dump traffic on a network

tcpdump [ -AbdDefhgHIJKlLnNOpPqRStuUvxX ]
[ -B buffer_size ]
-c count ] [ -C file_size ] [ -G rotate_seconds ] [ -F file ]
[ -i interface ] [ -j tstamp_type ] [ -k (metadata_arg) ]
[ -m module ] [ -M secret ]
[ -n ] [ -N ]
[ -w file ][ -r file ]
[ -s snaplen ] [ -T type ]
[ -W filecount ]
[ -E spi@ipaddr algo:secret,... ]
[ -y datalinktype ] [ -z postRotate-command ] [ -Z user ]
[ -Q packet-metadata-filter ]
[ expression]

from man page for version 4.3.0 -- Apple version 56,
libpcap version 1.3.0 - Apple version 41
see -h
The latest release as of 11/05/16 from is Version: 4.8.1 / 1.8.1,
the documentation is current as of September 2015
Severly terseified by DG12
see the man page for the true(?) story

Outputs packets on a network interface that match the boolean expression.

-w, writes the packet data to a file for later analysis,
-r, reads from a saved file .
In all cases, only packets that match expression will be processed.

Continues until it is interrupted by a SIGINT signal (generated, by typing the interrupt character, typically ^C) or
a SIGTERM signal (typically generated with the kill command) or
Using -c the specified number of packets have been processed.

On SIGINFO ( typing status character, frequently ^T, set via stty status ^T) reports:

   packets captured
   packets received by filter (depends on the OS and it's configuration)
   packets dropped by kernel (due to a lack of buffer space,
     by the packet capture mechanism in the OS

Reading packets from a network interface requires privileges, from a saved packet file doesn't .


Verify syslog entries are being forwarded.
Use sudo tcpdump -i en1 host and udp port 514 #

General TCP monitor (without header display, removing multiple "dots" and activity to google (
sudo tcpdump -A -q tcp |sed "s/\.\.//g ; /"


Display the interfaces which tcpdump can capture.
name or the number can be supplied to -i


Darwin systems: pseudo set of interfaces (excludes loopback and tunnel).
Other OSes, searches for the lowest numbered, configured, up interface (excluding loopback).

pktap followed by a list of interfaces captures packet from multiple interfaces.
For example, to capture on the loopback and en0 :

tcpdump -i pktap,lo0,en0

all or pktap,all includes loopback and tunnel .

pktap pseudo interface provides for packet metadata using the default PKTAP data link type and files are written in the Pcap-ng file format.
The RAW data link type must be used to use the pcap-savefile format with a ptkap

iptap captures packets at the IP layer as they are passed to the I/O routines of the IP protocol handlers.

any on Linux captures packets from all interfaces.

-l Make stdout line buffered. helpful to view output while capturing it to a file.

tcpdump -l | tee dat # have data from stdout also go to dat
tcpdump -l > dat & tail -f dat # send output to dat and have tail show it

-F ffile Filters are in ffile
-Q filter is based on packet metadata information like interface or process name.
-c count Exit after receiving count packets.
-w nn nn max number of files, creating a 'rotating' buffer.
-w ofile
Write raw packets to ofile, to be processed with -r. stdout if ofile is -.
Output is buffered, program reading from the pipe will be delayed. see -U
   -C MB Close ofile when it reaches MB and open a new one.
   -G secs rotates ofile every secs. of must include a time format as defined by strftime
Example: %y%m%d.%H%M%S creates files like 170720.185958
If no time format is specified, each new file will overwrite the previous saving only the last group of packets.
       -z command with -C or -G spawn command of after each rotation.
Example, -z gzip : Run in parallel to capture

To use a command that takes flags or different arguments, write a script that will take of as the only argument, make the flags & arguments arrangements and execute the command.
Example 'ls -l' is not acceptable

Set the operating system capture buffer size
802.11 Wi-Fi: Put the interface in monitor mode;
the adapter might disassociate from the network
Don't put the interface into promiscuous mode, it might already be in promiscuous mode
-p cannot be used as an abbreviation for ether host {local-hw-addr} or ether broadcast.

