diff --git a/cheatsheets/iptables b/cheatsheets/iptables
new file mode 100644
index 0000000..badc271
--- /dev/null
+++ b/cheatsheets/iptables
@@ -0,0 +1,18 @@
+# Show hit for rules with auto refresh
+watch --interval 0 'iptables -nvL | grep -v "0     0"'
+
+# Show hit for rule with auto refresh and highlight any changes since the last refresh
+watch -d -n 2 iptables -nvL
+
+# Block the port 902 and we hide this port from nmap.
+iptables -A INPUT -i eth0 -p tcp --dport 902 -j REJECT --reject-with icmp-port-unreachable
+
+# Note, --reject-with accept:
+#	icmp-net-unreachable
+#	icmp-host-unreachable
+#	icmp-port-unreachable <- Hide a port to nmap
+#	icmp-proto-unreachable
+#	icmp-net-prohibited
+#	icmp-host-prohibited or
+#	icmp-admin-prohibited
+#	tcp-reset
diff --git a/cheatsheets/ssh b/cheatsheets/ssh
index ee40c57..ce11b52 100644
--- a/cheatsheets/ssh
+++ b/cheatsheets/ssh
@@ -16,5 +16,8 @@ ssh -X -t user@example.com 'chromium-browser'
 # To create a SOCKS proxy on localhost and port 9999
 ssh -D 9999 user@example.com
 
+# -X use an xsession, -C compress data, "-c blowfish" use the encryption blowfish
+ssh user@example.com -C -c blowfish -X
+
 # For more information, see:
 # http://unix.stackexchange.com/q/12755/44856
diff --git a/cheatsheets/tcpdump b/cheatsheets/tcpdump
new file mode 100644
index 0000000..0011635
--- /dev/null
+++ b/cheatsheets/tcpdump
@@ -0,0 +1,63 @@
+# TCPDump is a packet analyzer. It allows the user to intercept and display TCP/IP
+# and other packets being transmitted or received over a network. (cf Wikipedia).
+# Note: 173.194.40.120 => google.com
+
+# Intercepts all packets on eth0
+tcpdump -i eth0
+
+# Intercepts all packets from/to 173.194.40.120
+tcpdump host 173.194.40.120
+
+# Intercepts all packets on all interfaces from / to 173.194.40.120 port 80
+# -nn => Disables name resolution for IP addresses and port numbers.
+tcpdump -nn -i any host 173.194.40.120 and port 80
+
+# Make a grep on tcpdump (ASCII)
+# -A  => Show only ASCII in packets.
+# -s0 => By default, tcpdump only captures 68 bytes.
+tcpdump -i -A any host 173.194.40.120 and port 80 | grep 'User-Agent'
+
+# With ngrep
+# -d eth0 => To force eth0 (else ngrep work on all interfaces)
+# -s0 => force ngrep to look at the entire packet. (Default snaplen: 65536 bytes)
+ngrep 'User-Agent' host 173.194.40.120 and port 80
+
+# Intercepts all packets on all interfaces from / to 8.8.8.8 or 173.194.40.127 on port 80
+tcpdump 'host ( 8.8.8.8 or 173.194.40.127 ) and port 80' -i any
+
+# Intercepts all packets SYN and FIN of each TCP session.
+tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0'
+
+# To display SYN and FIN packets of each TCP session to a host that is not on our network
+tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net local_addr'
+
+# To display all IPv4 HTTP packets that come or arrive on port 80 and that contain only data (no SYN, FIN no, no packet containing an ACK)
+tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
+
+# Saving captured data
+tcpdump -w file.cap
+
+# Reading from capture file
+tcpdump -r file.cap
+
+# Show content in hexa
+# Change -x to -xx => show extra header (ethernet).
+tcpdump -x
+
+# Show content in hexa and ASCII
+# Change -X to -XX => show extra header (ethernet).
+tcpdump -X
+
+# Note on packet maching:
+# Port matching:
+# - portrange 22-23
+# - not port 22
+# - port ssh
+# - dst port 22
+# - src port 22
+#
+# Host matching:
+# - dst host 8.8.8.8
+# - not dst host 8.8.8.8
+# - src net 67.207.148.0 mask 255.255.255.0
+# - src net 67.207.148.0/24