UNIX Tools: tcpdump – packet analysis tool

tcpdump is a common network packet analyzer that runs under the command line. It allows the user to intercept and display packets being transmitted or received over a network to which the computer is attached. tcpdump is mandatory for anyone desiring a thorough understanding of TCP/IP.

tcpdump works on most Unix-like operating systems: BSD, Linux, Mac OS X, Solaris, HP-UX and AIX among others. In those systems, tcpdump uses the libpcap library to capture packets. There is also a port of tcpdump for Windows called WinDump and it uses WinPcap, which is a port of libpcap to Windows.

tcpdump basic options

-i any : Listen on all interfaces (useful to check whether any traffic is arriving at all).
-n : Don't resolve hostnames.
-nn : Don't resolve hostnames or port names.
-X : Show the packet's contents in both hex and ASCII.
-XX : Same as -X, but also shows the Ethernet header.
-v, -vv, -vvv : Increase the amount of packet information you get back.
-c : Only capture x packets and then stop, example: 'tcpdump -c 5'
-S : Print absolute sequence numbers.
-e : Get the Ethernet header as well.
-q : Show less protocol information.
-s : Set the amount of data that is captured per packet, in bytes (the snap length).
-E : Decrypt IPsec traffic by providing an encryption key.

Check the manual 'man tcpdump' for a complete list of options.

tcpdump usage

Below are a few options you can use to control the output. The examples are given in a basic form (basic options plus a filter recipe), so remember to add your own options as needed.


Do not resolve hostnames; print absolute sequence numbers:

tcpdump -nS

Do not resolve hostnames or port names with verbosity:

# tcpdump -nnvvS

A deeper look at the traffic (adds -X for the payload, but doesn't grab any more of the packet):

# tcpdump -nnvvXS

Heavy packet viewing (-s increases the amount of data captured per packet, in bytes; 1514 grabs a whole Ethernet frame):

# tcpdump -nnvvXSs 1514


host (match traffic to or from an IP address, or a hostname if you are not using -n):

tcpdump host

src, dst (find traffic from only a source, or to only a destination, hostname or IP):

tcpdump src
tcpdump dst

net (capture an entire network using CIDR notation):

# tcpdump net

port (see only traffic to or from a certain port):

# tcpdump port 1234

proto (works for the tcp, udp and icmp protocols; note that you don't have to type "proto"):

# tcpdump tcp

src, dst port (see traffic based on source or destination port):

# tcpdump src port 1234
# tcpdump dst port 1235


View TCP traffic from and destination port 1234:

tcpdump tcp and src and dst port 1234

View the Non-ICMP traffic destined for from the 172.16 network:

tcpdump dst and src net and not icmp

View the traffic originating from the 192.168 network headed for the 10 or 172.16 networks:

tcpdump src net and dst net or

View the traffic that's from and destination ports 1234 or 1235:

tcpdump 'src and (dst port 1234 or 1235)'

View the traffic originating from host1 or host2 that isn't to the SSH port:

tcpdump -vv src host1 or host2 and not dst port 22
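To make the primitives (host, net, port, proto, src/dst) and the and/or/not combinations above concrete without a network interface or root, here is an added example that is not part of the original post and not tcpdump's own code: a tiny IPv4 decoder and predicate builders that mimic the filter semantics, run over constructed packets. The addresses, ports and packets are made up. One caveat from pcap-filter(7) that the recipes above gloss over: "and" and "or" have equal precedence and associate left to right, so "src net 192.168 and dst net 10 or 172.16" also passes packets bound for 172.16 from any source; the parenthesized form is what the prose intends, and both are shown.

```python
import ipaddress
import struct

PROTO_NUM = {"tcp": 6, "udp": 17, "icmp": 1}
PROTO_NAME = {v: k for k, v in PROTO_NUM.items()}


def build_ipv4(proto, src, dst, sport=0, dport=0):
    """Build a minimal IPv4 packet with a TCP, UDP or ICMP header (constructed data, checksums zero)."""
    if proto == "tcp":
        # ports, seq, ack, data offset 5 words, SYN flag, window, checksum, urgent pointer
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    elif proto == "udp":
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    else:
        l4 = struct.pack("!BBHHH", 8, 0, 0, 1, 1)  # ICMP echo request
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, PROTO_NUM[proto], 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    return ip_hdr + l4


def decode(pkt):
    """Extract the fields the filter primitives test: protocol, addresses and (for TCP/UDP) ports."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = PROTO_NAME.get(pkt[9], "other")
    fields = {"proto": proto, "src": ipaddress.IPv4Address(pkt[12:16]),
              "dst": ipaddress.IPv4Address(pkt[16:20]), "sport": None, "dport": None}
    if proto in ("tcp", "udp"):
        fields["sport"], fields["dport"] = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return fields


# Primitives: each returns a predicate over a decoded packet. direction=None
# mirrors bare "host"/"net"/"port" (either end matches); "src"/"dst" mirror the qualifiers.
def _either(p, direction, src_key, dst_key, test):
    keys = {"src": [src_key], "dst": [dst_key], None: [src_key, dst_key]}[direction]
    return any(p[k] is not None and test(p[k]) for k in keys)

def host(addr, direction=None):
    a = ipaddress.IPv4Address(addr)
    return lambda p: _either(p, direction, "src", "dst", lambda v: v == a)

def net(cidr, direction=None):
    n = ipaddress.IPv4Network(cidr)
    return lambda p: _either(p, direction, "src", "dst", lambda v: v in n)

def port(num, direction=None):
    return lambda p: _either(p, direction, "sport", "dport", lambda v: v == num)

def proto(name):
    return lambda p: p["proto"] == name

def and_(*preds): return lambda p: all(f(p) for f in preds)
def or_(*preds): return lambda p: any(f(p) for f in preds)
def not_(pred): return lambda p: not pred(p)


def apply_filter(pred, packets):
    """Indexes of the packets the filter passes (the ones tcpdump would print)."""
    return [i for i, pkt in enumerate(packets) if pred(decode(pkt))]


# Constructed traffic sample; "net 192.168" in pcap syntax means 192.168.0.0/16, "net 10" 10.0.0.0/8.
SAMPLE = [
    build_ipv4("tcp", "192.168.1.10", "10.0.0.5", 51000, 22),    # 0: SSH into the 10 network
    build_ipv4("tcp", "192.168.1.10", "10.0.0.5", 51001, 1234),  # 1: to port 1234
    build_ipv4("udp", "172.16.4.2", "10.0.0.5", 5353, 1235),     # 2: from 172.16 net, UDP
    build_ipv4("icmp", "172.16.4.9", "10.0.0.5"),                 # 3: from 172.16 net, ICMP
    build_ipv4("tcp", "10.9.9.9", "172.16.4.2", 4444, 1234),     # 4: 10 net -> 172.16 net
    build_ipv4("tcp", "192.168.1.10", "172.16.4.2", 51002, 1235),  # 5: 192.168 -> 172.16, port 1235
]

# "tcpdump tcp and src 192.168.1.10 and dst port 1234"
TCP_FROM_HOST_TO_1234 = and_(proto("tcp"), host("192.168.1.10", "src"), port(1234, "dst"))

# "tcpdump dst 10.0.0.5 and src net 172.16 and not icmp"
NON_ICMP_FROM_172_16 = and_(host("10.0.0.5", "dst"), net("172.16.0.0/16", "src"), not_(proto("icmp")))

# "tcpdump src net 192.168 and dst net 10 or 172.16": equal precedence, left to right,
# so it groups as (src net 192.168 and dst net 10) or dst net 172.16 ...
UNPARENTHESIZED = or_(and_(net("192.168.0.0/16", "src"), net("10.0.0.0/8", "dst")),
                      net("172.16.0.0/16", "dst"))
# ... while "src net 192.168 and (dst net 10 or 172.16)" restricts the source as intended.
PARENTHESIZED = and_(net("192.168.0.0/16", "src"),
                     or_(net("10.0.0.0/8", "dst"), net("172.16.0.0/16", "dst")))

# "tcpdump 'src 192.168.1.10 and (dst port 1234 or 1235)'": "1235" inherits the "dst port" qualifier.
SRC_AND_PORTS = and_(host("192.168.1.10", "src"), or_(port(1234, "dst"), port(1235, "dst")))

if __name__ == "__main__":
    for label, f in [("tcp+src+dst port", TCP_FROM_HOST_TO_1234), ("non-icmp from 172.16", NON_ICMP_FROM_172_16),
                     ("unparenthesized", UNPARENTHESIZED), ("parenthesized", PARENTHESIZED),
                     ("src and ports", SRC_AND_PORTS), ("port 1234 either end", port(1234))]:
        print(f"{label:22s} -> packets {apply_filter(f, SAMPLE)}")
```

Running the script prints which sample packets each expression passes; the unparenthesized network filter passes packet 4 (10.9.9.9 to the 172.16 network) while the parenthesized one does not, which is the difference to remember when writing the real tcpdump command line. The predicates here only model the fields the page's recipes use; real BPF also handles VLAN tags, IPv6, fragments and many other qualifiers.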