tcpdump

dump traffic on a network

tcpdump [ -AbdDefhgHIJKlLnNOpPqRStuUvxX ]
[ -B buffer_size ] [ -c count ]
[ -C file_size ] [ -G rotate_seconds ] [ -F file ]
[ -i interface ] [ -j tstamp_type ] [ -k (metadata_arg) ]
[ -m module ] [ -M secret ]
[ -w file ][ -r file ]
[ -s snaplen ] [ -T type ]
[ -W filecount ]
[ -E spi@ipaddr algo:secret,... ]
[ -y datalinktype ] [ -z postRotate-command ] [ -Z user ]
[ -Q packet-metadata-filter ]
[ expression]

This is from the man page for tcpdump version 4.3.0 -- Apple version 56,
libpcap version 1.3.0 -- Apple version 41
see -h
The latest release as of 11/05/16 from tcpdump.org is Version: 4.8.1 / 1.8.1,
the documentation is current as of September 2015
Severely terseified by DG12
see the man page for the true(?) story

Outputs packets on a network interface that match the boolean expression.

-w  saves the packet data to a file for later analysis,
-r  reads from a saved file.
In all cases, only packets that match expression are processed.

Continues until it is interrupted by a SIGINT signal (generated by typing the interrupt character, typically ^C) or
a SIGTERM signal (typically generated with the kill command), or,
with -c, until the specified number of packets have been processed.

On SIGINFO (typing the status character, frequently ^T, set via stty status ^T) reports:
   packets captured
   packets received by filter (exact meaning depends on the OS and its configuration)
   packets dropped by kernel (due to a lack of buffer space
     in the packet capture mechanism of the OS)

Reading packets from a network interface requires privileges; reading from a saved packet file doesn't. Read files from untrusted sources as an unprivileged user: the protocol decoders are parsing attacker-controlled data.

Example

sudo tcpdump -i en1 host 192.168.1.12 and udp port 514   # verify that syslog entries are being forwarded

Options

-D
--list-interfaces
Display the interfaces on which tcpdump can capture.
Either the name or the number can be supplied to -i.
Example:
 1.en0
 2.fw0
 3.en1
 4.p2p0
 5.lo0

-i
--interface=interface

Default:
Darwin systems: a pseudo set of interfaces (excludes loopback and tunnel).
Other OSes: the lowest numbered, configured, up interface (excluding loopback).

pktap followed by a comma-separated list of interfaces captures packets from multiple interfaces.
For example, to capture on the loopback and en0:

tcpdump -i pktap,lo0,en0

all or pktap,all includes loopback and tunnel interfaces.

The pktap pseudo interface provides packet metadata using the default PKTAP data link type, and files are then written in the pcap-ng file format; tools that don't know the PKTAP link type cannot decode such files.
To get the pcap-savefile format from a pktap capture, the RAW data link type must be used (-y RAW); the metadata is not saved.

iptap captures packets at the IP layer as they are passed to the I/O routines of the IP protocol handlers.

any on Linux captures packets from all interfaces (with the Linux "cooked" link-layer header instead of the real one).

-r file  Read packets from file (created with -w). Standard input if file is -.
-l  Make stdout line buffered; helpful to view output while also capturing it to a file:

tcpdump -l | tee dat # have data from stdout also go to dat
   or
tcpdump -l > dat & tail -f dat # send output to dat and have tail show it

-F file  Use file as input for the filter expression (an expression on the command line is ignored).
-V file  Read a list of savefile names from file. Standard input is used if file is ``-''.

-Q filter  Apple: select packets by metadata such as interface or process name (see -k).
-w file  Write raw packets to file, to be processed with -r later.
Standard output is used if file is -. Files are owned by root unless -Z is used.

Output is buffered, so a program reading from the file or pipe may not see packets for an arbitrary amount of time after they are received; see -U.

-C MB  Close the save file when it reaches MB million bytes (1,000,000 bytes, not 1,048,576) and open a new one.
New filenames have an increasing numeric suffix.
-G secs  Rotate the dump file every secs seconds.
With -C as well, filenames take the form file<count>.
The -w filename must include a time format as defined by strftime(3).
Example: -w PLUTO-%F_%X
PLUTO-2015-08-25_17:28:43
If no time format is specified, each new file overwrites the previous.
-W n  With -C, limits the number of files, creating a 'rotating' buffer; filenames include enough leading 0s for the maximum n, so that they sort correctly.

With -G, limits the number of rotated dump files that get created, exiting with status 0 when the limit is reached.
With -C as well, the result is cyclical files per timeslice.

(-v together with -w: report the number of packets captured every 10 seconds.)

-z command  With -C or -G (file closing by size or time),
runs "command file", where file is the savefile just closed, after each rotation.
Example: -z gzip

Runs in parallel to the capture, at the lowest priority so that it doesn't disturb the capture process.
It runs with whatever privileges tcpdump has at that point (the -Z user if given, otherwise root), so command must not be writable by other users.

To use a command that takes flags or other arguments, write a shell script that takes the savefile name as its only argument, arranges the flags and arguments, and executes the command.
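An added example, not from the tcpdump man page or Apple's tcpdump: it assembles a ring-buffer capture command line from -C/-W/-G/-z/-Z and implements the post-rotate hook that -z calls, compressing each closed savefile and recording its SHA-256 so a capture kept as evidence can be checked later. The interface name en0, the prefix /var/tmp/cap, the hook path /usr/local/bin/postrotate.py and the user nobody are assumptions for illustration.

```python
"""Added example (not from the tcpdump man page): a rotating capture
command line and a -z post-rotate hook. Interface, paths and user are
assumed for illustration."""
import gzip
import hashlib
import os
import sys


def build_capture_cmd(iface="en0", prefix="/var/tmp/cap", max_mb=100,
                      keep=10, rotate_secs=None, hook=None, user="nobody"):
    """Return the argv list for a rotating capture.

    -Z user   drop root once the device is open; -w files then belong to
              user, so the target directory must be writable by that user
    -C max_mb close each file at roughly max_mb million bytes
    -W keep   keep only `keep` files (oldest overwritten: a ring buffer)
    -G secs   also rotate on time; -w then needs a strftime(3) pattern,
              otherwise every rotation overwrites the same file
    -z hook   run `hook <closed-file>` after each rotation
    """
    argv = ["tcpdump", "-i", iface, "-Z", user, "-C", str(max_mb), "-W", str(keep)]
    name = prefix + ".pcap"
    if rotate_secs:
        argv += ["-G", str(rotate_secs)]
        name = prefix + "-%Y%m%d-%H%M%S.pcap"
    if hook:
        argv += ["-z", hook]
    argv += ["-w", name]
    return argv


def postrotate(path):
    """The -z hook: gzip the closed savefile and write <file>.gz.sha256.

    tcpdump runs `hook path` in parallel with the capture at the lowest
    scheduling priority, with the privileges tcpdump has at that point
    (the -Z user if given, otherwise root): keep this script and its
    directory non-writable by other users. The digest covers the
    uncompressed data, i.e. the file exactly as tcpdump wrote it.
    Returns (gz_path, hex_digest)."""
    digest = hashlib.sha256()
    gz_path = path + ".gz"
    with open(path, "rb") as src, gzip.open(gz_path, "wb") as dst:
        for chunk in iter(lambda: src.read(1 << 16), b""):
            digest.update(chunk)
            dst.write(chunk)
    os.remove(path)
    with open(gz_path + ".sha256", "w") as f:
        f.write(f"{digest.hexdigest()}  {os.path.basename(path)}\n")
    return gz_path, digest.hexdigest()


if __name__ == "__main__":
    if len(sys.argv) == 2:            # invoked by tcpdump -z: one argument
        gz, h = postrotate(sys.argv[1])
        print(gz, h)
    else:                             # show the command line it pairs with
        print(" ".join(build_capture_cmd(hook="/usr/local/bin/postrotate.py",
                                         rotate_secs=3600)))
```

Install the script executable at the assumed hook path and start the capture with the printed command line; each rotated file is replaced by its .gz and a .sha256 line in the same directory.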

options affecting output format
-k [metadata_arg]  Control the display of packet metadata via an optional metadata_arg argument. Useful when displaying packets saved in the pcap-ng file format or captured on interfaces that support PKTAP.

Default: all available packet metadata is output.

                     I     interface name (or interface ID)
                     N     process name
                     P     process ID
                     S     service class
                     D     direction
                     C     comment
This is an Apple modification.

(The following concerns -L and -I:) the data link types listed depend on the specified mode. For example, on some platforms a Wi-Fi interface might support one set of data link types when not in monitor mode (for example, only fake Ethernet headers, or 802.11 headers but not 802.11 headers with radio information) and another set when in monitor mode (for example, 802.11 headers, or 802.11 headers with radio information, only in monitor mode).

-n  No DNS lookups: don't convert addresses (host addresses, port numbers, etc.) to names. Faster, and avoids sending reverse DNS queries that reveal which hosts you are looking at.

-N  Don't output the domain name qualification of host names, e.g. nic instead of nic.ddn.mil.
-f  Output `foreign' IPv4 addresses numerically rather than symbolically.
The test for `foreign' is done using the interface's address and netmask.
output the packet number at the beginning of each line.
-S  Output absolute, rather than relative, TCP sequence numbers.
timestamp formats
-ttt delta between current and previous line
00:00:00.000000 IP6 kitchen.local.57002 > ff02::c.ssdp: UDP, length 146
00:00:01.715637 ARP, Request who-has rtr.germans tell kitchen.germans, length 46
00:00:02.723892 IP smackerpro.germans.50015 > 192.168.1.255.canon-bjnp2: UDP, length 16
00:00:00.000170 IP smackerpro.germans.63948 > all-systems.mcast.net.canon-bjnp2: UDP, length 16
00:00:01.553977 IP6 kitchen.local.57002 > ff02::c.ssdp: UDP, length 146
-t Don't output a timestamp
-tttt preceded by the date
2015-08-24 20:38:18.302298 IP6 kitchen.local.dhcpv6-client > ff02::1:2.dhcpv6-server: dhcp6 solicit
2015-08-24 20:38:18.488840 ARP, Request who-has rtr.germans (00:7f:28:cc:a9:f1 (oui Unknown)) tell smackerpro.germans, length 28
2015-08-24 20:38:18.493460 ARP, Reply rtr.germans is-at 00:7f:28:cc:a9:f1 (oui Unknown), length 28
2015-08-24 20:38:18.493479 IP smackerpro.germans.61993 > rtr.germans.domain: 43740+ PTR? 2.0.0.0.1.0. … 0.2.0.f.f.ip6.arpa. (90)
2015-08-24 20:38:18.515142 IP rtr.germans.domain > smackerpro.germans.61993: 43740 NXDomain 0/1/0 (160)
-ttttt delta between current and first line
00:00:00.000000 IP smackerpro.germans.58805 > 192.168.1.255.canon-bjnp2: UDP, length 16
00:00:00.000458 IP smackerpro.germans.55641 > all-systems.mcast.net.canon-bjnp2: UDP, length 16
00:00:00.943611 IP smackerpro.germans.64954 > rtr.germans.domain: 36632+ PTR? 255.1.168.192.in-addr.arpa. (44)
00:00:00.970220 IP rtr.germans.domain > smackerpro.germans.64954: 36632 NXDomain 0/0/0 (44)
-tt unformatted timestamp
1440463224.469005 IP smackerpro.germans.59385 > 192.168.1.255.canon-bjnp2: UDP, length 16
1440463224.469114 IP smackerpro.germans.57110 > all-systems.mcast.net.canon-bjnp2: UDP, length 16
1440463224.565954 IP6 kitchen.local.57002 > ff02::c.ssdp: UDP, length 146
1440463224.972287 ARP, Request who-has rtr.germans tell kitchen.germans, length 46
1440463224.973449 IP6 kitchen.local.59525 > ff02::1:3.llmnr: UDP, length 22
1440463224.974452 IP kitchen.germans.58481 > 224.0.0.252.llmnr: UDP, length 22
1440463225.074848 IP6 kitchen.local.59525 > ff02::1:3.llmnr: UDP, length 22
1440463225.075862 IP kitchen.germans.58481 > 224.0.0.252.llmnr: UDP, length 22
default (time of day, microsecond resolution)
20:43:04.592705 ARP, Request who-has rtr.germans (00:7f:28:cc:a9:f1 (oui Unknown)) tell smackerpro.germans, length 28
20:43:04.598040 ARP, Reply rtr.germans is-at 00:7f:28:cc:a9:f1 (oui Unknown), length 28
-t n alternate form :
                     0     time
                     1     no time
                     2     unformatted timestamp
                     3     microseconds since previous line
                     4     date and time
                     5     microseconds since first line
May be specified more than once to display more than one
-j tstamp_type Set the time stamp type, names are given in pcap-tstamptype(7); not all the types listed there will necessarily be valid for any given interface.
-J List the time stamp types and exit. The time stamp type cannot be set for pktap.
-c count  Exit after receiving count packets.
-q  Quick (quiet) output: less protocol information.
-v  Verbose (slightly more) output, e.g.
the time to live, identification, total length and options in an IP packet.
Also enables additional packet integrity checks such as verifying the IP and ICMP header checksums.

-vv  More verbose. For example, additional fields are output from NFS reply packets, and SMB packets are fully decoded.
For AFS RX packets, acknowledgement packets and additional header information are output, such as the RX call ID, call number, sequence number, serial number, and the RX packet flags.
The MTU negotiation information is also output from RX ack packets.

-vvv  Even more verbose. For example, telnet SB ... SE options are output in full. With -X, Telnet options are output in hex as well. For RX packets the security index and service id are output.

-A  Output each packet in ASCII (minus its link level header).
-x  Output the headers and data of each packet in hex (minus its link level header). The smaller of the entire packet or snaplen bytes is output.
-xx  The same, including the link level header. For link layers that pad (e.g. Ethernet), the padding bytes are also output when the higher layer packet is shorter than the required padding.
-X  Headers and data in hex and ASCII (minus its link level header).
-XX  Headers and data, including the link level header, in hex and ASCII. (big)
-e  Output the link-level header on each dump line.
-s snaplen  Capture only the first snaplen bytes of each packet.
Truncation is indicated with [|proto],
  where proto is the name of the protocol level at which the truncation occurred.
Capturing more bytes per packet increases processing time, reduces the number of packets that fit in the capture buffer and may cause packets to be lost.
Limit snaplen to the smallest number that will capture the protocol information of interest; for evidence or later full analysis keep whole packets (-s 0).
A snaplen of 0 sets it to the default of 65535.
 tcpdump -s170
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pktap, link-type PKTAP (Packet Tap), capture size 170 bytes
21:11:25.505529 IP 169.254.1.71.51717 > 169.254.1.255.commplex-main: UDP, length 12
21:11:27.250939 IP smackerpro.germans.58906 > 192.168.1.255.canon-bjnp2: UDP, length 16
21:11:27.251041 IP smackerpro.germans.53293 > all-systems.mcast.net.canon-bjnp2: UDP, length 16
21:11:27.452579 IP6 kitchen.local.57002 > ff02::c.ssdp: UDP, length 146
21:11:28.480467 IP 169.254.1.71.21302 > broadcasthost.21302: UDP, length 680
21:11:30.011403 IP6 kitchen.local > ff02::16: HBH [|icmp6]
21:11:30.012635 IP6 kitchen.local > ff02::16: HBH [|icmp6]
21:11:30.013558 ARP, Request who-has rtr.germans tell kitchen.germans, length 46
21:11:30.014727 IP6 kitchen.local > ff02::16: HBH [|icmp6]
21:11:30.015971 IP6 kitchen.local > ff02::16: HBH [|icmp6]
21:11:30.017047 IP6 kitchen.local.54991 > ff02::1:3.llmnr: UDP, length 25
21:11:30.018023 IP kitchen.germans.51970 > 224.0.0.252.llmnr: UDP, length 25
21:11:30.113817 IP6 kitchen.local > ff02::16: HBH [|icmp6]
21:11:30.114988 IP6 kitchen.local.54991 > ff02::1:3.llmnr: UDP, length 25
21:11:30.115981 IP kitchen.germans.51970 > 224.0.0.252.llmnr: UDP, length 25
21:11:30.319288 IP kitchen.germans.57004 > 239.255.255.250.ssdp: UDP, length 133
21:11:30.421988 IP6 kitchen.local.57002 > ff02::c.ssdp: UDP, length 146
21:11:30.740267 ARP, Request who-has rtr.germans (00:7f:28:cc:a9:f1 (oui Unknown)) tell smackerpro.germans, length 28
21:11:30.744062 ARP, Reply rtr.germans is-at 00:7f:28:cc:a9:f1 (oui Unknown), length 28
21:11:30.744082 IP smackerpro.germans.54379 > rtr.germans.domain: 9601+[|domain]
21:11:30.770767 IP rtr.germans.domain > smackerpro.germans.54379: 9601 NXDomain[|domain]
21:11:32.471347 IP real-world-systems.com.ssh > smackerpro.germans.54464: Flags [P.], seq 64:128, ack 33, win 340, options [nop,nop,TS[|tcp]>
21:11:32.471401 IP smackerpro.germans.54464 > real-world-systems.com.ssh: Flags [.], ack 128, win 8188, options [nop,nop,TS[|tcp]>
21:11:32.471516 IP smackerpro.germans.54464 > real-world-systems.com.ssh: Flags [P.], seq 33:65, ack 128, win 8192, options [nop,nop,TS[|tcp]>
21:11:32.555693 IP real-world-systems.com.ssh > smackerpro.germans.54464: Flags [.], ack 65, win 340, options [nop,nop,TS[|tcp]>
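An added example, not from the tcpdump man page: a minimal writer and reader for the pcap savefile format that -w produces and -r consumes, showing what a snaplen does to the stored records (each record keeps both the bytes saved and the original length, which is how -r knows to print [|proto]) and how a file cut off mid-record, the usual result of killing an unflushed capture, is detected. File paths and frame contents are constructed here for illustration.

```python
"""Added example (not from the tcpdump man page): pcap savefile writer
and reader demonstrating snaplen truncation. Sample data is constructed."""
import struct

PCAP_MAGIC = 0xA1B2C3D4           # microsecond-timestamp pcap (0xA1B23C4D = nanosecond)
PCAPNG_SHB = b"\x0a\x0d\x0d\x0a"  # pcap-ng Section Header Block, what pktap/-P produce
LINKTYPE_ETHERNET = 1             # DLT_EN10MB


def write_pcap(path, packets, snaplen=65535, linktype=LINKTYPE_ETHERNET):
    """packets: iterable of (timestamp, frame_bytes); written little-endian.

    Each record header stores incl_len (bytes actually saved, <= snaplen)
    and orig_len (bytes on the wire). A reader compares the two to learn
    that a packet was truncated."""
    with open(path, "wb") as f:
        # magic, version major/minor, thiszone, sigfigs, snaplen, linktype
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype))
        for ts, frame in packets:
            data = frame[:snaplen]
            sec = int(ts)
            usec = int(round((ts - sec) * 1_000_000))
            f.write(struct.pack("<IIII", sec, usec, len(data), len(frame)))
            f.write(data)


def read_pcap(path):
    """Return (snaplen, linktype, records); each record is a dict with
    ts, incl_len, orig_len, data and truncated (incl_len < orig_len).

    Raises ValueError for a pcap-ng file (a different format) and for a
    file that ends mid-record, as happens when a capture is killed with
    buffered output still unwritten (see -U)."""
    with open(path, "rb") as f:
        hdr = f.read(24)
        if hdr[:4] == PCAPNG_SHB:
            raise ValueError("pcap-ng file: needs a pcap-ng reader")
        if len(hdr) < 24:
            raise ValueError("not a pcap savefile")
        if struct.unpack("<I", hdr[:4])[0] == PCAP_MAGIC:
            e = "<"                       # written on a little-endian host
        elif struct.unpack(">I", hdr[:4])[0] == PCAP_MAGIC:
            e = ">"                       # written on a big-endian host
        else:
            raise ValueError("not a pcap savefile")
        _, _, _, _, snaplen, linktype = struct.unpack(e + "HHiIII", hdr[4:])
        records = []
        while True:
            rh = f.read(16)
            if not rh:
                break
            if len(rh) < 16:
                raise ValueError("truncated record header")
            sec, usec, incl, orig = struct.unpack(e + "IIII", rh)
            data = f.read(incl)
            if len(data) < incl:
                raise ValueError("truncated packet data (capture not flushed?)")
            records.append({"ts": sec + usec / 1e6, "incl_len": incl,
                            "orig_len": orig, "data": data,
                            "truncated": incl < orig})
        return snaplen, linktype, records


def truncated_count(path):
    """How many packets in the file lost bytes to the snaplen."""
    return sum(r["truncated"] for r in read_pcap(path)[2])
```

A file whose records all show incl_len == orig_len was captured with a sufficient snaplen; one that raises "truncated packet data" was not closed cleanly, which is the case -U exists to avoid.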
-u  Output undecoded NFS handles.
special options
-U  Unbuffered (packet-buffered) output to the -w file:
each packet is written to the savefile as soon as it is processed.
Default: wait until the output buffer fills.

-g  Do not insert a line break after the IP header in verbose mode, for easier parsing.
-P  Use the pcap-ng file format for -w. Apple modification.
-H  Attempt to detect 802.11s draft mesh headers.
-b  Output the AS number in BGP packets in ASDOT notation rather than ASPLAIN notation.
-B KiB
--buffer-size=KiB
Set the operating system capture buffer size, in units of KiB (1024 bytes). Raise it if SIGINFO reports packets dropped by the kernel.
-L
--list-data-link-types
List the data link types available for the interface, in the specified mode (see -I), and exit.
Data link types for pktap (use -y to set):
RAW (Raw IP)
PKTAP (Packet Tap)
-I
--monitor-mode
802.11 Wi-Fi: put the interface in monitor mode;
the adapter will probably disassociate from the network, so the host loses its Wi-Fi connection for the duration.

If -I isn't specified, only those link-layer types available when not in monitor mode are shown.
If -I is specified, only those link-layer types available when in monitor mode are shown.

Affects the output of -L (list link types).

-E  Decrypt IPsec ESP packets; only available if tcpdump was compiled with cryptography enabled.
spi@ipaddr algo:secret decrypts ESP packets that are addressed to ipaddr and contain Security Parameter Index value spi.
This combination may be repeated, separated by commas or newlines.
algo may be des-cbc, 3des-cbc, blowfish-cbc, rc3-cbc, cast128-cbc, or none. The default is des-cbc.
secret is the ASCII text of the ESP secret key; precede the value with 0x for hex.
The option assumes RFC2406 ESP, not RFC1827 ESP. The option is only for debugging purposes, and using it with a true `secret' key is discouraged: an IPsec secret key on the command line is visible to other users via ps (and ends up in shell history). The syntax -E "file name" instead reads the spi@ipaddr algo:secret lines from the named file, which is opened only when the first ESP packet arrives, i.e. after -Z has dropped privileges.
-K
--dont-verify-checksums
Don't verify IP, TCP, or UDP checksums. Useful for interfaces that compute checksums in hardware (checksum offload); otherwise
all outgoing TCP checksums are flagged as bad, because packets are captured before the hardware fills them in.

-p
--no-promiscuous-mode
Don't put the interface into promiscuous mode.
The interface might be in promiscuous mode for some other reason;
hence -p cannot be used as an abbreviation for ether host {local-hw-addr} or ether broadcast.

-m module  Load SMI MIB module definitions from file module. Can be used several times to load several MIB modules.

-M secret  Use secret as a shared secret for validating the digests found in TCP segments with the TCP-MD5 option (RFC 2385), if present. The same command-line exposure as for -E applies.
-d Dump the compiled packet-matching code in a human readable form to standard output and stop.
-dd Dump packet-matching code as a C program fragment.
-ddd Dump packet-matching code as decimal numbers (preceded with a count).

-O
--no-optimize
Do not run the packet-matching code optimizer. Only useful if you suspect a bug in the optimizer.

-T type  Force packets selected by expression to be interpreted as type:
aodv (Ad-hoc On-demand Distance Vector protocol), cnfp (Cisco NetFlow protocol), rpc (Remote Procedure Call), rtp (Real-Time Applications protocol), rtcp (Real-Time Applications control protocol), snmp (Simple Network Management Protocol), tftp (Trivial File Transfer Protocol), vat (Visual Audio Tool), and wb (distributed White Board).
-R  Assume ESP/AH packets to be based on the old specification (RFC1825 to RFC1829). If specified, tcpdump will not output the replay prevention field. Since there is no protocol version field in the ESP/AH specification, tcpdump cannot deduce the version of the ESP/AH protocol.
-y
--linktype=dataLinkType
Set the data link type
-Z user
--relinquish-privileges=user
If running as root: after opening the capture device or input savefile,
but before opening savefiles for output,
change the user ID to user and the group ID to the primary group of user.
This can be enabled by default at compile time.
Files written with -w are then owned by user, so the output directory must be writable by that user.
-h  Print help and exit:
tcpdump version 4.3.0 -- Apple version 56
libpcap version 1.3.0 - Apple version 41
Usage: tcpdump [-aAbdDefhHgIJkKlLnNOpPqQ:RStuUvxX] [ -B size ] [ -c count ]
        [ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
        [ -i interface ] [ -j tstamptype ] [ -M secret ]
        [ -Q metadata-filter-expression ]
        [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]
        [ -W filecount ] [ -y datalinktype ] [ -z command ]
        [ -Z user ] [ expression ]

expression

Selects which packets will be dumped. Default: all.
For the expression syntax, see pcap-filter(7).

The expression can be passed as either a single argument or as multiple arguments.
If the expression contains shell metacharacters, it is easier to pass it as a single, quoted argument.
Multiple arguments are concatenated with spaces before being parsed.

EXAMPLES

packets arriving at or departing from sundown:
      tcpdump host sundown

traffic between helios and either hot or ace:
      tcpdump host helios and \( hot or ace \) # escaping parentheses

IP packets between ace and any host except helios:
      tcpdump ip host ace and not helios

traffic between local hosts and hosts at Berkeley:
      tcpdump net ucb-ether

ftp traffic through internet gateway sunup:
      (the expression is quoted to prevent the shell from interpreting the parentheses):
      tcpdump 'gateway sunup and (port ftp or ftp-data)'

traffic neither sourced from nor destined for local hosts (if you gateway to one other net, this should never make it onto your local net):
     tcpdump ip and not net localnet

the start and end packets (the SYN and FIN packets) of each TCP conversation that involves a non-local host:
     tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet' # fails!
In these two examples localnet stands for a name from the networks database (/etc/networks); if the name does not resolve the expression fails to parse, so substitute a numeric network, e.g. net 192.168.1.0/24.

HTTP packets to & from port 80, only packets that contain data, not, for example, SYN and FIN packets and ACK-only packets.
     tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

IP packets longer than 576 bytes sent through gateway sunup:
      tcpdump 'gateway sunup and ip[2:2] > 576' # ip[2:2] is the IP total length field

IP broadcast or multicast packets that were not sent via Ethernet broadcast or multicast:
      tcpdump 'ether[0] & 1 = 0 and ip[16] >= 224' # broadcast/multicast destination IP, but unicast Ethernet destination

all ICMP packets that are not echo requests/replies (i.e., not ping packets):
      tcpdump 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply' #ICMP not pings
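An added example, not from the tcpdump man page: the byte-index filter expressions from the examples above (the TCP payload-length arithmetic, the SYN/FIN flags test and the Ethernet-versus-IP multicast check), evaluated in Python over constructed Ethernet/IPv4/TCP frames so the arithmetic can be checked by hand. As in pcap-filter(7), ip[n] is indexed from the start of the IP header and tcp[n] from the start of the TCP header (after any IP options), which is why the IP header length is computed from ip[0] rather than assumed to be 20 bytes. The MAC and IP addresses in the test frames are made up.

```python
"""Added example (not from the tcpdump man page): evaluate the
byte-index filter expressions over constructed frames."""
import ipaddress
import struct

TCP_FIN, TCP_SYN, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x08, 0x10


def build_frame(dst_mac, src_mac, src_ip, dst_ip, sport, dport, flags,
                payload=b"", ip_options=b"", tcp_options=b""):
    """Constructed Ethernet II + IPv4 + TCP frame; checksums left at 0
    (tcpdump only verifies them with -v, and -K turns that off)."""
    assert len(ip_options) % 4 == 0 and len(tcp_options) % 4 == 0
    ihl = 5 + len(ip_options) // 4            # IP header length in 32-bit words
    doff = 5 + len(tcp_options) // 4          # TCP data offset in 32-bit words
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, doff << 4, flags,
                      8192, 0, 0) + tcp_options + payload
    total = ihl * 4 + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0x1234,
                     0x4000, 64, 6, 0, ipaddress.ip_address(src_ip).packed,
                     ipaddress.ip_address(dst_ip).packed) + ip_options + tcp
    return (bytes.fromhex(dst_mac.replace(":", ""))
            + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00" + ip)


def ip_hdr(frame):
    """ip[...] : bytes from the IP header on (14-byte Ethernet header skipped)."""
    return frame[14:]


def tcp_hdr(frame):
    """tcp[...] : bytes from the TCP header on; IP header length is (ip[0]&0xf)<<2."""
    ip = ip_hdr(frame)
    return ip[(ip[0] & 0xF) << 2:]


def tcp_payload_len(frame):
    """((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2))

    ip[2:2]            IP total length
    (ip[0]&0xf)<<2     IP header length (IHL * 4)
    (tcp[12]&0xf0)>>2  TCP header length (data offset * 4)
    A '!= 0' test keeps only segments carrying data: bare SYN, FIN and
    ACK-only segments evaluate to 0."""
    ip, tcp = ip_hdr(frame), tcp_hdr(frame)
    return (int.from_bytes(ip[2:4], "big")
            - ((ip[0] & 0xF) << 2) - ((tcp[12] & 0xF0) >> 2))


def is_syn_or_fin(frame):
    """tcp[tcpflags] & (tcp-syn|tcp-fin) != 0   (tcpflags is tcp[13])"""
    return (tcp_hdr(frame)[13] & (TCP_SYN | TCP_FIN)) != 0


def ip_mcast_on_unicast_ether(frame):
    """ether[0] & 1 = 0 and ip[16] >= 224

    Bit 0 of ether[0] is the group bit of the destination MAC; ip[16] is
    the first byte of the destination IP (224 and above is multicast or
    broadcast). True means a group address was sent to a unicast MAC."""
    return (frame[0] & 1) == 0 and ip_hdr(frame)[16] >= 224
```

Adding IP or TCP options to a frame shifts every tcp[n] offset; the expressions above still give the right answer because they derive both header lengths from the packet, which is the reason the man page's HTTP example does not simply test ip[2:2] != 40.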

Output format

Protocol dependent.

Link Level Headers

with -e the link level header is displayed.