The list of network interfaces where tcpdump can capture traffic:
    tcpdump -D
Capture traffic on eth0:
    tcpdump -i eth0
Capture traffic on all available network interfaces (the "any" pseudo-interface does not put the interfaces into promiscuous mode; Linux kernel 2.2 or later is needed):
    tcpdump -i any
Show more information while capturing packets:
    tcpdump -v
Show even more information:
    tcpdump -vv
A lot of information:
    tcpdump -vvv
…also show each packet's content in hex and ASCII, without the link-level header:
    tcpdump -v -X
Be verbose and print the data of each packet in both hex and ASCII, including the link-level header:
    tcpdump -v -XX
Be less verbose (than the default) while capturing packets:
    tcpdump -q
Limit the capture to 100 packets:
    tcpdump -c 100
Record the packet capture to a file called capture.cap:
    tcpdump -w capture.cap
Record the packet capture to a file called capture.cap, but also display on-screen (once per second) how many packets have been captured so far:
    tcpdump -v -w capture.cap
Display the packets of a file called capture.cap:
    tcpdump -r capture.cap
Display the packets of a file called capture.cap using maximum detail:
    tcpdump -vvv -r capture.cap
Display IP addresses and port numbers instead of domain and service names when capturing packets (note: on some systems -n alone still resolves port and protocol names; use -nn to force numeric ports as well):
    tcpdump -n
Capture any packets where the destination host is 192.168.1.1. Display IP addresses and port numbers:
    tcpdump -n dst host 192.168.1.1
Capture any packets where the source host is 192.168.1.1. Display IP addresses and port numbers:
    tcpdump -n src host 192.168.1.1
Capture any packets where the source or destination host is 192.168.1.1. Display IP addresses and port numbers:
    tcpdump -n host 192.168.1.1
Capture any packets where the destination network is 192.168.1.0/24. Display IP addresses and port numbers:
    tcpdump -n dst net 192.168.1.0/24
Capture any packets where the source network is 192.168.1.0/24. Display IP addresses and port numbers:
    tcpdump -n src net 192.168.1.0/24
Capture any packets where the source or destination network is 192.168.1.0/24. Display IP addresses and port numbers:
    tcpdump -n net 192.168.1.0/24
Capture any packets where the destination port is 23. Display IP addresses and port numbers:
    tcpdump -n dst port 23
Capture any packets where the destination port is between 1 and 1023 inclusive. Display IP addresses and port numbers:
    tcpdump -n dst portrange 1-1023
Capture only TCP packets where the destination port is between 1 and 1023 inclusive. Display IP addresses and port numbers:
    tcpdump -n tcp dst portrange 1-1023
Capture only UDP packets where the destination port is between 1 and 1023 inclusive. Display IP addresses and port numbers:
    tcpdump -n udp dst portrange 1-1023
Capture any packets with destination IP 192.168.1.1 and destination port 23. Display IP addresses and port numbers:
    tcpdump -n "dst host 192.168.1.1 and dst port 23"
Capture any packets with destination IP 192.168.1.1 and destination port 80 or 443. Display IP addresses and port numbers (the quotes keep the shell from interpreting the parentheses):
    tcpdump -n "dst host 192.168.1.1 and (dst port 80 or dst port 443)"
Capture any ICMP packets:
    tcpdump -v icmp
Capture any ARP packets:
    tcpdump -v arp
Capture either ICMP or ARP packets:
    tcpdump -v "icmp or arp"
Capture any packets that are broadcast or multicast:
    tcpdump -n "broadcast or multicast"
Capture up to 500 bytes of each packet rather than the default snapshot length (68 bytes in old tcpdump releases, 262144 bytes since tcpdump 4.0). Anything past the snapshot length is dropped, so a short snaplen keeps the headers but loses most of the payload:
    tcpdump -s 500
Capture all bytes of each packet (-s 0 selects the maximum snapshot length, 262144 bytes, in current releases; on old releases it was needed to avoid truncation at 68 bytes):
    tcpdump -s 0
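The following is an added example and is not part of the original cheat sheet. It constructs three Ethernet/IPv4/TCP packets in Python, writes them to a pcap file in the same classic format that tcpdump -w produces, reads them back the way tcpdump -r does, applies a hand-written equivalent of the filter "dst host 192.168.1.1 and tcp dst port 23", and shows what a 68-byte snapshot length keeps compared with -s 0. The MAC and IP addresses, ports, payloads, and timestamps are constructed for the example; checksums are left at zero.

```python
import ipaddress
import os
import struct
import tempfile

LINKTYPE_ETHERNET = 1
MAX_SNAPLEN = 262144  # what "tcpdump -s 0" means in current releases


def build_packet(src_ip, dst_ip, src_port, dst_port, payload):
    """Build a minimal Ethernet/IPv4/TCP frame (constructed test data, checksums left 0)."""
    eth = bytes.fromhex("000000000001") + bytes.fromhex("000000000002") + b"\x08\x00"
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    # src port, dst port, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def write_pcap(path, packets, snaplen):
    """Write packets as a classic pcap file, truncating each one to snaplen like tcpdump -s."""
    snaplen = snaplen or MAX_SNAPLEN
    with open(path, "wb") as f:
        # global header: magic, version 2.4, tz offset, sigfigs, snaplen, link type
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
        for i, pkt in enumerate(packets):
            data = pkt[:snaplen]
            # record header: ts_sec, ts_usec, captured length, original length on the wire
            f.write(struct.pack("<IIII", 1_700_000_000 + i, 0, len(data), len(pkt)))
            f.write(data)


def read_pcap(path):
    """Read a little-endian classic pcap file; returns (caplen, origlen, bytes) per record."""
    records = []
    with open(path, "rb") as f:
        (magic,) = struct.unpack("<I", f.read(4))
        if magic != 0xA1B2C3D4:
            raise ValueError("unsupported pcap magic: %#x" % magic)
        f.read(20)  # rest of the global header
        while True:
            hdr = f.read(16)
            if len(hdr) < 16:
                break
            _sec, _usec, caplen, origlen = struct.unpack("<IIII", hdr)
            records.append((caplen, origlen, f.read(caplen)))
    return records


def matches_dst_host_tcp_port(data, dst_host, dst_port):
    """Hand-written equivalent of the filter 'ip and dst host X and tcp dst port N'."""
    if len(data) < 34 or data[12:14] != b"\x08\x00":
        return False                      # not IPv4, or too short to hold the IP header
    ihl = (data[14] & 0x0F) * 4
    if data[14 + 9] != 6 or len(data) < 14 + ihl + 4:
        return False                      # not TCP, or the TCP ports were truncated away
    dst = str(ipaddress.IPv4Address(data[14 + 16:14 + 20]))
    (dport,) = struct.unpack("!H", data[14 + ihl + 2:14 + ihl + 4])
    return dst == dst_host and dport == dst_port


def demo(snaplen):
    """Capture three constructed packets with the given snaplen; return records and filter hits."""
    packets = [
        build_packet("192.168.1.50", "192.168.1.1", 40000, 23, b"login: admin\r\n" + b"A" * 100),
        build_packet("192.168.1.50", "192.168.1.1", 40001, 80, b"GET / HTTP/1.0\r\n\r\n"),
        build_packet("192.168.1.1", "192.168.1.50", 23, 40000, b"Password: "),
    ]
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "capture.cap")
        write_pcap(path, packets, snaplen)
        records = read_pcap(path)
    hits = [i for i, (_, _, data) in enumerate(records)
            if matches_dst_host_tcp_port(data, "192.168.1.1", 23)]
    return records, hits


if __name__ == "__main__":
    for snaplen in (68, 0):
        records, hits = demo(snaplen)
        print("snaplen %d:" % snaplen)
        for caplen, origlen, data in records:
            # byte 54 is where the TCP payload starts in these 14+20+20 byte frames
            print("  captured %3d of %3d bytes, payload kept: %r" % (caplen, origlen, data[54:]))
        print("  records matching 'dst host 192.168.1.1 and tcp dst port 23':", hits)
```

With a 68-byte snapshot length the first packet is recorded as 68 of 168 bytes: the Ethernet, IP and TCP headers (54 bytes) survive, so the host and port filter still matches, but only the first 14 bytes of the telnet payload are kept. With -s 0 every record's captured length equals its original length. A snapshot length shorter than the headers would leave the port field out of the record, and the filter correctly fails to match rather than reading past the captured data.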