Capture packets with IP address without DNS resolution
tcpdump -n -i eth0
Capture packets with a full, human-readable date and time stamp (-tttt)
tcpdump -n -tttt -i eth0
Capture only packets at least, or at most, N bytes long (greater and less are inclusive comparisons on the frame length)
tcpdump -w capture.pcap greater 1024
tcpdump -w capture.pcap less 1024
Capture only packets of a specific protocol
tcpdump -i eth0 arp
Capture packets flowing to or from a particular port
tcpdump -i eth0 port 22
Capture packets for particular destination IP and Port
tcpdump -w xpackets.pcap -i eth0 dst 10.181.140.216 and port 22
Capture TCP communication between two hosts (the parentheses are escaped so the shell passes them to tcpdump; they are optional here)
tcpdump -w comm.pcap -i eth0 tcp and \(host 172.20.68.176 and host 172.24.173.9\)
Capture all packets other than ARP and RARP. The 'and', 'or' and 'not' operators combine filter primitives
tcpdump -i eth0 not arp and not rarp
Reading PCAPs
Reading pcap file
tcpdump -r data.pcap
Viewing all headers
tcpdump -e -nn -vv -r data.pcap
Viewing hexadecimal data
tcpdump -XX -r data.pcap
TCPDump Parameters
Modifiers
Symbol   Word
!        not
&&       and
||       or
When the symbol forms (or parentheses) are used, put the whole expression in single quotes, because the shell interprets !, && and || itself.
Examples
Filter                              Description
udp dst port not 53                 UDP not bound for port 53
host 10.0.0.1 && host 10.0.0.2      Traffic between these hosts
tcp dst port 80 or 8080             Packets to either TCP port
Protocol keywords
Keywords
arp
ether
icmp
ip
ip6
ppp
rarp
tcp
udp
wlan
TCP Flags
Flag Keywords
tcp-urg
tcp-rst
tcp-ack
tcp-syn
tcp-psh
tcp-fin
Capture Filter Primitives
Filter                                      Description
[src|dst] host <host>                       Matches a host as the IP source, destination, or either
ether [src|dst] host <ehost>                Matches a host as the Ethernet source, destination, or either
gateway host <host>                         Matches packets which used host as a gateway
[src|dst] net <network>/<len>               Matches packets to or from an endpoint residing in network
[tcp|udp] [src|dst] port <port>             Matches TCP or UDP packets sent to/from port
[tcp|udp] [src|dst] portrange <p1>-<p2>     Matches TCP or UDP packets to/from a port in the given range
less <length>                               Matches packets less than or equal to length
greater <length>                            Matches packets greater than or equal to length
(ether|ip|ip6) proto <protocol>             Matches an Ethernet, IPv4, or IPv6 protocol
(ether|ip) broadcast                        Matches Ethernet or IPv4 broadcasts
(ether|ip|ip6) multicast                    Matches Ethernet, IPv4, or IPv6 multicasts
type (mgt|ctl|data) [subtype <subtype>]     Matches 802.11 frames based on type and optional subtype
vlan [<vlan>]                               Matches 802.1Q frames, optionally with a VLAN ID of vlan
mpls [<label>]                              Matches MPLS packets, optionally with a label of label
<expr> <relop> <expr>                       Matches packets by an arbitrary expression
Command Line Options
-A Print frame payload in ASCII
-c <count> Exit after capturing count packets
-D List available interfaces
-e Print link-level headers
-F <file> Use file as the filter expression
-G <n> Rotate the dump file every n seconds
-i <iface> Specifies the capture interface
-K Don't verify TCP checksums
-L List data link types for the interface
-n Don't convert addresses to names
-p Don't capture in promiscuous mode
-q Quick output
-r <file> Read packets from file
-s <len> Capture up to len bytes per packet
-S Print absolute TCP sequence numbers
-t Don't print timestamps
-v[v[v]] Print more verbose output
-w <file> Write captured packets to file
-x Print frame payload in hex
-X Print frame payload in hex and ASCII
-y <type> Specify the data link type