NAME

SYNOPSIS

DESCRIPTION

-a

Attempt to convert network and broadcast addresses to names.

-c count

Exit after receiving count packets.

-D direction

Select packets flowing in the specified direction. Valid directions are: -in and -out. The default is to accept packets flowing in any direction.

-d

Dump the compiled packet-matching code in a human readable form to standard output and stop.

-dd

Dump packet-matching code as a C program fragment.

-ddd

Dump packet-matching code as decimal numbers preceded with a count.

-E Oo espalg: Oc espkey Try to decrypt RFC 2406 ESP (Encapsulating Security Payload) traffic using the specified hex key espkey. Supported algorithms for espalg are: -aes128, -aes128-hmac96, -blowfish, -blowfish-hmac96, -cast, -cast-hmac96, -des3, -des3-hmac96, -des and -des-hmac96. The algorithm defaults to -aes128-hmac96. This option should be used for debugging only, since the key will show up in ps(1) output.

-e

Print the link-level header on each dump line.

-F file

Use file as input for the filter expression. Any additional expressions given on the command line are ignored.

-f

Print “foreign” internet addresses numerically rather than symbolically. This option is intended to get around serious brain damage in Sun's yp server \(em usually it hangs forever translating non-local internet numbers.

-I

Print the interface on each dump line.

-i interface

Listen on interface. If unspecified, tcpdump searches the system interface list for the lowest numbered, configured “up” interface (excluding loopback). Ties are broken by choosing the earliest match.

-L

List the supported data link types for the interface and exit.

-l

Make stdout line buffered. Useful if you want to see the data while capturing it. For example:

     # tcpdump -l | tee dat or      # tcpdump -l > dat & tail -f dat

-N

Do not print domain name qualification of host names. For example, if you specify this flag then tcpdump will print “nic” instead of “nic.ddn.mil”.

-n

Do not convert addresses (host addresses, port numbers, etc.) to names.

-O

Do not run the packet-matching code optimizer. This is useful only if you suspect a bug in the optimizer.

-o

Print a guess of the possible operating system(s) of hosts that sent TCP SYN packets. See pf.os(5) for a description of the passive operating system fingerprints.

-p

Do not put the interface into promiscuous mode. The interface might be in promiscuous mode for some other reason; hence, -p cannot be used as an abbreviation for “ether host \&"{local-hw-addr}\&"” or “ether broadcast”.

-q

Quick (quiet?) output. Print less protocol information so output lines are shorter.

-r file

Read packets from a file which was created with the -w option. Standard input is used if file is "-".

-S

Print absolute, rather than relative, TCP sequence numbers.

-s snaplen

Analyze at most the first snaplen bytes of data from each packet rather than the default of 96. 96 bytes is adequate for IP, ICMP, TCP, and UDP, but may truncate protocol information from name server and NFS packets (see below). Packets truncated because of a limited snaplen are indicated in the output with “[\*(Ba ]”, where proto is the name of the protocol level at which the truncation has occurred. Taking larger snapshots both increases the amount of time it takes to process packets and, effectively, decreases the amount of packet buffering. This may cause packets to be lost. You should limit snaplen to the smallest number that will capture the protocol information you're interested in.

-T type

Force packets selected by expression to be interpreted as the specified type. Currently known types are -vrrp (Virtual Router Redundancy protocol), -cnfp (Cisco NetFlow protocol), -rpc (Remote Procedure Call), -rtp (Real-Time Applications protocol), -rtcp (Real-Time Applications control protocol), -sack (RFC 2018 TCP Selective Acknowledgements Options), -tcp (Transmission Control Protocol), -vat (Visual Audio Tool), and -wb (distributed White Board).

-t

Do not print a timestamp on each dump line.

-tt

Print an unformatted timestamp on each dump line.

-ttt

Print day and month in timestamp.

-tttt

Print timestamp difference between packets.

-ttttt

Print timestamp difference since the first packet.

-v

(Slightly more) verbose output. For example, the time to live (TTL) and type of service (ToS) information in an IP packet are printed.

-vv

Even more verbose output. For example, additional fields are printed from NFS reply packets.

-w file

Write the raw packets to file rather than parsing and printing them out. They can be analyzed later with the -r option. Standard output is used if file is "-".

-X

Print each packet (minus its link-level header) in hex and ASCII. The smaller of the entire packet or snaplen bytes will be printed.

-x

Print each packet (minus its link-level header) in hex. The smaller of the entire packet or snaplen bytes will be printed.