If -I isn't specified, only those link-layer types available when not in monitor mode will be shown.
If -I is     specified, only those link-layer types available when      in monitor mode will be shown.

Affects output of -L (list link types).

after opening the capture device or input savefile,
before opening savefiles for output,
change the user ID to user and the group ID to the primary group of user.
can be enabled by default at compile time.
-r fileRead packets from file (created with -w ). Stdin if -.
-V ifRead a list of filenames from file. Standard input if -.
options affecting output format
-k fmt metadata displayed as :
                     I     interface name (or interface ID)
                     N     process name          P     process ID
                     S     service class         D     direction
                     C     comment
Default: all metadata information is output.
-f foreign ( outside local network as per netmask) addresses displayed numerically
-n no DNS lookup, i.e. Don't convert addresses (i.e., host addresses, port numbers, etc.) to names.
-N Don't output domain name qualification of host names. Example nic instead of
output the packet number at the beginning of each line.
-S Sequence numbers are absolute, rather than relative
timestamp formats
-ttt delta between current and previous line
00:00:00.000000 IP6 kitchen.local.57002 > ff02::c.ssdp: UDP, length 146
00:00:01.715637 ARP, Request who-has rtr.germans tell kitchen.germans, length 46
00:00:02.723892 IP smackerpro.germans.50015 > UDP, length 16 
                 i.e. nearly 3 second delay
00:00:00.000170 IP smackerpro.germans.63948 > UDP, length 16
00:00:01.553977 IP6 kitchen.local.57002 > ff02::c.ssdp: UDP, length 146
-t Don't output a timestamp
-tttt proceeded by date
2015-08-24 20:38:18.302298 IP6 kitchen.local.dhcpv6-client > ff02::1:2.dhcpv6-server: dhcp6 solicit
2015-08-24 20:38:18.488840 ARP, Request who-has rtr.germans (00:7f:28:cc:a9:f1 (oui Unknown)) 
                                tell smackerpro.germans, length 28
2015-08-24 20:38:18.493460 ARP, Reply rtr.germans is-at 00:7f:28:cc:a9:f1 (oui Unknown), length 28
2015-08-24 20:38:18.493479 IP smackerpro.germans.61993 > rtr.germans.domain: 43740+ 
                                PTR? … (90)
2015-08-24 20:38:18.515142 IP rtr.germans.domain > smackerpro.germans.61993: 43740 NXDomain 0/1/0 (160)
-ttttt delta between current and first line
00:00:00.000000 IP smackerpro.germans.58805 > UDP, length 16
00:00:00.000458 IP smackerpro.germans.55641 > UDP, length 16
00:00:00.943611 IP smackerpro.germans.64954 > rtr.germans.domain: 36632+ PTR?   
00:00:00.970220 IP rtr.germans.domain > smackerpro.germans.64954: 36632 NXDomain 0/0/0 (44)
-tt unformatted timestamp
1440463224.469005 IP smackerpro.germans.59385 > UDP, length 16
1440463224.469114 IP smackerpro.germans.57110 > UDP, length 16
1440463224.565954 IP6 kitchen.local.57002 > ff02::c.ssdp: UDP, length 146
1440463224.972287 ARP, Request who-has rtr.germans tell kitchen.germans, length 46
1440463224.973449 IP6 kitchen.local.59525 > ff02::1:3.llmnr: UDP, length 22
20:43:04.598040 ARP, Reply rtr.germans is-at 00:7f:28:cc:a9:f1 (oui Unknown), length 28
-t n alternate form :
                     0     time
                     1     no time
                     2     unformatted timestamp
                     3     microseconds since previous line
                     4     date and time
                     5     microseconds since first line
May be specified more than once to display more than one
-j tstamp_type Set the time stamp type, names are given in pcap-tstamptype(7); not all the types listed there will necessarily be valid for any given interface.
-J List time stamp types. (Time stamp type cannot be set for pktap
-q Quick (quiet?) less protocol information
-v verbose (slightly more) .
time to live, identification, total length and options in an IP packet.
-v -v acknowledgement packets and additional header information is output, such as the the RX call ID, call number, sequence number, serial number, and the RX packet flags.
The MTU negotiation information is also output from RX ack packets.

