Command

| Command | Description |
|---|---|
| -a | Converts network and broadcast addresses to names. |
| -A | Displays each packet (excluding its link-level header) in ASCII. |
| -e | Prints the link-level header on each dump line. |
| -E | Decrypts IPsec traffic using a supplied encryption key. |
| -n | Avoids converting addresses (such as host addresses) to names. |
| -N | Does not print the domain name qualification of host names. |
| -S | Prints absolute, rather than relative, TCP sequence numbers. |
| -t | Omits the timestamp on each dump line. |
| -tt | Prints an unformatted timestamp on each dump line. |
| -ttt | Prints the delta (microsecond resolution) between the current and previous line. |
| -tttt | Prints the timestamp in default format, preceded by the date, on each dump line. |
| -v | Provides verbose output (slightly more detailed). |
| -vv | Provides more verbose output (more detailed than -v). |
| -vvv | Provides very verbose output (even more detailed than -vv). |
| -c count | Exits after receiving count packets. |
| -F file | Uses file as a filter file for reading packet filters. |
| -i interface | Captures packets from interface. If not specified, tcpdump selects a default interface. |
| -r file | Reads packets from file. |
| -s bytes | Snaps (truncates) each packet at the given number of bytes. Default is 65535. |
| -w file | Writes the raw packets to file instead of parsing and printing them. |
| -x | Prints packets in hex. |
| -X | Prints packets in hex and ASCII. |
| Command | Example usage | Explanation |
|---|---|---|
| -i any | tcpdump -i any | Capture from all interfaces; may require superuser privileges (sudo/su) |
| -i eth0 | tcpdump -i eth0 | Capture from the interface eth0 |
| -c count | tcpdump -i eth0 -c 5 | Exit after receiving count (5) packets |
| -r captures.pcap | tcpdump -r captures.pcap | Read and analyze the saved capture file captures.pcap |
| tcp | tcpdump -i eth0 tcp | Show TCP packets only |
| udp | tcpdump -i eth0 udp | Show UDP packets only |
| icmp | tcpdump -i eth0 icmp | Show ICMP packets only |
| ip | tcpdump -i eth0 ip | Show IPv4 packets only |
| ip6 | tcpdump -i eth0 ip6 | Show IPv6 packets only |
| arp | tcpdump -i eth0 arp | Show ARP packets only |
| rarp | tcpdump -i eth0 rarp | Show RARP packets only |
| slip | tcpdump -i eth0 slip | Show SLIP packets only |
| -I | tcpdump -i eth0 -I | Put the interface into monitor mode (IEEE 802.11 wireless interfaces only) |
| -K | tcpdump -i eth0 -K | Don't verify IP, TCP or UDP checksums |
| -p | tcpdump -i eth0 -p | Don't put the interface into promiscuous mode |

| Acronym | Meaning |
|---|---|
| AH | Authentication Header (RFC 2402) |
| ARP | Address Resolution Protocol (RFC 826) |
| BGP | Border Gateway Protocol (RFC 1771) |
| CWR | Congestion Window Reduced (RFC 2481) |
| DF | Do not fragment flag (RFC 791) |
| DHCP | Dynamic Host Configuration Protocol (RFC 2131) |
| DNS | Domain Name System (RFC 1035) |
| ECN | Explicit Congestion Notification (RFC 3168) |
| ESP | Encapsulating Security Payload (RFC 2406) |
| FTP | File Transfer Protocol (RFC 959) |
| GRE | Generic Route Encapsulation (RFC 2784) |
| HTTP | Hypertext Transfer Protocol (RFC 1945) |
| ICMP | Internet Control Message Protocol (RFC 792) |
| IGMP | Internet Group Management Protocol (RFC 2236) |
| IMAP | Internet Message Access Protocol (RFC 2060) |
| IP | Internet Protocol (RFC 791) |
| ISAKMP | Internet Security Association and Key Management Protocol (RFC 7296) |
| L2TP | Layer 2 Tunneling Protocol (RFC 2661) |
| OSPF | Open Shortest Path First (RFC 1583) |
| POP3 | Post Office Protocol v3 (RFC 1460) |
| RFC | Request for Comments |
| SMTP | Simple Mail Transfer Protocol (RFC 821) |
| SSH | Secure Shell (RFC 4253) |
| SSL | Secure Sockets Layer (RFC 6101) |
| TCP | Transmission Control Protocol (RFC 793) |
| TLS | Transport Layer Security (RFC 5246) |
| TFTP | Trivial File Transfer Protocol (RFC 1350) |
| TOS | Type of Service (RFC 2474) |
| UDP | User Datagram Protocol (RFC 768) |

| Filter expression | Explanation |
|---|---|
| src host 127.0.0.1 | Filter by source IP/hostname 127.0.0.1 |
| dst host 127.0.0.1 | Filter by destination IP/hostname 127.0.0.1 |
| host 127.0.0.1 | Filter by source or destination = 127.0.0.1 |
| ether src 01:23:45:AB:CD:EF | Filter by source MAC 01:23:45:AB:CD:EF |
| ether dst 01:23:45:AB:CD:EF | Filter by destination MAC 01:23:45:AB:CD:EF |
| ether host 01:23:45:AB:CD:EF | Filter by source or destination MAC 01:23:45:AB:CD:EF |
| src net 127.0.0.1 | Filter by source network 127.0.0.1 |
| dst net 127.0.0.1 | Filter by destination network 127.0.0.1 |
| net 127.0.0.1 | Filter by source or destination network 127.0.0.1 |
| net 127.0.0.1/24 | Filter by source or destination network 127.0.0.1 with a netmask of length 24 |
| src port 80 | Filter by source port = 80 |
| dst port 80 | Filter by destination port = 80 |
| port 80 | Filter by source or destination port = 80 |
| src portrange 80-400 | Filter by source port between 80 and 400 |
| dst portrange 80-400 | Filter by destination port between 80 and 400 |
| portrange 80-400 | Filter by source or destination port between 80 and 400 |
| ether broadcast | Filter for Ethernet broadcasts |
| ip broadcast | Filter for IPv4 broadcasts |
| ether multicast | Filter for Ethernet multicasts |
| ip multicast | Filter for IPv4 multicasts |
| ip6 multicast | Filter for IPv6 multicasts |
| ip src host mydevice | Filter by IPv4 source hostname mydevice |
| arp dst host mycar | Filter by ARP destination hostname mycar |
| rarp src host 127.0.0.1 | Filter by RARP source host 127.0.0.1 |
| ip6 dst host mywatch | Filter by IPv6 destination hostname mywatch |
| tcp dst port 8000 | Filter by destination TCP port = 8000 |
| udp src portrange 1000-2000 | Filter by source UDP port between 1000 and 2000 |
| sctp port 22 | Filter by source or destination SCTP port = 22 |

| Command | Example | Explanation |
|---|---|---|
| -A | tcpdump -i eth0 -A | Print each packet (minus its link-level header) in ASCII. Handy for capturing web pages. |
| -D | tcpdump -D | Print the list of network interfaces available on the system on which tcpdump can capture packets. |
| -e | tcpdump -i eth0 -e | Print the link-level header on each output line, such as MAC addresses for protocols like Ethernet and IEEE 802.11. |
| -F params.conf | tcpdump -i eth0 -F /path/to/params.conf | Use the file params.conf as input for the filter expression. (Any other expressions on the command line are ignored.) |
| -n | tcpdump -i eth0 -n | Don't convert addresses (host addresses, port numbers, etc.) to names. |
| -S | tcpdump -i eth0 -S | Print absolute, rather than relative, TCP sequence numbers. (Absolute TCP sequence numbers are longer.) |
| --time-stamp-precision=tsp | tcpdump -i eth0 --time-stamp-precision=nano | When capturing, set the timestamp precision of the capture to tsp: micro for microseconds (default) or nano for nanoseconds. |
| -t | tcpdump -i eth0 -t | Omit the timestamp on each output line. |
| -tt | tcpdump -i eth0 -tt | Print the timestamp as seconds since January 1, 1970, 00:00:00 UTC, plus fractions of a second, on each dump line. |
| -ttt | tcpdump -i eth0 -ttt | Print a delta (microsecond or nanosecond resolution, depending on --time-stamp-precision) between the current and previous line on each output line. The default is microsecond resolution. |
| -tttt | tcpdump -i eth0 -tttt | Print a timestamp as hours, minutes, seconds and fractions of a second since midnight, preceded by the date, on each dump line. |
| -ttttt | tcpdump -i eth0 -ttttt | Print a delta (microsecond or nanosecond resolution, depending on --time-stamp-precision) between the current and first line on each dump line. The default is microsecond resolution. |
| -u | tcpdump -i eth0 -u | Print undecoded network file system (NFS) handles. |
| -v | tcpdump -i eth0 -v | Produce verbose output. When writing to a file (-w) and not reading from a file (-r), also report to standard error, once per second, the number of packets captured. |
| -vv | tcpdump -i eth0 -vv | More verbose output than -v. |
| -vvv | tcpdump -i eth0 -vvv | More verbose output than -vv. |
| -x | tcpdump -i eth0 -x | Print the headers and data of each packet (minus its link-level header) in hex. |
| -xx | tcpdump -i eth0 -xx | Print the headers and data of each packet, including its link-level header, in hex. |
| -X | tcpdump -i eth0 -X | Print the headers and data of each packet (minus its link-level header) in hex and ASCII. |
| -XX | tcpdump -i eth0 -XX | Print the headers and data of each packet, including its link-level header, in hex and ASCII. |
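The -tt, -ttt, -tttt and -ttttt views are arithmetic variations of one timestamp. The script below is an added example, not part of the original cheat sheet: it parses `tcpdump -tt -n` output and reproduces the other three views from it, so a capture saved with -tt can be re-examined without rerunning tcpdump. The sample lines are constructed, not a real capture.

```python
"""Post-process `tcpdump -tt -n` output into the -ttt / -tttt / -ttttt views."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of `tcpdump -tt -n` output (not a real capture).
SAMPLE = """\
1714127880.000000 IP 10.0.0.5.54321 > 10.0.0.1.22: Flags [S], seq 1, win 65535, length 0
1714127880.000250 IP 10.0.0.1.22 > 10.0.0.5.54321: Flags [S.], seq 2, ack 2, win 65535, length 0
1714127881.500000 IP 10.0.0.5.54321 > 10.0.0.1.22: Flags [.], ack 3, win 65535, length 0
"""

# -tt prints "<seconds>.<fraction>" (6 digits for micro, 9 for nano precision).
LINE_RE = re.compile(r"^(?P<sec>\d+)\.(?P<frac>\d+)\s+(?P<rest>.*)$")


def parse_tt(text):
    """Return [(timestamp_in_microseconds, remainder_of_line), ...].

    Timestamps are kept as integers so deltas are exact; a nanosecond
    fraction is truncated to microseconds.
    """
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # warnings and continuation lines carry no timestamp
        micros = int(m["sec"]) * 1_000_000 + int(m["frac"].ljust(6, "0")[:6])
        rows.append((micros, m["rest"]))
    return rows


def deltas_previous(rows):
    """-ttt view: microseconds between each line and the previous one."""
    return [0 if i == 0 else rows[i][0] - rows[i - 1][0] for i in range(len(rows))]


def deltas_first(rows):
    """-ttttt view: microseconds between each line and the first line."""
    return [ts - rows[0][0] for ts, _ in rows] if rows else []


def format_tttt(micros):
    """-tttt view: date followed by time of day (rendered in UTC here)."""
    dt = datetime.fromtimestamp(micros // 1_000_000, tz=timezone.utc)
    dt += timedelta(microseconds=micros % 1_000_000)
    return dt.strftime("%Y-%m-%d %H:%M:%S.%f")


if __name__ == "__main__":
    rows = parse_tt(SAMPLE)
    for (ts, rest), d_prev, d_first in zip(rows, deltas_previous(rows), deltas_first(rows)):
        print(f"{format_tttt(ts)}  +{d_prev:>8}us  +{d_first:>8}us  {rest}")
```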

| Command | Example | Explanation |
|---|---|---|
| -w captures.pcap | tcpdump -i eth0 -w captures.pcap | Write the capture to the file captures.pcap |
| -d | tcpdump -i eth0 -d | Dump the compiled packet-matching code in human-readable form to standard output and stop |
| -L | tcpdump -i eth0 -L | List the data link types supported by the interface |
| -q | tcpdump -i eth0 -q | Quick/quiet output: print less protocol information, so output lines are shorter |
| -U | tcpdump -i eth0 -U -w out.pcap | Without -w: flush the printed description of each packet as soon as it is written (packet-buffered output). With -w: write each packet to the output file out.pcap as it is captured rather than only when the output buffer fills |
| Operator | Syntax | Example | Description |
|---|---|---|---|
| AND | and, && | tcpdump -n src 127.0.0.1 and dst port 21 | Both conditions joined by "and" must match |
| OR | or, \|\| | tcpdump -n src 127.0.0.1 or dst port 21 | Either condition joined by "or" may match |
| EXCEPT | not, ! | tcpdump dst 127.0.0.1 and not icmp | Negate the condition prefixed by "not" |
| LESS | less, <, <= | tcpdump dst host 127.0.0.1 and less 128 | Show packets whose length is less than or equal to 128 bytes; less 128 is shorthand for len <= 128. The bare < and <= operators compare arithmetic expressions, e.g. len < 32 |
| GREATER | greater, >, >= | tcpdump dst host 127.0.0.1 and greater 64 | Show packets whose length is greater than or equal to 64 bytes; greater 64 is shorthand for len >= 64. The bare > and >= operators compare arithmetic expressions, e.g. len > 32 |
| EQUAL | =, == | tcpdump 'host 127.0.0.1 and len = 0' | Show packets with zero length |

Last updated 26 Apr 2024, 15:18 +0530.