-y datalinktype

Set the data link type to use while capturing to datalinktype. Commonly used types include -EN10MB, -IEEE802_11, and -IEEE802_11_RADIO. The choices applicable to a particular device can be listed using -L.

type

Specify which kind of address component the id name or number refers to. Possible types are -host, -net and -port. E.g., “host foo”, “net 128.3”, “port 20”. If there is no type qualifier, -host is assumed.

dir

Specify a particular transfer direction to and/or from id. Possible directions are -src, -dst, -srcor dst, -srcand dst, -addr1, -addr2, -addr3, and -addr4. E.g., “src foo”, “dst net 128.3”, “src or dst port ftp-data”. If there is no dir qualifier, -srcor dst is assumed. The -addr1, -addr2, -addr3, and -addr4 qualifiers are only valid for IEEE 802.11 Wireless LAN link layers. For null link layers (i.e., point-to-point protocols such as SLIP (Serial Line Internet Protocol) or the pflog(4) header), the -inbound and -outbound qualifiers can be used to specify a desired direction.

proto

Restrict the match to a particular protocol. Possible protocols are: -ah, -arp, -atalk, -decnet, -esp, -ether, -fddi, -icmp, -icmp6, -igmp, -igrp, -ip, -ip6, -lat, -mopdl, -moprc, -pim, -rarp, -sca, -stp, -tcp, -udp, and -wlan. E.g., “ether src foo”, “arp net 128.3”, “tcp port 21”, “wlan addr1 0:2:3:4:5:6”. If there is no protocol qualifier, all protocols consistent with the type are assumed. E.g., “src foo” means “ (ip or arp or rarp) src foo ” (except the latter is not legal syntax); “net bar” means “ (ip or arp or rarp) net bar ”; and “port 53” means “ (TCP or UDP) port 53 ”.

-fddi is actually an alias for -ether; the parser treats them identically as meaning " the data link level used on the specified network interface ". FDDI (Fiber Distributed Data Interface) headers contain Ethernet-like source and destination addresses, and often contain Ethernet-like packet types, so you can filter on these FDDI fields just as with the analogous Ethernet fields. FDDI headers also contain other fields, but you cannot name them explicitly in a filter expression.

-dsthost host

True if the IP destination field of the packet is host, which may be either an address or a name.

-srchost host

True if the IP source field of the packet is host.

-hosthost

True if either the IP source or destination of the packet is host.

Any of the above host expressions can be prepended with the keywords, -ip, -arp, or -rarp as in:

     Cm ip host Ar host

which is equivalent to: -etherproto ip -andhost host

If host is a name with multiple IP addresses, each address will be checked for a match.

-etherdst ehost

True if the Ethernet destination address is ehost. ehost may be either a name from /etc/ethers or a number (see ethers(3) for a numeric format).

-ethersrc ehost

True if the Ethernet source address is ehost.

-etherhost ehost

True if either the Ethernet source or destination address is ehost.

-gatewayhost

True if the packet used host as a gateway; i.e., the Ethernet source or destination address was host but neither the IP source nor the IP destination was host. host must be a name and must be found in both /etc/hosts and /etc/ethers. An equivalent expression is -etherhost ehost -andnot host host

which can be used with either names or numbers for host.

-dstnet net

True if the IP destination address of the packet has a network number of net. net may be either a name from /etc/networks or a network number (see networks(5) for details).

-srcnet net

True if the IP source address of the packet has a network number of net.

-netnet

True if either the IP source or destination address of the packet has a network number of net.

-dstport port

True if the packet is IP/TCP or IP/UDP and has a destination port value of port. The port can be a number or name from services(5) (see tcp(4) and udp(4/)). If a name is used, both the port number and protocol are checked. If a number or ambiguous name is used, only the port number is checked; e.g., “-dstport 513” will print both TCP/login traffic and UDP/who traffic, and “-dstport domain” will print both TCP/domain and UDP/domain traffic.

-srcport port

True if the packet has a source port value of port.

-portport

True if either the source or destination port of the packet is port.

Any of the above port expressions can be prepended with the keywords -tcp or -udp, as in:

     Cm tcp src port Ar port

which matches only TCP packets whose source port is port.

-lesslength

True if the packet has a length less than or equal to length. This is equivalent to:

     Cm len <= Ar length

-greaterlength

True if the packet has a length greater than or equal to length. This is equivalent to:

     Cm len >= Ar length

-ipproto proto

True if the packet is an IP packet (see ip(4)) of protocol type proto. proto can be a number or name from protocols(5), such as -icmp, -udp, or -tcp. These identifiers are also keywords and must be escaped using a backslash character (‘\e’).

-etherbroadcast

True if the packet is an Ethernet broadcast packet. The -ether keyword is optional.

-ipbroadcast

True if the packet is an IP broadcast packet. It checks for both the all-zeroes and all-ones broadcast conventions and looks up the local subnet mask.

-ethermulticast

True if the packet is an Ethernet multicast packet. The -ether keyword is optional. This is shorthand for “ -ether ”.

