The command-line packet capture workhorse. Options come first, then an optional BPF filter expression; quote the filter so the shell does not interpret it.
// common options
-i <iface>
Capture interface
-n / -nn
Don't resolve hostnames (-n) / hostnames and port or protocol names (-nn)
-c <n>
Stop after n packets
-w <file>
Write to a .pcap file
-r <file>
Read from a file
-s <len>
Snap length: bytes captured per packet (0 = the default maximum of 262144, which keeps full packets)
-A
Payload as ASCII
-X
Payload as hex + ASCII
-e
Show link-level headers
-v / -vv / -vvv
More verbose output
-D
List interfaces
-p
Don't enter promiscuous mode
// filter primitives
[src|dst] host <h>
Match a host (optionally by direction)
[src|dst] net <n>/<l>
Endpoint within a network
[tcp|udp] [src|dst] port <p>
Match a TCP/UDP port
portrange <a>-<b>
A range of ports
tcp / udp / icmp / arp
By protocol
vlan [id]
802.1Q frames
mpls [label]
MPLS packets
less / greater <len>
By packet length
combine with and / && · or / || · not / ! · group with ( ) · quote the whole expression for the shell
// examples
tcpdump -i eth0 'host 10.0.0.1'
All traffic to/from a host
tcpdump 'tcp port 80 or 8080'
HTTP on either port (the tcp and port qualifiers carry over to 8080)
tcpdump -nn 'udp and not port 53'
UDP, excluding DNS in both directions ("udp dst port not 53" is a syntax error: not is an operator, not a port qualifier)
tcpdump -w cap.pcap -c 100
Save 100 packets to a file
// reading a line
timestamp
HH:MM:SS.frac — when it was captured
src > dst
source IP.port > destination IP.port (the port is the last dotted component; -nn keeps both numeric)
Flags [..]
TCP control flags set
seq / ack
sequence & acknowledgement numbers
win
receive window size
length
payload bytes (for TCP, the data after the header; 0 on bare SYN/ACK/FIN segments)
// TCP flag notation
[S]
SYN — open request
[S.]
SYN-ACK — open accepted
[.]
ACK — acknowledgement
[P.]
PSH-ACK — data pushed
[F.]
FIN-ACK — closing
[R]
RST — reset / refused ([R.] when the reset also carries an ACK)
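The flag notation and line layout above are enough to triage a capture from the terminal. As an added example (not part of the original cheat sheet), the shell function below reads `tcpdump -nn` lines, keeps only bare SYNs (`[S]` exactly, so the `[S.]` SYN-ACK replies are excluded), and reports each source with the number of distinct destination ports it probed; many distinct ports from one source with no completed handshake is the signature of a port scan. The sample lines are constructed to mimic tcpdump -nn output, and the function names `syn_sources` and `scan_suspects` and the threshold of 3 ports are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): find SYN-only senders in
# `tcpdump -nn` output. A source sending bare [S] to many distinct ports on one
# host, without ever finishing the handshake, looks like a port scan.
# The SAMPLE lines are constructed to mimic tcpdump -nn formatting.

SAMPLE='12:00:01.000123 IP 10.0.0.5.44321 > 10.0.0.1.22: Flags [S], seq 100, win 64240, options [mss 1460,sackOK,TS val 1 ecr 0,nop,wscale 7], length 0
12:00:01.000456 IP 10.0.0.1.22 > 10.0.0.5.44321: Flags [S.], seq 200, ack 101, win 65160, options [mss 1460], length 0
12:00:01.000789 IP 10.0.0.5.44321 > 10.0.0.1.22: Flags [.], ack 1, win 502, length 0
12:00:02.000000 IP 192.168.1.9.50001 > 10.0.0.1.80: Flags [S], seq 1, win 1024, length 0
12:00:02.000100 IP 192.168.1.9.50002 > 10.0.0.1.443: Flags [S], seq 1, win 1024, length 0
12:00:02.000200 IP 192.168.1.9.50003 > 10.0.0.1.8080: Flags [S], seq 1, win 1024, length 0
12:00:02.000300 IP 10.0.0.1.443 > 192.168.1.9.50002: Flags [R.], seq 0, ack 2, win 0, length 0
12:00:02.000400 IP 192.168.1.9.50004 > 10.0.0.1.22: Flags [S], seq 1, win 1024, length 0'

# syn_sources: read tcpdump -nn lines on stdin and print
#   "<src-ip> <distinct-dst-ports> <syn-count>"
# for every source that sent a bare SYN. Field layout of a tcpdump -nn line:
#   $1 timestamp, $2 "IP", $3 src.port, $4 ">", $5 dst.port followed by ":",
#   $6 "Flags", $7 the flag token including its trailing comma, e.g. "[S],"
syn_sources() {
  awk '
    $2 == "IP" && $6 == "Flags" && $7 == "[S]," {
      src = $3; sub(/\.[0-9]+$/, "", src)           # "10.0.0.5.44321" -> "10.0.0.5"
      dst = $5; sub(/:$/, "", dst)                   # drop the trailing colon
      if (match(dst, /\.[0-9]+$/)) port = substr(dst, RSTART + 1); else next
      syn[src]++
      if (!((src, port) in seen)) { seen[src, port] = 1; ports[src]++ }
    }
    END { for (s in syn) printf "%s %d %d\n", s, ports[s], syn[s] }
  ' | sort
}

# scan_suspects: sources whose bare SYNs hit at least N distinct ports (default 3)
scan_suspects() {
  min=${1:-3}
  syn_sources | awk -v min="$min" '$2 >= min { print $1 }'
}

# stand-alone run over the constructed sample; in practice feed it
#   tcpdump -nn -r cap.pcap 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'
printf '%s\n' "$SAMPLE" | scan_suspects
```

On the sample, 10.0.0.5 completes a normal three-way handshake (one SYN, one port) and is ignored, while 192.168.1.9 sends bare SYNs to 22, 80, 443 and 8080 and is reported. Pre-filtering with the SYN-only BPF expression in the comment keeps tcpdump from printing the ACK and data segments in the first place, which matters on a busy link.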
recipes · copy & run
# rolling capture to disk, no name resolution: rotate at ~100 MB (-C counts millions of bytes) and keep a ring of 5 files (-W)
tcpdump -i eth0 -nn -w cap.pcap -C 100 -W 5
# traffic between one host and TCP 443, payload printed as ASCII (-A only helps with cleartext protocols; TLS on 443 shows as noise, use port 80 to read HTTP)
tcpdump -i eth0 -nn -A 'host 10.0.0.1 and tcp port 443'
# SYN packets only (new connections): SYN set and ACK clear, so SYN-ACK replies are excluded
tcpdump -nn 'tcp[tcpflags] & tcp-syn != 0 and tcp[tcpflags] & tcp-ack == 0'
# read back a saved capture, applying a BPF filter while reading
tcpdump -r cap.pcap -nn 'icmp or arp'