tcpdump
This program allows you to dump the traffic on a network. tcpdump can examine IPv4, ICMPv4, IPv6, ICMPv6, UDP, TCP, SNMP, AFS, BGP, RIP, PIM, DVMRP, IGMP, SMB, OSPF, NFS and many other packet types.
It can print out the headers of packets on a network interface and keep only the packets that match a given filter expression. You can use this tool to track down network problems, to detect attacks or to monitor network activity.
Usage
Usage: tcpdump [options] [ expression ]
| Option | Description |
|---|---|
-A | Print each packet (minus its link level header) in ASCII. Handy for capturing web pages. No effect when -x[x] or -X[X] options are used. |
-b | Print the AS number in BGP packets using “asdot” rather than “asplain” representation, in RFC 5396 terms. |
-B buffer_size --buffer-size=buffer_size | Set the operating system capture buffer size to buffer_size, in units of KiB (1024 bytes). |
-c count | Exit after receiving or reading count packets. If the --skip option is used, the count starts after the skipped packets. |
--count | Print only on stdout the packet count when reading capture file(s) instead of parsing/printing the packets. Filters apply if specified. |
-C file_size | Before writing a raw packet to a savefile, check if the file is larger than file_size; if so, rotate files. Default unit is millions of bytes (1,000,000). Suffixes k/K, m/M, g/G change units to KiB, MiB, GiB respectively. |
-d | Dump compiled packet-matching code in human-readable form and stop. DLT-specific. Behavior varies depending on -r, -i, or -y flags. |
-dd | Dump packet-matching code as a C array of struct bpf_insn structures. |
-ddd | Dump packet-matching code as decimal numbers (preceded with a count). |
-D --list-interfaces | Print list of available network interfaces for capture, including number, name, and description. |
-e | Print the link-level header on each dump line (e.g., MAC addresses). |
-E | Use spi@ipaddr algo:secret to decrypt IPsec ESP packets. Multiple entries allowed. Algorithms: des-cbc, 3des-cbc, blowfish-cbc, rc3-cbc, cast128-cbc, or none. Secrets can be ASCII or hex (0x...). For debugging only. Can also read from file. |
-f | Print “foreign” IPv4 addresses numerically. Intended to bypass issues in symbolic resolution (e.g., NIS hangs). Behavior depends on interface netmask. |
-F file | Use file as input for the filter expression. Any filter expression on the command line is ignored. |
-g --ip-oneline | Do not insert a line break after the IP header in verbose mode. |
-G rotate_seconds | Rotate the dump file specified with -w every rotate_seconds seconds. The filename should include a strftime(3)-compatible time format. If filenames are not unique, files may be overwritten. When used with -C, filenames will be in the form of `file<count>`. |
-h --help | Print the tcpdump and libpcap version strings, print a usage message, and exit. |
--version | Print the tcpdump and libpcap version strings and exit. |
-H | Attempt to detect 802.11s draft mesh headers. |
-i interface --interface=interface | Listen on the specified interface. If omitted, selects the lowest-numbered, active interface (excluding loopback). Special value any captures from all regular interfaces. May be specified by name or number (as printed by -D). |
-I --monitor-mode | Put the interface into monitor mode (Wi-Fi only, OS-dependent). Adapter may disconnect from network. Affects output of -L. |
--immediate-mode | Capture packets immediately as they arrive, without buffering. Default when printing to terminal. |
-j tstamp_type --time-stamp-type=tstamp_type | Set the time stamp type for capture to tstamp_type (see pcap-tstamp(7)). Not all types valid for all interfaces. |
-J --list-time-stamp-types | List supported time stamp types for the specified interface and exit. |
--time-stamp-precision=tstamp_precision | Set the time stamp precision for capture (or reading) to micro or nano. High-precision support depends on platform/hardware. |
--micro | Shorthand for --time-stamp-precision=micro. Truncates time stamps if reading from nanosecond-precision file. |
--nano | Shorthand for --time-stamp-precision=nano. Adds trailing zeroes when reading from microsecond-precision file. |
-K --dont-verify-checksums | Skip verification of IP/TCP/UDP checksums. Useful if checksums are offloaded to hardware. |
-l | Make stdout line-buffered. Allows viewing data during capture. On Windows, means unbuffered (writes each character). Similar to -U, which buffers per packet. |
-L --list-data-link-types | List supported data link types for the interface and exit. Mode-dependent (e.g., different types in monitor vs non-monitor mode). |
--lengths | Print the captured and original packet lengths. caplen is the captured length; len is the original wire length. |
-m module | Load SMI MIB module definitions from module. Can be used multiple times. |
-M secret | Use secret as the shared key for validating TCP-MD5 digests (RFC 2385). |
-n | Don’t convert addresses and ports to names. |
-N | Don’t print domain qualification in hostnames (e.g., print nic instead of nic.ddn.mil). |
-# --number | Print a packet number at the beginning of each line. |
-O --no-optimize | Disable packet-matching code optimizer. Useful for debugging. |
-p --no-promiscuous-mode | Don’t set interface to promiscuous mode. May already be in promiscuous mode for other reasons. |
--print | Print parsed packets even if writing raw packets to a file with -w. |
--print-sampling=nth | Print every nth packet. Enables --print and -S. Speeds up processing by skipping parsing of other packets. |
-Q direction --direction=direction | Capture packets in the specified direction: in, out, or inout. Not available on all platforms. |
-q | Quick output; print less protocol detail. |
-r file | Read packets from file (created with -w or compatible tools). Use - for stdin. |
-S --absolute-tcp-sequence-numbers | Print absolute TCP sequence numbers. |
-s snaplen --snapshot-length=snaplen | Capture snaplen bytes from each packet (default: 262144). Larger snaplen increases processing time and decreases buffering. Smaller values may truncate data. |
--skip count | Skip the first count packets before writing or printing. |
-T type | Force interpretation of packets as a specified protocol type (e.g., dns, quic, rpc, vxlan, etc.). |
-t | Don’t print timestamps. |
-tt | Print timestamps in seconds since the epoch (with fractional seconds). |
-ttt | Print time delta between current and previous line. Resolution depends on --time-stamp-precision. |
-tttt | Print timestamp with date and time (HH:MM:SS.sss). |
-ttttt | Print time delta between current and first line. |
-u | Print undecoded NFS handles. |
-U --packet-buffered | Flush output per packet (printed or saved). If -w is used, raw output is packet-buffered. If not, printed output is packet-buffered. |
-v | Verbose output. Prints extra IP header fields and enables integrity checks. Also reports packets captured per second if writing to a file (-w). |
-vv | More verbose. Includes additional fields like NFS replies and full SMB decoding. |
-vvv | Most verbose. Includes full telnet option decoding. With -X, shows telnet options in hex. |
-V file | Read a list of filenames from file. Use - for stdin. |
-w file | Write raw packets to file. Use - for stdout. Buffered unless -U is used. Recommended extensions: .pcap, .cap, .dmp. |
-W filecount | With -C, limits number of output files and overwrites old files in a rotating buffer. With -G, stops after creating filecount files. |
-x | Print packet data (minus link header) in hex. No effect when -X[X] is used. |
-xx | Print packet data including link header in hex. No effect when -X[X] is used. |
-X | Print headers and packet data (minus link header) in both hex and ASCII. Useful for protocol analysis. |
-XX | Print headers and packet data including link header in hex and ASCII. |
-y datalinktype --linktype=datalinktype | Set data link type for capture or code compilation. See -L or -d. |
-z postrotate-command | With -C or -G, run `postrotate-command file` after each rotation, where file is the savefile that was just closed (e.g., -z gzip). Only available on systems that support subprocesses. |
-Z user --relinquish-privileges=user | After setup, drop root privileges and switch to user. Group ID changes to user’s primary group. Can also be set at compile time. |
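The options above are most useful in combination. The script below is an added example for this reference (not code from the tcpdump project) showing a long-running capture set up the way a defender would run it: a -C/-W ring buffer that bounds disk use, a filter kept in a file (-F) and compiled with -d before the capture starts, a reduced snaplen (-s) and a privilege drop (-Z). The interface eth0, the user `pcap` and the directory /var/tmp/pcap are assumed values, and the filter expression is a constructed sample.

```sh
#!/bin/sh
# Added example for this reference, not code from the tcpdump project: a
# long-running capture using the options described above (-C/-W ring buffer,
# -Z privilege drop, -F filter file, -s snaplen, -d to validate the filter).
# Assumed values: interface eth0, unprivileged user "pcap" and output
# directory /var/tmp/pcap; override them through the environment.

IFACE="${IFACE:-eth0}"
OUTDIR="${OUTDIR:-/var/tmp/pcap}"
DROP_USER="${DROP_USER:-pcap}"
FILE_MB="${FILE_MB:-100}"   # -C: rotate after this many millions of bytes
FILES="${FILES:-50}"        # -W: number of files kept in the ring
SNAPLEN="${SNAPLEN:-1600}"  # -s: a full Ethernet frame plus VLAN tags

# Disk budget of a -C/-W ring in millions of bytes: file size times file count.
ring_size_mb() {
    echo $(( $1 * $2 ))
}

# Keep the filter in a file (-F) so it can be reviewed and versioned instead
# of retyped. The expression is a constructed sample that keeps the
# capture host's own SSH session (assumed address 192.168.1.10) out of the file.
write_filter_file() {
    printf '%s\n' "not (tcp port 22 and host 192.168.1.10)" > "$1"
}

# Compile the filter with -d against an abstract Ethernet link type (-y EN10MB).
# This opens no interface and needs no root, so a typo is caught before the
# capture starts. Returns 0 when the filter compiles or tcpdump is not installed.
validate_filter() {
    command -v tcpdump >/dev/null 2>&1 || return 0
    tcpdump -d -y EN10MB -F "$1" >/dev/null 2>&1
}

start_capture() {
    filter="$OUTDIR/filter.bpf"
    # Rotated files are created after the privilege drop, so the directory
    # must be writable by DROP_USER (assumption: that user already exists).
    mkdir -p "$OUTDIR" && chown "$DROP_USER" "$OUTDIR"
    write_filter_file "$filter"
    validate_filter "$filter" || { echo "filter does not compile: $filter" >&2; return 1; }
    echo "ring budget: $(ring_size_mb "$FILE_MB" "$FILES") MB in $OUTDIR" >&2
    # -n: no name lookups, so the sniffer generates no DNS traffic of its own.
    exec tcpdump -i "$IFACE" -n -s "$SNAPLEN" \
        -C "$FILE_MB" -W "$FILES" -Z "$DROP_USER" \
        -F "$filter" -w "$OUTDIR/ring.pcap"
}

# Run as root with RUN_CAPTURE=1 to start; otherwise only the functions are defined.
if [ "${RUN_CAPTURE:-0}" = 1 ]; then
    start_capture
fi
```

Two points worth knowing before adapting this: -W only acts as a ring buffer together with -C (with -G it stops after filecount files, as the table says), and adding -z gzip to a ring defeats the disk bound, because each compressed file is renamed out of the ring and tcpdump then creates a fresh file under the old name, so the .gz files accumulate.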
Examples
Capture packets on a specific interface:

```sh
tcpdump -i eth0
```

Capture only a specific number of packets:

```sh
tcpdump -c 10 -i eth0
```

Display packet contents in ASCII and hex:

```sh
tcpdump -X -i eth0
```

Filtering by Protocol

Capture only TCP traffic:

```sh
sudo tcpdump -i eth0 tcp
```

Capture only UDP traffic:

```sh
sudo tcpdump -i eth0 udp
```

Capture only ICMP (ping) traffic:

```sh
sudo tcpdump -i eth0 icmp
```

Filtering by Port or Host

Capture traffic on port 80 (HTTP):

```sh
sudo tcpdump -i eth0 port 80
```

Capture traffic from/to a specific host:

```sh
sudo tcpdump -i eth0 host 192.168.1.10
```

Capture traffic from a specific source IP:

```sh
sudo tcpdump -i eth0 src 192.168.1.10
```

Capture traffic to a specific destination IP:

```sh
sudo tcpdump -i eth0 dst 10.0.0.1
```

Saving and Reading from a File

Save captured packets to a file:

```sh
sudo tcpdump -i eth0 -w capture.pcap
```

Read packets from a saved file:

```sh
tcpdump -r capture.pcap
```

Advanced Filters

Capture packets from a specific port and host:

```sh
sudo tcpdump -i eth0 tcp and port 22 and host 192.168.1.10
```

Capture only outbound traffic (packets whose source is the local host, here 192.168.1.10):

```sh
sudo tcpdump -i eth0 'src host 192.168.1.10'
```

Capture traffic larger than 1000 bytes:

```sh
sudo tcpdump -i eth0 greater 1000
```
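Reading a saved file back is where filters earn their keep. The script below is an added example for this reference (not code from the tcpdump project) that combines -r, --count and an advanced filter into a small triage report: which sources keep opening new SSH connections in a capture. The pcap path and the threshold are assumptions, and the `SAMPLE_LINES` are constructed tcpdump output, included so the parsing part can be exercised without a capture file.

```sh
#!/bin/sh
# Added example for this reference, not code from the tcpdump project: read a
# saved capture back with -r and turn one advanced filter into a triage report
# (which sources keep opening new SSH connections). The pcap path and the
# threshold are assumptions; SAMPLE_LINES are constructed tcpdump output.

# Packets whose only TCP flag is SYN (new connection attempts) aimed at
# port 22. -n keeps addresses and ports numeric, which the parser relies on.
ssh_syn_lines() {
    tcpdump -r "$1" -n 'tcp dst port 22 and tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'
}

# Only the number of matching packets, via --count (no per-packet parsing).
ssh_syn_count() {
    tcpdump -r "$1" --count 'tcp dst port 22 and tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'
}

# Aggregate "tcpdump -n" lines into "source count" pairs, most active first.
# A line looks like:
#   12:00:01.100000 IP 192.168.1.50.51234 > 10.0.0.1.22: Flags [S], seq 1, ...
# so $3 is source.port and $7 is the flag field; IPv6 lines ("IP6") are skipped.
count_syn_sources() {
    awk '$2 == "IP" && $7 == "[S]," {
            src = $3
            sub(/\.[0-9]+$/, "", src)      # drop the source port
            n[src]++
        }
        END { for (s in n) print s, n[s] }' | sort -k2,2nr -k1,1
}

# Keep only sources at or above a threshold of SYNs.
flag_sources() {
    awk -v t="$1" '$2 >= t'
}

# End to end: pcap in, suspicious sources out (default threshold 20).
ssh_syn_report() {
    ssh_syn_lines "$1" | count_syn_sources | flag_sources "${2:-20}"
}

# Constructed sample output (not from a real capture) for a dry run.
SAMPLE_LINES='12:00:01.100000 IP 192.168.1.50.51234 > 10.0.0.1.22: Flags [S], seq 1, win 64240, length 0
12:00:01.200000 IP 192.168.1.50.51235 > 10.0.0.1.22: Flags [S], seq 2, win 64240, length 0
12:00:01.300000 IP 192.168.1.50.51236 > 10.0.0.1.22: Flags [S], seq 3, win 64240, length 0
12:00:01.400000 IP 192.168.1.77.40000 > 10.0.0.1.22: Flags [S], seq 4, win 64240, length 0
12:00:01.500000 IP 10.0.0.1.22 > 192.168.1.77.40000: Flags [S.], seq 9, ack 5, win 65160, length 0'

# Run the parser over the sample lines with a threshold of 3.
demo() {
    printf '%s\n' "$SAMPLE_LINES" | count_syn_sources | flag_sources 3
}
```

Usage: `ssh_syn_report capture.pcap 50` prints sources with 50 or more new SSH connection attempts in the file, and `ssh_syn_count capture.pcap` gives the raw total. The filter is written with -n in mind: with name resolution on, the third field would be a hostname rather than an address and the port stripping would no longer be reliable.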