Also enables additional packet integrity checks such as verifying the IP and ICMP header checksum.

-vvvery verbose . For example, additional fields are output from NFS reply packets, and SMB packets are fully decoded.
-vvv Even more verbose . For example, telnet SB ... SE options are output in full. With -X Telnet options are output in hex as well. -v -v -v the security index and service id are output.

-A ASCII. data(no link level header) (of course if compressed or https nothing nice)
00:00:00.000922 IP smacpro.germans.56365 > 
            Flags [P.], seq 1:703, ack 1, win 4117, options [nop,nop,TS val 220648777 ecr 2052334652], length 702: 
            HTTP: GET /docs/tcpdump.1.html HTTP/1.1
.&.IzT$<GET /docs/tcpdump.1.html HTTP/1.1
Accept-Encoding: gzip, deflate
Cookie: __qca=P0-472395794-1494962774467; __utma=19090107.403546298.1494962774.1494962774.1494962774.1; 
        __utmz=19090107.1494962774.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); _ga=GA1.2.854528007.1493235425; 
            C=1013; L=1496612052052; U=1491870498463; drdate=151025; meeting=120921
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/602.4.8 
                        (KHTML, like Gecko) Version/10.0.3 Safari/602.4.8
Accept-Language: en-us
DNT: 1
Cache-Control: max-age=0

00:00:00.077823 IP > smacpro.germans.56365: 
            Flags [.], ack 703, win 125, options [nop,nop,TS val 2052334731 ecr 220648777], length 0
00:00:00.057503 IP > smacpro.germans.56365: 
            Flags [.], seq 1:1449, ack 703, win 125, options [nop,nop,TS val 2052334787 ecr 220648777], length 1448: 
    HTTP: HTTP/1.1 200 OK
zT$..&.IHTTP/1.1 200 OK
Date: Sun, 04 Jun 2017 22:08:40 GMT
Server: Apache
Last-Modified: Sun, 04 Jun 2017 21:57:40 GMT
Accept-Ranges: bytes
Content-Length: 51124
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html

