tcpdump

Commands
Print Version:
tcpdump --version
Prints a list of usable network interfaces to capture from:
tcpdump -D
Capture on the specified interface:
tcpdump -i InterfaceName
Do Not Resolve Hostnames:
tcpdump -n
Do Not Resolve Hostnames or Ports:
tcpdump -nn
Capture Ethernet Headers and Data:
tcpdump -e
Show Packet Contents in Hex and ASCII:
tcpdump -X
Show Ethernet Header + Packet Contents in Hex and ASCII:
tcpdump -XX
Increase Verbosity:
tcpdump -v
tcpdump -vv
tcpdump -vvv
Show Absolute Sequence Numbers in TCP:
tcpdump -S
Reduce Protocol Information in the Output:
tcpdump -q
Runs a capture on the specified interface and writes the output to a file:
tcpdump -i InterfaceName -w file.pcap
Read the output from a specified file:
tcpdump -r file.pcap
Write Packets to a File:
tcpdump -w capture_file.pcap
Filters
Combine Filters Using AND (&& or and); quote the expression so the shell does not treat && as its own operator:
tcpdump 'src host 192.168.1.1 && port 80'
Combine Filters Using OR (or):
tcpdump src host 192.168.1.1 or dst host 192.168.1.2
Exclude Specific Traffic Using NOT (not):
tcpdump not udp
Capture a Specific Number of Packets:
tcpdump -c 10
Limit the Amount of Data Captured from Each Packet (snapshot length in bytes; longer packets are truncated in the capture):
tcpdump -s 64
Filter by Packet Size:
tcpdump greater 1000
tcpdump less 500
Filter by Source or Destination Host:
tcpdump src host 192.168.1.1
tcpdump dst host 192.168.1.1
Filter by Network:
tcpdump net 192.168.1.0/24
Only capture traffic originating from or destined to the specified IP address or hostname:
tcpdump -i InterfaceName host 192.168.1.1
Filter the capture for anything sourcing from or destined to a port:
tcpdump -i InterfaceName port 80
Filter by Port Range:
tcpdump portrange 1000-2000
Filter by a protocol's common name (names such as icmp, tcp and udp are also filter keywords, so they must be lowercase, escaped with a backslash and quoted from the shell; tcpdump icmp is the short form):
tcpdump -i InterfaceName 'proto \icmp'
Filter by IP protocol number (6 is TCP; see the list below):
tcpdump -i InterfaceName proto 6
Protocol Number List
  • ICMP (Internet Control Message Protocol) -> 1

  • IGMP (Internet Group Management Protocol) -> 2

  • TCP (Transmission Control Protocol) -> 6

  • UDP (User Datagram Protocol) -> 17

  • OSPF (Open Shortest Path First) -> 89

  • EIGRP (Enhanced Interior Gateway Routing Protocol) -> 88

  • AH (Authentication Header) -> 51

  • ESP (Encapsulating Security Payload) -> 50

  • GRE (Generic Routing Encapsulation) -> 47

  • IPv6 (Internet Protocol version 6) -> 41

  • IPv4 (Internet Protocol version 4) -> 4

  • DCCP (Datagram Congestion Control Protocol) -> 33

  • SCTP (Stream Control Transmission Protocol) -> 132

  • RARP (Reverse Address Resolution Protocol) -> 3

  • PPTP (Point-to-Point Tunneling Protocol) -> 115

  • MPLS (Multiprotocol Label Switching) -> 89

  • X.25 -> 93

  • FDDI (Fiber Distributed Data Interface) -> 97
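A capture written with -w is a classic pcap file. The following is an added example (not part of this cheat sheet): a minimal Python reader that walks the records of such a file, handles the truncation -s introduces, and tallies IPv4 packets by the protocol numbers used with proto N. The sample capture bytes are constructed inline, not taken from a real capture.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4            # classic pcap magic, microsecond timestamps
LINKTYPE_ETHERNET = 1

def _ipv4_frame(proto, payload_len):
    """Constructed Ethernet/IPv4 frame carrying IP protocol number `proto`."""
    eth = b"\x00" * 12 + b"\x08\x00"               # zeroed MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 1, 0, 64,
                     proto, 0, bytes([192, 168, 1, 1]), bytes([192, 168, 1, 2]))
    return eth + ip + b"\x00" * payload_len

def _pcap_file(frames):
    """Constructed pcap bytes in the layout tcpdump -w writes on a little-endian host."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):                 # per-record header, then the frame
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out

# Constructed sample capture: two TCP (6), one UDP (17) and one ICMP (1) packet.
SAMPLE_PCAP = _pcap_file([_ipv4_frame(6, 20), _ipv4_frame(17, 8),
                          _ipv4_frame(6, 0), _ipv4_frame(1, 8)])

def iter_packets(data):
    """Yield (timestamp, frame) for each record in a classic pcap file."""
    (magic,) = struct.unpack("<I", data[:4])
    end = "<" if magic == PCAP_MAGIC else ">" if magic == 0xD4C3B2A1 else None
    if end is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack(end + "IHHiIII", data[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"link type {linktype} is not Ethernet; headers differ")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len             # incl_len < orig_len when -s truncated the packet

def protocol_counts(data):
    """Count IPv4 packets by IP protocol number (the N used with 'proto N')."""
    counts = {}
    for _ts, frame in iter_packets(data):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                # non-IPv4, or cut below the IP header by -s
        proto = frame[14 + 9]       # byte 9 of the IPv4 header is the protocol
        counts[proto] = counts.get(proto, 0) + 1
    return counts
```

Feed it the bytes of a file produced by tcpdump -w to get the same per-protocol breakdown that repeated proto N filters would give.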
