tcpdump – dump traffic on a network


tcpdump [-adeflnNOpqRStuvxX] [-c count] [-C file_size] [-F file] [-i interface] [-m module] [-r file] [-s snaplen] [-T type] [-U user] [-w file] [-E algo:secret] [expression]


Tcpdump prints the headers of packets on a network interface that match the boolean expression.

-w flag: save the packet data to a file

-r flag: read from a saved packet file rather than reading packets from a network interface

Tcpdump will continue capturing packets until it is interrupted (ctrl-c or kill command)

If it is started with the -c flag, it will capture packets until it is interrupted by a SIGINT or SIGTERM signal or until the specified number of packets have been processed

When tcpdump is done capturing packets, it will report counts of:

-packets “received by filter”

-packets “dropped by kernel”

Note: You must be root to capture from an interface, but reading a saved packet file doesn’t require privileges




-a
Convert network and broadcast addresses to names


-c count
exit after receiving count packets


-C file_size
Before writing a raw packet to a savefile, check whether the file is currently larger than file_size; if it is, close the current savefile and open a new one.


-d
dump the compiled packet-matching code in a human-readable form to standard output and stop


-e
print the link-level header on each dump line


-f
print ‘foreign’ internet addresses numerically instead of symbolically


-F file
use file as input for the filter expression


-i interface
listen on interface


-l
make stdout line buffered; useful if you want to see the data while capturing it


-m module
load SMI MIB module definitions from file module


-n
don’t convert host addresses to names (useful to avoid DNS lookups)


-nn
don’t convert protocol and port numbers to names either


-N
don’t print domain name qualification of host names


-q
quick output: print less protocol information so output lines are shorter


-r file
read packets from file (which was created with the -w option)


-S
print absolute rather than relative TCP sequence numbers


-T type
force packets selected by expression to be interpreted as the specified type

Currently known types:

-cnfp (Cisco NetFlow protocol)

-rpc (remote procedure call)

-rtp (real-time applications protocol)

-rtcp (real-time applications control protocol)

-snmp (simple network management protocol)

-vat (visual audio tool)

-wb (distributed white board)


-t
don’t print a timestamp on each dump line


-tt
print an unformatted timestamp on each dump line


-u
print undecoded NFS handles


-w file
write the raw packets to file rather than parsing and printing them out; they can later be printed with the -r option


-x
print each packet in hex


-X
when printing hex, print ASCII too



type qualifiers say what kind of thing the id name or number refers to.

possible types are:

-host (host foo)

-net (net 128.3)

-port (port 20)

if no type qualifier is given, host is assumed


dir qualifiers specify a particular transfer direction to and/or from id

possible directions are:

-src (src foo)

-dst (dst net 128.3)

-src or dst (src or dst port ftp-data)

-src and dst (src and dst port ftp-data)

if no dir qualifier is given, ‘src or dst’ is assumed


proto qualifiers restrict the match to a particular protocol

possible protos are:












Allowed primitives are:


dst host host

true if the IPv4/IPv6 destination field of the packet is host, which may be either an address or a name

src host host

true if the IPv4/IPv6 source field of the packet is host

host host

true if the IPv4/IPv6 source or destination field of the packet is host

any of the above host expressions can be prepended with a protocol keyword, as in:


ip host host

which is the same as:

ether proto \ip and host host
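A small POSIX shell helper, added here as an example and not part of the original notes, that applies the default-qualifier rules above (no type qualifier means host, no dir qualifier means src or dst) to expand a shorthand primitive, then builds the capture and read-back command lines from the flags listed earlier. The interface name, packet count, savefile name and the -C rotation size are assumed values.

```shell
#!/bin/sh
# Added example (not from the original notes). Expands a shorthand
# primitive using the default rules: missing type -> "host",
# missing direction -> "src or dst". Pure string handling, so it runs
# without tcpdump or root privileges.
expand_primitive() {
    set -- $1                        # split the primitive into words
    dir="src or dst"; kind="host"
    case "$1" in
        src|dst)
            if [ "$2" = "or" ] || [ "$2" = "and" ]; then
                dir="$1 $2 $3"; shift 3   # e.g. "src or dst"
            else
                dir="$1"; shift           # plain "src" or "dst"
            fi ;;
    esac
    case "$1" in
        host|net|port) kind="$1"; shift ;;
    esac
    printf '%s %s %s\n' "$dir" "$kind" "$*"
}

# Capture command: -nn avoids DNS and port lookups (no resolver traffic
# while capturing), -s 0 keeps whole packets, -c stops after count
# packets, -C rotates the savefile at 10 MB, -w stores raw packets.
# Interface, count, file name and rotation size are assumed values.
capture_cmd() {
    iface=$1; count=$2; outfile=$3
    filter=$(expand_primitive "$4")
    printf "tcpdump -nn -i %s -s 0 -c %s -C 10 -w %s '%s'\n" \
        "$iface" "$count" "$outfile" "$filter"
}

# Read-back command: -r reads the savefile (no root needed), -S shows
# absolute TCP sequence numbers, -tt prints raw timestamps for correlation.
review_cmd() {
    printf 'tcpdump -nn -r %s -S -tt\n' "$1"
}

# Constructed sample: record 100 packets of FTP data traffic on eth0.
capture_cmd eth0 100 ftp-data.pcap 'src or dst port ftp-data'
review_cmd ftp-data.pcap
```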