<!doctype html>
-x heX headers and data (no link level header).
-X hex headers and ASCII data (no link level header)
00:00:00.000922 IP smacpro.germans.56365 > 
      Flags [P.], seq 1:703, ack 1, win 4117, options [nop,nop,TS val 220648777 ecr 2052334652], length 702: 
      HTTP: GET /docs/tcpdump.1.html HTTP/1.1
    0x0000:  4500 02f2 d4b7 4000 4006 7c03 c0a8 0102  E.....@.@.|.....
    0x0010:  ae7f 7721 dc2d 0050 aa8f 6084 94d1 7b35  ..w!.-.P..`...{5
    0x0020:  8018 1015 2fad 0000 0101 080a 0d26 d549  ..../........&.I
    0x0030:  7a54 243c 4745 5420 2f64 6f63 732f 7463  zT$<GET./docs/tci…
-xx hex headers, link level header & hexdata
00:00:00.000922 IP smacpro.germans.56365 > 
                Flags [P.], seq 1:703, ack 1, win 4117, options [nop,nop,TS val 220648777 ecr 2052334652], length 702: 
    HTTP: GET /docs/tcpdump.1.html HTTP/1.1
    0x0000:  007f 28cc a9f1 4c32 7597 3bad 0800 4500
    0x0010:  02f2 d4b7 4000 4006 7c03 c0a8 0102 ae7f
    0x0020:  7721 dc2d 0050 aa8f 6084 94d1 7b35 8018
    0x0030:  1015 2fad 0000 0101 080a 0d26 d549 7a54
    0x0040:  243c 4745 5420 2f64 6f63 732f 7463 7064
    0x0050:  756d 702e 312e 6874 6d6c 2048 5454 502f
-XX hex headers, link level header & ASCII data (of course if compressed or https nothing nice). (big)
    00:00:00.000922 IP smacpro.germans.56365 > 
    Flags [P.], seq 1:703, ack 1, win 4117, options [nop,nop,TS val 220648777 ecr 2052334652], length 702: 
    HTTP: GET /docs/tcpdump.1.html HTTP/1.1
    0x0000:  007f 28cc a9f1 4c32 7597 3bad 0800 4500  ..(...L2u.;...E.
    0x0010:  02f2 d4b7 4000 4006 7c03 c0a8 0102 ae7f  ....@.@.|.......
    0x0020:  7721 dc2d 0050 aa8f 6084 94d1 7b35 8018  w!.-.P..`...{5..
    0x0030:  1015 2fad 0000 0101 080a 0d26 d549 7a54  ../........&.IzT
    0x0040:  243c 4745 5420 2f64 6f63 732f 7463 7064  $<GET./docs/tcpd
    0x0050:  756d 702e 312e 6874 6d6c 2048 5454 502f  ump.1.html.HTTP/
    0x0060:  312e 310d 0a48 6f73 743a 2072 6561 6c2d  1.1..Host:.real-
    0x0070:  776f 726c 642d 7379 7374 656d 732e 636f
    0x0080:  6d0d 0a41 6363 6570 742d 456e 636f 6469  m..Accept-Encodi
    0x0090:  6e67 3a20 677a 6970 2c20 6465 666c 6174  ng:.gzip,.deflat
    0x00a0:  650d 0a43 6f6f 6b69 653a 205f 5f71 6361  e..Cookie:.__qca
    0x00b0:  3d50 302d 3437 3233 3935 3739 342d 3134  =P0-472395794-14 … 
    0x01b0:  3b20 6d65 6574 696e 673d 3132 3039 3231  ;.meeting=120921
    0x01c0:  0d0a 436f 6e6e 6563 7469 6f6e 3a20 6b65
    0x01d0:  6570 2d61 6c69 7665 0d0a 5570 6772 6164  ep-alive..Upgrad
    0x01e0:  652d 496e 7365 6375 7265 2d52 6571 7565  e-Insecure-Reque
    0x01f0:  7374 733a 2031 0d0a 4163 6365 7074 3a20  sts:.1..Accept:.
    0x0200:  7465 7874 2f68 746d 6c2c 6170 706c 6963  text/html,applic
    0x0210:  6174 696f 6e2f 7868 746d 6c2b 786d 6c2c  ation/xhtml+xml,
    0x0220:  6170 706c 6963 6174 696f 6e2f 786d 6c3b  application/xml;
    0x0230:  713d 302e 392c 2a2f 2a3b 713d 302e 380d  q=0.9,*/*;q=0.8.
    0x0240:  0a55 7365 722d 4167 656e 743a 204d 6f7a  .User-Agent:.Moz
    0x0250:  696c 6c61 2f35 2e30 2028 4d61 6369 6e74  illa/5.0.(Macint
    0x0260:  6f73 683b 2049 6e74 656c 204d 6163 204f  osh;.Intel.Mac.O
    0x0270:  5320 5820 3130 5f31 325f 3329 2041 7070  S.X.10_12_3).App
    0x0280:  6c65 5765 624b 6974 2f36 3032 2e34 2e38  leWebKit/602.4.8
    0x0290:  2028 4b48 544d 4c2c 206c 696b 6520 4765  .(KHTML,.like.Ge
    0x02a0:  636b 6f29 2056 6572 7369 6f6e 2f31 302e  cko).Version/10.
    0x02b0:  302e 3320 5361 6661 7269 2f36 3032 2e34  0.3.Safari/602.4
    0x02c0:  2e38 0d0a 4163 6365 7074 2d4c 616e 6775  .8..Accept-Langu
    0x02d0:  6167 653a 2065 6e2d 7573 0d0a 444e 543a  age:.en-us..DNT:
    0x02e0:  2031 0d0a 4361 6368 652d 436f 6e74 726f  .1..Cache-Contro
    0x02f0:  6c3a 206d 6178 2d61 6765 3d30 0d0a 0d0a  l:.max-age=0....

