
TCPDump Command Builder

Visually build tcpdump commands for network traffic analysis and DDoS forensics. Select options, watch the command update in real time, and copy it with one click.

Generated Command: sudo tcpdump -i eth0

Quick Presets

Interface & Capture
Interface: use "any" to capture on all interfaces
Packet count: -c flag; leave empty for continuous capture
Snap length: -s flag; 0 = full packet
Output file: -w flag; saves as PCAP for Wireshark analysis

Display Options

Protocol Filter
TCP flags: only applies when protocol is TCP

Host & Port Filter
Network: capture all traffic for a network

Note: tcpdump requires root privileges (sudo). Capturing on production systems can impact performance at very high packet rates. Use -c to limit capture size and -w to save to file for offline analysis. PCAP files can contain sensitive data; handle them securely.
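As an added example, not the code behind the Flowtriq builder: a Python function that assembles the same kind of command line from builder-style options and uses shlex to quote the BPF filter. Filter expressions like the SYN-flood ones in the FAQ below contain characters (&, !, [ and ]) that a POSIX shell would otherwise interpret, so the filter has to reach tcpdump as a single quoted argument. The option names are assumptions; the flags they emit are the ones in the reference on this page.

```python
"""Added example (not the Flowtriq builder's code): assemble a tcpdump command
line from builder-style options, quoting the BPF filter for the shell."""
import shlex


def build_tcpdump_command(interface="eth0", count=None, snaplen=None, write_file=None,
                          no_resolve=0, verbose=0, hex_ascii=False, ascii_only=False,
                          link_layer=False, timestamps=False, filter_expr=None, sudo=True):
    """Return the command as one string. Option names are assumptions; the flags
    they map to are the ones in the reference list on this page."""
    argv = ["sudo"] if sudo else []                  # tcpdump needs root to open the interface
    argv += ["tcpdump", "-i", interface]
    if count is not None:
        if int(count) <= 0:
            raise ValueError("-c needs a positive packet count; omit it for continuous capture")
        argv += ["-c", str(count)]
    if snaplen is not None:
        argv += ["-s", str(snaplen)]                 # 0 = capture the entire packet
    if no_resolve:
        argv.append("-" + "n" * min(no_resolve, 2))  # -n skips host names, -nn also ports
    if verbose:
        argv.append("-" + "v" * min(verbose, 3))     # -v, -vv or -vvv
    if hex_ascii:
        argv.append("-X")
    elif ascii_only:
        argv.append("-A")
    if link_layer:
        argv.append("-e")
    if timestamps:
        argv.append("-tttt")
    if write_file:
        argv += ["-w", write_file]
    if filter_expr:
        argv.append(filter_expr)                     # one argv element; shlex quotes it below
    # shlex.join wraps anything containing spaces, '&', '!' or brackets in single
    # quotes, so the filter reaches tcpdump intact instead of being parsed by the shell.
    return shlex.join(argv)


def parse_back(command):
    """Split the generated string the way a POSIX shell would; the filter must come back whole."""
    return shlex.split(command)


if __name__ == "__main__":
    print(build_tcpdump_command())
    print(build_tcpdump_command(no_resolve=2, count=10000, write_file="syn_flood.pcap",
                                filter_expr="tcp[tcpflags] & tcp-syn != 0 and "
                                            "tcp[tcpflags] & tcp-ack == 0"))
```

Running the script prints the builder's default command and a quoted SYN-flood capture command; parse_back shows that the filter survives a round trip through shell word splitting as one argument.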

TCPDump Flag Reference

-i <iface>

Specify the network interface to listen on. Use "any" for all interfaces.

-c <count>

Capture only this many packets, then stop. Useful for quick samples.

-w <file>

Write raw packets to a PCAP file. Open later in Wireshark for analysis.

-n / -nn

Skip DNS resolution (-n) and port name resolution (-nn). Much faster output.

-v / -vv / -vvv

Increasing verbosity. Shows TTL, ID, IP options, ICMP details, etc.

-X

Print packet data in hex and ASCII. Essential for payload inspection.

-A

Print packet payload in ASCII only. Great for HTTP traffic inspection.

-e

Show link-layer (Ethernet) headers. Useful for VLAN/MAC analysis.

-s <len>

Snap length: how many bytes per packet to capture. 0 = entire packet.

-tttt

Print timestamps with date. Makes correlation with logs much easier.

tcp[tcpflags]

Filter by TCP flag bits. Detect SYN floods, RST storms, and more.

-r <file>

Read packets from a PCAP file instead of live capture. For offline analysis.

Frequently Asked Questions

How do I use tcpdump to detect a DDoS attack?

Run sudo tcpdump -i eth0 -n -c 1000 to capture a sample. Look for: single-protocol floods, SYN-only packets, uniform packet sizes (amplification), or high PPS from a small set of source IPs. Add -w attack.pcap to save the capture for analysis. Use the filter 'tcp[tcpflags] & tcp-syn != 0' (quoted, so the shell does not interpret the brackets or the &) to isolate SYN floods.

What tcpdump filter captures only SYN flood traffic?

'tcp[tcpflags] & tcp-syn != 0 and tcp[tcpflags] & tcp-ack == 0' (quote the expression on the command line) captures TCP SYN packets without ACK — the signature of a SYN flood. Combine with -nn to skip DNS and port-name resolution, and with -c 10000 -w syn_flood.pcap to capture 10,000 packets for offline analysis.
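The tcp[tcpflags] entry in the flag reference and the two SYN-flood answers above all come down to one byte of the TCP header. The following Python script is an added example, not part of the Flowtriq tool or this page: it constructs a small PCAP in memory (addresses from the RFC 5737 documentation ranges, no live capture), re-reads it the way a forensic parser would, applies the same SYN-without-ACK test that the tcpdump filter expresses, and computes the triage indicators named in the first answer (share of SYN-only packets, top source addresses, packet-size uniformity). The 0.8 ratio threshold and the sample traffic are illustrative assumptions.

```python
"""Added example (not Flowtriq code): build a constructed PCAP in memory,
parse it back, and apply tcpdump's SYN-flood filter semantics plus the
triage indicators from the FAQ. Addresses come from the RFC 5737
documentation ranges; nothing here touches a real interface."""
import struct
from collections import Counter
from ipaddress import IPv4Address

# Bits of TCP header byte 13, which tcpdump exposes as tcp[tcpflags].
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def is_syn_only(flags):
    """Python form of: tcp[tcpflags] & tcp-syn != 0 and tcp[tcpflags] & tcp-ack == 0"""
    return (flags & TCP_SYN) != 0 and (flags & TCP_ACK) == 0


def build_frame(src_ip, dst_ip, src_port, dst_port, flags, payload=b""):
    """Ethernet + IPv4 + TCP frame. Checksums are left zero: constructed test data."""
    eth = b"\x00" * 6 + b"\x11" * 6 + b"\x08\x00"          # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 0,
                      5 << 4, flags, 65535, 0, 0)            # data offset 5 words, no options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0x4000, 64, 6, 0,                   # DF set, TTL 64, protocol 6 = TCP
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return eth + ip + tcp + payload


def write_pcap(frames):
    """Classic libpcap format: 24-byte global header, 16-byte record header per frame."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]  # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1_700_000_000, i, len(frame), len(frame)) + frame)
    return b"".join(out)


def read_pcap(data):
    """Yield (src_ip, dst_port, tcp_flags, frame_len) for every IPv4/TCP frame."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = "<" if magic == 0xA1B2C3D4 else ">"             # honour the writer's byte order
    offset = 24
    while offset + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", data, offset)
        frame = data[offset + 16: offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                         # too short, not IPv4, or not TCP
        tcp_off = 14 + (frame[14] & 0x0F) * 4                # Ethernet header + IHL
        src_ip = str(IPv4Address(frame[26:30]))
        dst_port = struct.unpack_from("!H", frame, tcp_off + 2)[0]
        yield src_ip, dst_port, frame[tcp_off + 13], len(frame)


def triage(data, syn_ratio_threshold=0.8):
    """Indicators from the FAQ: SYN-only share, top sources, size uniformity.
    The 0.8 threshold is an illustrative assumption, not a Flowtriq setting."""
    pkts = list(read_pcap(data))
    syn_only = [p for p in pkts if is_syn_only(p[2])]
    ratio = len(syn_only) / len(pkts) if pkts else 0.0
    return {
        "total": len(pkts),
        "syn_only": len(syn_only),
        "syn_only_ratio": round(ratio, 2),
        "top_sources": Counter(p[0] for p in syn_only).most_common(3),
        "uniform_size": len({p[3] for p in syn_only}) == 1,
        "suspect": ratio >= syn_ratio_threshold,
    }


def sample_capture():
    """Constructed traffic: 30 bare SYNs to :443 from three sources, plus one normal client."""
    frames = [build_frame(f"198.51.100.{i % 3 + 1}", "192.0.2.10", 40000 + i, 443, TCP_SYN)
              for i in range(30)]
    client, server = "203.0.113.5", "192.0.2.10"
    frames += [
        build_frame(client, server, 51000, 443, TCP_SYN),
        build_frame(server, client, 443, 51000, TCP_SYN | TCP_ACK),
        build_frame(client, server, 51000, 443, TCP_ACK),
        build_frame(client, server, 51000, 443, TCP_PSH | TCP_ACK, b"GET / HTTP/1.1\r\n"),
    ]
    return write_pcap(frames)


if __name__ == "__main__":
    for key, value in triage(sample_capture()).items():
        print(f"{key}: {value}")
```

The legitimate client's SYN is counted as SYN-only too, which is the point: the filter isolates packets, not intent, and it is the ratio, the concentration on a few sources and the identical frame sizes that separate a flood from ordinary connection setup. Swap sample_capture() for the bytes of a real -w output to run the same triage on a saved capture.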

How do I save tcpdump output to a PCAP file for Wireshark?

Use tcpdump -i eth0 -w output.pcap to write a binary PCAP. Add -C 100 to rotate at 100 MB and -W 10 to keep only the last 10 files (a ring buffer). Open the resulting .pcap directly in Wireshark for graphical analysis and to apply display filters.