-hostkey:

      2048 5a:e7:3a:66:f4:99:9f:0a:0a:... (RSA)

      256 06:1a:bf:9f:e9:d0:64:3a:92:49:... (ECDSA)

      256 ad:b7:7d:ab:ae:70:0a:c9:a6:0c:... (ED25519)

      ...

80/tcp open http nginx

139/tcp open netbios-ssn Samba smbd 4.6.2

445/tcp open netbios-ssn Samba smbd 4.6.2

...

Nmap done: 1 IP address (1 host up) scanned in 64.19 seconds

rkhunter: Searches for Known Rootkits

The rkhunter shell script (Rootkit Hunter) attempts to detect rootkits installed on the computer. Compared to chkrootkit, rkhunter performs even more tests. As is the case with chkrootkit, however, the program isn’t infallible: you must expect both false positives and that the program won’t detect a modern rootkit at all.

In some distributions, a cron script gets set up when the rkhunter package is installed, which calls rkhunter once a day and sends an email with the results. On Debian and Ubuntu, this feature is also provided, but it’s disabled in the /etc/default/rkhunter configuration file.

• -c or –check: Performs a rootkit search and displays the results.
• --update: Updates the pattern files for detecting rootkits.

Example: The shortened version of the program reads as follows:

root# rkhunter –check

[ Rootkit Hunter version 1.4.6 ]

Checking system commands

...

Performing file properties checks

   Checking for prerequisites [ OK ]

   /usr/sbin/adduser          [ OK ]

   /usr/sbin/chroot           [ OK ]

   ...

Performing check of known rootkit files and directories

   55808 Trojan - Variant A [ Not found ]

   ADM Worm [ Not found ]

   AjaKit Rootkit [ Not found ]

   ...

Performing system configuration file checks

   Checking for an SSH configuration file          [ Found ]

   Checking if SSH root access is allowed          [ Warning ]

   Checking if SSH protocol v1 is allowed          [ Not allowed ]

System checks summary:

File properties checks:              Files checked: 151, Suspect files: 1

Rootkit checks:                             Rootkits checked: 475, Possible rootkits: 0

...

All results have been written to the log file: /var/log/rkhunter.log

tcpdump: Filters Network Streams (Packet Sniffing)

tcpdump from the package of the same name reads the network traffic of an interface, filters it according to criteria, outputs it, or saves it in a file. The command not only handles TCP packets, but also UDP and ICMP packets. tcpdump uses the pcap library internally to read and filter the network packets.

• -a: Displays package contents in text format (ASCII).
• -c n: Terminates the program after n
• -i interface: Considers only packets that flow via the specified interface. You can obtain a list of possible interfaces using tcpdump -D.
• -n: Displays IP addresses instead of host names.
• -q: Displays less information (quiet).
• -r file: Reads the packages from a file previously saved using tcpdump -w.
• -w file: Saves the packages in binary format (raw) in the specified file. The file can be read and analyzed again later using tcpdump -r or other programs (e.g., Wireshark).
• -x: Displays package contents in hexadecimal format.

Filter Expression: The options can be followed by a filter expression, which can be composed of the following keywords, among others:

• greater n: Considers only packets that are larger than n
• host ipadr or host hostname: Takes into account only packets that use the specified IP address or the corresponding host as the source or target.
• less n: Considers only packets that are smaller than n
• net cidr: Considers only packets whose source or destination corresponds to the specified address range in CIDR notation (e.g., 0.0.0/24).
• port n or portrange n1-n2: Considers only packets that use the specified port numbers as source or target.
• proto ether|fddi|tr|wlan|ip|ip6|arp|rarp|decnet|tcp|udp: Takes into account only packets of the specified protocol. The expression can be prefixed with ip or ip6 if only IPv4 or IPv6 packets are to be analyzed (e.g., ip6 proto udp).

The host, net, and port keywords can optionally be prefixed with dst or src if the specification refers only to the packet destination or source.

You can link multiple filter conditions via and or dust. You must bracket complex expressions using \( and \). Alternatively, you can use simple parentheses, but then you have to put the entire filter expression in apostrophes (e.g., '(port 1 or port 2)'). Other filter options are described in man pcap-filter.

Examples: The following command outputs information about all HTTP packets flowing through the wlan0 interface:

root# tcpdump -i wlan0 port 80

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on wlan0, link-type EN10MB (Ethernet)

10:34:33.681218 IP imac.57402 > bpf.tcpdump.org.http:

   Flags [S], seq 755525464, win 65535, options [mss 1460,nop,wscale 5,nop,nop,

   TS val 595975353 ecr 0,sackOK,eol], length 0 10:34:33.681793 IP imac.57403 >

bpf.tcpdump.org.http:

   Flags [S], seq 2954861158, win 65535, ...

The second command records the next 100 HTTP packets flowing from or to the IP address 192.139.46.66 in the dump.pcap file:

root# tcpdump -i wlan0 -n -c 100 -w dump.pcap port 80 and host 192.139.46.66

The third example determines packets that flow through the bridge br0 and that contain the specified MAC address (as sender or target):

root# tcpdump -i br0 -en | grep -i '00:50:56:00:D0:56'

Conclusion