-e link-level header on each dump line.
-s snaplen select only snaplen bytes from each packet.
Truncation is indicated with [|proto],
  where proto is the name of the protocol level at which the truncation occurred.
Processing more data increases the amount of time it takes to process, decreases the amount of buffering and may cause packets to be lost.
Limit snaplen to the smallest number that will capture the protocol information of interest .
0 sets it to the default of 65,535.(too big)
 tcpdump -s170
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pktap, link-type PKTAP (Packet Tap), capture size 170 bytes
21:11:25.505529 IP > UDP, length 12  who is that, dynamically allocated
21:11:27.250939 IP smackerpro.germans.58906 > UDP, length 16
21:11:27.251041 IP smackerpro.germans.53293 > UDP, length 16
21:11:27.452579 IP6 kitchen.local.57002 > ff02::c.ssdp: UDP, length 146
21:11:28.480467 IP > broadcasthost.21302: UDP, length 680
21:11:30.011403 IP6 kitchen.local > ff02::16: HBH [|icmp6]
21:11:30.012635 IP6 kitchen.local > ff02::16: HBH [|icmp6]
21:11:30.013558 ARP, Request who-has rtr.germans tell kitchen.germans, length 46
21:11:30.014727 IP6 kitchen.local > ff02::16: HBH [|icmp6]
21:11:30.015971 IP6 kitchen.local > ff02::16: HBH [|icmp6]
21:11:30.017047 IP6 kitchen.local.54991 > ff02::1:3.llmnr: UDP, length 25
21:11:30.018023 IP kitchen.germans.51970 > UDP, length 25
21:11:30.113817 IP6 kitchen.local > ff02::16: HBH [|icmp6]
21:11:30.114988 IP6 kitchen.local.54991 > ff02::1:3.llmnr: UDP, length 25
21:11:30.115981 IP kitchen.germans.51970 > UDP, length 25
21:11:30.319288 IP kitchen.germans.57004 > UDP, length 133
21:11:30.421988 IP6 kitchen.local.57002 > ff02::c.ssdp: UDP, length 146
21:11:30.740267 ARP, Request who-has rtr.germans (00:7f:28:cc:a9:f1 (oui Unknown)) 
                                        tell smackerpro.germans, length 28
21:11:30.744062 ARP, Reply rtr.germans is-at 00:7f:28:cc:a9:f1 (oui Unknown), length 28
21:11:30.744082 IP smackerpro.germans.54379 > rtr.germans.domain: 9601+[|domain]
21:11:30.770767 IP rtr.germans.domain > smackerpro.germans.54379: 9601 NXDomain[|domain]
21:11:32.471347 IP > smackerpro.germans.54464: 
            Flags [P.], seq 64:128, ack 33, win 340, 
                                                    options [nop,nop,TS[|tcp]>
21:11:32.471401 IP smackerpro.germans.54464 > 
            Flags [.], ack 128, win 8188, 
                                                    options [nop,nop,TS[|tcp]>
21:11:32.471516 IP smackerpro.germans.54464 > 
            Flags [P.], seq 33:65, ack 128, win 8192, 
                                                    options [nop,nop,TS[|tcp]>
21:11:32.555693 IP > smackerpro.germans.54464: 
            Flags [.], ack 65, win 340, 
                                                    options [nop,nop,TS[|tcp]>
-U Unbuffered output.
When packet analysis is complete, it will be written to the output.
Default: wait until the output buffer fills.

