Packet captures

IFTOP (Linux)

pktmon (Windows)

tcpdump

Capture Commands

| Command | Example usage | Explanation |
|---|---|---|
| `-i any` | `tcpdump -i any` | Capture from all interfaces; live capture normally requires superuser privileges (sudo/su) |
| `-i eth0` | `tcpdump -i eth0` | Capture from the interface eth0 |
| `-c count` | `tcpdump -i eth0 -c 5` | Exit after receiving count (5) packets |
| `-r captures.pcap` | `tcpdump -r captures.pcap` | Read and analyze the saved capture file captures.pcap instead of a live interface (any `-i` is ignored when reading a file) |
| `tcp` | `tcpdump -i eth0 tcp` | Show TCP packets only |
| `udp` | `tcpdump -i eth0 udp` | Show UDP packets only |
| `icmp` | `tcpdump -i eth0 icmp` | Show ICMP packets only |
| `ip` | `tcpdump -i eth0 ip` | Show IPv4 packets only |
| `ip6` | `tcpdump -i eth0 ip6` | Show IPv6 packets only |
| `arp` | `tcpdump -i eth0 arp` | Show ARP packets only |
| `rarp` | `tcpdump -i eth0 rarp` | Show RARP packets only |
| `slip` | `tcpdump -i eth0 slip` | Show SLIP packets only |
| `-I` | `tcpdump -i eth0 -I` | Put the interface into monitor mode (valid only for IEEE 802.11 Wi-Fi interfaces) |
| `-K` | `tcpdump -i eth0 -K` | Don't verify IP, TCP or UDP checksums |
| `-p` | `tcpdump -i eth0 -p` | Don't put the interface into promiscuous mode (only traffic addressed to this host is seen) |

Filter Commands

| Filter expression | Explanation |
|---|---|
| `src host 127.0.0.1` | Filter by source IP/hostname 127.0.0.1 |
| `dst host 127.0.0.1` | Filter by destination IP/hostname 127.0.0.1 |
| `host 127.0.0.1` | Filter by source or destination = 127.0.0.1 |
| `ether src 01:23:45:AB:CD:EF` | Filter by source MAC 01:23:45:AB:CD:EF |
| `ether dst 01:23:45:AB:CD:EF` | Filter by destination MAC 01:23:45:AB:CD:EF |
| `ether host 01:23:45:AB:CD:EF` | Filter by source or destination MAC 01:23:45:AB:CD:EF |
| `src net 127.0.0.1` | Filter by source network 127.0.0.1 |
| `dst net 127.0.0.1` | Filter by destination network 127.0.0.1 |
| `net 127.0.0.1` | Filter by source or destination network 127.0.0.1 |
| `net 127.0.0.1/24` | Filter by source or destination network 127.0.0.1 with a netmask of length 24 (CIDR notation) |
| `src port 80` | Filter by source port = 80 |
| `dst port 80` | Filter by destination port = 80 |
| `port 80` | Filter by source or destination port = 80 |
| `src portrange 80-400` | Filter by source port value between 80 and 400 |
| `dst portrange 80-400` | Filter by destination port value between 80 and 400 |
| `portrange 80-400` | Filter by source or destination port value between 80 and 400 |
| `ether broadcast` | Filter for Ethernet broadcasts |
| `ip broadcast` | Filter for IPv4 broadcasts |
| `ether multicast` | Filter for Ethernet multicasts |
| `ip multicast` | Filter for IPv4 multicasts |
| `ip6 multicast` | Filter for IPv6 multicasts |
| `ip src host mydevice` | Filter by IPv4 source hostname mydevice |
| `arp dst host mycar` | Filter by ARP destination hostname mycar |
| `rarp src host 127.0.0.1` | Filter by RARP source 127.0.0.1 |
| `ip6 dst host mywatch` | Filter by IPv6 destination hostname mywatch |
| `tcp dst port 8000` | Filter by destination TCP port = 8000 |
| `udp src portrange 1000-2000` | Filter by source UDP ports in 1000–2000 |
| `sctp port 22` | Filter by SCTP source or destination port = 22 |

Output Commands

Customize your tcpdump output with the following commands.

| Command | Example | Explanation |
|---|---|---|
| `-w captures.pcap` | `tcpdump -i eth0 -w captures.pcap` | Write the raw captured packets to the file captures.pcap instead of printing them |
| `-d` | `tcpdump -i eth0 -d` | Dump the compiled packet-matching (BPF) code for the filter expression in human-readable form to standard output and stop |
| `-L` | `tcpdump -i eth0 -L` | List the known data link types for the interface and exit |
| `-q` | `tcpdump -i eth0 -q` | Quick/quiet output. Print less protocol information, so output lines are shorter. |
| `-U` | `tcpdump -i eth0 -U -w out.pcap` | Without `-w`: print a description of each packet's contents. With `-w`: write each packet to the output file out.pcap as soon as it is received rather than only when the output buffer fills. |

Example Usage

In the examples below, we craft specific commands by combining tcpdump switches and tcpdump filters.

| Example | Explanation |
|---|---|
| `tcpdump -r outfile.pcap src host 10.0.2.15` | Print all packets in the file outfile.pcap coming from the host with IP address 10.0.2.15 |
| `tcpdump -i any ip and not tcp port 80` | Listen on any network interface for IPv4 packets that are not TCP port 80 (i.e. non-HTTP traffic) |
| `tcpdump -i eth0 -n -c 30 -w pv01.pcap greater 32` | Save 30 packets of length exceeding 32 bytes to pv01.pcap, without DNS resolution (`-n`), from the eth0 network interface. The length test is the `greater` primitive; a bare `>32` would be taken by the shell as an output redirection. |
| `tcpdump -AtuvX icmp` | Capture ICMP traffic and print each packet in hex and ASCII (`-X`) with its payload as ASCII (`-A`), verbose headers (`-v`) and undecoded NFS handles (`-u`); link-level headers are not printed and timestamps are suppressed (`-t`). |
| `tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'` | Print all IPv4 HTTP packets to and from port 80 that carry data, i.e. skip SYN, FIN and ACK-only packets. The arithmetic is IP total length minus IP header length minus TCP header length, which is the TCP payload length, and it must be non-zero. |
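The following block is an added example, not part of the original cheat sheet: a minimal pure-Python reader for the classic pcap file format that `tcpdump -w` writes and `tcpdump -r` reads, which then evaluates the last example's filter (`tcp port 80` with a non-zero TCP payload) on every record using the same byte offsets the BPF expression uses (`ip[0]&0xf` for IHL, `ip[2:2]` for total length, `tcp[12]&0xf0` for the TCP data offset). All frames are constructed sample data, not captured traffic; the addresses 10.0.2.15 and 192.0.2.1, the ports and the file layout are assumptions for the demonstration. It goes one step beyond the table by including a packet with IP options (IHL 6), which shows why the expression reads the header lengths from the packet instead of assuming 20 bytes each.

```python
# Added example (not from the original cheat sheet): read a pcap file and apply
# the "HTTP packets that carry data" filter in Python. Sample data only.
import struct

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
LINKTYPE_ETHERNET = 1
# pcap magic number -> struct byte-order prefix (microsecond and nanosecond variants)
PCAP_MAGICS = {0xA1B2C3D4: "<", 0xA1B23C4D: "<", 0xD4C3B2A1: ">", 0x4D3CB2A1: ">"}


def build_tcp_frame(src_port, dst_port, flags, payload=b"", ip_options=b""):
    """Construct an Ethernet/IPv4/TCP frame (constructed sample data).
    Checksums are left at zero, which is what `-K` tells tcpdump to ignore."""
    assert len(ip_options) % 4 == 0, "IP options must pad to 32-bit words"
    ihl = 5 + len(ip_options) // 4                  # IP header length in 32-bit words
    total_len = ihl * 4 + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl, 0, total_len, 0x1234, 0, 64, 6, 0,
                         bytes([10, 0, 2, 15]), bytes([192, 0, 2, 1])) + ip_options
    tcp_hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1,
                          5 << 4, flags, 65535, 0, 0)  # data offset 5 words, no options
    eth_hdr = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    return eth_hdr + ip_hdr + tcp_hdr + payload


def build_pcap(frames):
    """Serialize frames as a little-endian classic pcap file (what `tcpdump -w` writes)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = b"".join(struct.pack("<IIII", 0, i, len(f), len(f)) + f
                       for i, f in enumerate(frames))
    return header + records


def read_pcap(data):
    """Yield the captured bytes of each record, honouring the byte order announced
    by the magic number and each record's captured (possibly snapped) length."""
    (magic,) = struct.unpack("<I", data[:4])
    endian = PCAP_MAGICS.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (bad magic)")
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("this reader only understands Ethernet (link type 1)")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if off + incl_len > len(data):
            raise ValueError("truncated record")
        yield data[off:off + incl_len]
        off += incl_len


def tcp_payload_len(frame):
    """Evaluate ip[2:2] - ((ip[0]&0xf)<<2) - ((tcp[12]&0xf0)>>2) on an Ethernet frame.
    Returns None for frames that are not IPv4/TCP, where tcpdump's `tcp` qualifier
    would already have rejected the packet."""
    if len(frame) < ETH_HDR_LEN + 20 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR_LEN:]
    if ip[0] >> 4 != 4 or ip[9] != 6:               # IP version 4, protocol 6 (TCP)
        return None
    ip_hdr_len = (ip[0] & 0x0F) << 2                 # IHL in words -> bytes
    total_len = (ip[2] << 8) | ip[3]                 # ip[2:2]: 16-bit total length
    tcp = ip[ip_hdr_len:]
    if len(tcp) < 20:
        return None
    tcp_hdr_len = (tcp[12] & 0xF0) >> 2              # data offset in words -> bytes
    return total_len - ip_hdr_len - tcp_hdr_len


def is_http_data_packet(frame):
    """The complete filter: tcp port 80 and a non-zero TCP payload length."""
    payload_len = tcp_payload_len(frame)
    if payload_len is None:
        return False
    ip = frame[ETH_HDR_LEN:]
    tcp = ip[(ip[0] & 0x0F) << 2:]
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    return 80 in (src_port, dst_port) and payload_len != 0


SAMPLE_FRAMES = [                                                  # constructed sample data
    build_tcp_frame(51000, 80, 0x02),                              # SYN, no data
    build_tcp_frame(51000, 80, 0x18, b"GET / HTTP/1.1\r\n"),       # PSH+ACK carrying a request
    build_tcp_frame(80, 51000, 0x10),                              # bare ACK from the server
    build_tcp_frame(51000, 80, 0x18, b"x", ip_options=b"\x01" * 4),  # IHL 6: IP options present
    build_tcp_frame(51000, 8000, 0x18, b"hello"),                  # data, but not port 80
]
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES)


def count_http_data_packets(pcap_bytes):
    """Python equivalent of `tcpdump -r file.pcap 'tcp port 80 and (... != 0)' | wc -l`."""
    return sum(1 for frame in read_pcap(pcap_bytes) if is_http_data_packet(frame))


if __name__ == "__main__":
    for i, frame in enumerate(read_pcap(SAMPLE_PCAP)):
        print(f"record {i}: payload={tcp_payload_len(frame)} matches={is_http_data_packet(frame)}")
    print("matching packets:", count_http_data_packets(SAMPLE_PCAP))
```

Only the second and fourth sample frames match: the SYN and the bare ACK have a payload length of 0, and the fifth carries data but on port 8000. The fourth frame has a 24-byte IP header, so a filter that hard-coded `ip[2:2] - 40` would report a payload of 5 bytes for it instead of the correct 1; reading IHL and the TCP data offset from the packet is what makes the expression robust to options in either header.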