-g Do not insert line break after IP header in verbose mode for easier parsing.
-P Use the pcap-ng file format.
-H Attempt to detect 802.11s mesh headers.
-b BGP packets: the AS number in ASDOT notation rather than ASPLAIN notation.
List data link types, in the specified mode, and exit.
Data link types for pktap (use -y to set):
RAW (Raw IP)
PKTAP (Packet Tap)
-E decrypt packets. Use spi@ipaddr algo:secret for decrypting IPsec ESP packets that are addressed to addr and contain Security Parameter Index value spi.
This combination may be repeated with comma or newline separation.
Algorithms may be des-cbc, 3des-cbc, blowfish-cbc, rc3-cbc, cast128-cbc, or none. default des-cbc.
secret is the ASCII text for ESP secret key. preceed value with 0x for hex.
By presenting IPsec secret key onto command line it is visible to others, via ps etc.
-M Use secret as a shared secret for validating the digests found in TCP segments with the TCP-MD5 option (RFC 2385), if present.
Don't verify IP, TCP, or UDP checksums.
(for interfaces that create checksum via hardware; otherwise, outgoing TCP checksums will be flagged as bad.)
-u output undecoded NFS handles.
-m moduleLoad SMI MIB module definitions from file module. can be used several times to load several MIB modules
-d Dump the compiled packet-matching code in a human readable form to standard output and stop.
-dd Dump packet-matching code as a C program fragment.
-ddd Dump packet-matching code as decimal numbers (preceded with a count).
-T ttt Force packets selected by "expression" to be interpreted as:
aodv (Ad-hoc On-demand Distance Vector protocol),
cnfp (Cisco NetFlow protocol), rpc (Remote Procedure Call),
rtp (Real-Time Applications protocol),
rtcp (Real-Time Applications control protocol), snmp (Simple Network Management Protocol),
tftp (Trivial File Transfer Protocol), vat (Visual Audio Tool), and
wb (distributed White Board).
-R Assume ESP/AH packets to be based on old specification
Set the data link type
-h Help and of 6/4/17
tcpdump version 4.7.3 -- Apple version 79 
libpcap version 1.7.4 - Apple version 67
Usage: tcpdump [-aAbdDefhHgIJkKlLnNOpPqQ:RStuUvxX] [ -B size ] [ -c count ]
Usage: tcpdump [-aAbdDefhHIJKlLnNOpqRStuUvxX#] [ -B size ] [ -c count ]
        [ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
        [ -i interface ] [ -j tstamptype ] [ -M secret ]
        [ -Q metadata-filter-expression ]
        [ -r file ] [ -s snaplen ] [ --immediate-mode ] [ -T type ] [ --version ]  [ -V file ]
        [ -w file ] [ -W filecount ] [ -y datalinktype ] [ -z command ]
        [ -Z user ] [ expression ]


selects which packets will be dumped. Default: all
For the expression syntax, see pcap-filter.

Expression arguments can be passed as either a single argument or as multiple arguments.
if the expression contains Shell metacharacters, it is easier to pass it as a single, quoted argument.
Multiple arguments are concatenated with spaces before being parsed.


packets arriving at or departing from sundown:
      tcpdump host sundown

traffic between helios and either hot or ace:
      tcpdump host helios and \( hot or ace \) # escaping parentheses

IP packets between ace and any host except helios:
      tcpdump ip host ace and not helios

traffic between local hosts and hosts at Berkeley:
      tcpdump net ucb-ether

ftp traffic through internet gateway sunup:
      (the expression is quoted to prevent the shell from interpreting the parentheses):
      tcpdump 'gateway sunup and (port ftp or ftp-data)'

traffic neither sourced from nor destined for local hosts (if you gateway to one other net, this should never make it onto your local net).
     tcpdump ip and not net localnet

the start and end packets (the SYN and FIN packets) of each TCP conversation that involves a non-local host.
     tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet' # fails!

HTTP packets to & from port 80, only packets that contain data, not, for example, SYN and FIN packets and ACK-only packets.
     tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

IP packets longer than 576 bytes sent through gateway sunup:
      tcpdump 'gateway sunup and ip[2:2] > 576' # len

IP broadcast or multicast packets that were not sent via Ethernet broadcast or multicast:
      tcpdump 'ether[0] & 1 = 0 and ip[16] >= 224' # BCST & muticast NOT sent via eth or multicast

all ICMP packets that are not echo requests/replies (i.e., not ping packets):
      tcpdump 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply' #ICMP not pings

Output format

Protocol dependent.

Link Level Headers

with -e the link level header is displayed.