-ipmulticast

True if the packet is an IP multicast packet.

-etherproto proto

True if the packet is of ether type proto. proto can be a number or one of the names -ip, -ip6, -arp, -rarp, -atalk, -atalkarp, -decnet, -decdts, -decdns, -lanbridge, -lat, -mopdl, -moprc, -pup, -sca, -sprite, -stp, -vexp, -vprod, or -xns. These identifiers are also keywords and must be escaped using a backslash character (‘\e’). In the case of FDDI (e.g., “-fddiprotocol arp)”, the protocol identification comes from the 802.2 Logical Link Control (LLC) header, which is usually layered on top of the FDDI header. tcpdump assumes, when filtering on the protocol identifier, that all FDDI packets include an LLC header, and that the LLC header is in so-called SNAP format.

-decnetsrc host

True if the DECNET source address is host, which may be an address of the form “10.123”, or a DECNET host name. DECNET host name support is only available on systems that are configured to run DECNET.

-decnetdst host

True if the DECNET destination address is host.

-decnethost host

True if either the DECNET source or destination address is host.

-ifnameinterface

True if the packet was logged as coming from the specified interface (applies only to packets logged by pf(4/)).

-oninterface

Synonymous with the ifname modifier.

-rnrnum

True if the packet was logged as matching the specified PF rule number in the main ruleset (applies only to packets logged by pf(4/)).

-rulenumnum

Synonymous with the rnr modifier.

-reasoncode

True if the packet was logged with the specified PF reason code. The known codes are: match, bad-offset, fragment, bad-timestamp, short, normalize, and memory (applies only to packets logged by pf(4/)).

-rsetname

True if the packet was logged as matching the specified PF ruleset name of an anchored ruleset (applies only to packets logged by pf(4/)).

-rulesetname

Synonymous with the rset modifier.

-srnrnum

True if the packet was logged as matching the specified PF rule number of an anchored ruleset (applies only to packets logged by pf(4/)).

-subrulenumnum

Synonymous with the srnr modifier.

-actionact

True if PF took the specified action when the packet was logged. Valid actions are: pass, block, nat, rdr, binat and scrub (applies only to packets logged by pf(4/)).

-wlanaddr1 ehost

True if the first IEEE 802.11 address is ehost.

-wlanaddr2 ehost

True if the second IEEE 802.11 address is ehost.

-wlanaddr3 ehost

True if the third IEEE 802.11 address is ehost.

-wlanaddr4 ehost

True if the fourth IEEE 802.11 address is ehost. The fourth address field is only used for WDS (Wireless Distribution System) frames.

-wlanhost ehost

True if either the first, second, third, or fourth IEEE 802.11 address is ehost.

-typetype

True if the IEEE 802.11 frame type matches the specified type. Valid types are: data, mgt, ctl, or a numeric value.

-subtypesubtype

True if the IEEE 802.11 frame subtype matches the specified subtype. Valid subtypes are: assocreq, assocresp, reassocreq, reassocresp, probereq, proberesp, beacon, atim, disassoc, auth, deauth, data, or a numeric value.

-dirdir

True if the IEEE 802.11 frame direction matches the specified dir. Valid directions are: nods, tods, fromds, dstods, or a numeric value.

-atalk, -ip, -ip6, -arp, -decnet, -lat, -moprc, -mopdl, -rarp, -sca Abbreviations for: -etherproto p where p is one of the above protocols. tcpdump does not currently know how to parse -lat, -moprc, or -mopdl.

-ah, -esp, -icmp, -icmp6, -igmp, -igrp, -pim, -tcp, -udp Abbreviations for: -ipproto p where p is one of the above protocols.

exprrelop expr

True if the relation holds, where relop is one of ">", "<", ">=", "<=", "=", "!=", and expr is an arithmetic expression composed of integer constants (expressed in standard C syntax), the normal binary operators .Pf ( Ns Ql + , "-", "*", "/", "&", "|")), a length operator, and special packet data accessors. To access data inside the packet, use the following syntax: .Sm off proto[expr: size] .Sm on

proto is one of -ether, -fddi, -ip, -arp, -rarp, -tcp, -udp, or -icmp, and indicates the protocol layer for the index operation. The byte offset, relative to the indicated protocol layer, is given by expr. size is optional and indicates the number of bytes in the field of interest; it can be either one, two, or four, and defaults to one. The length operator, indicated by the keyword -len, gives the length of the packet.

For example, “-ether” catches all multicast traffic. The expression “-ip” catches all IP packets with options. The expression “-ip” catches only unfragmented datagrams and frag zero of fragmented datagrams. This check is implicitly applied to the -tcp and -udp index operations. For instance, “-tcp” always means the first byte of the TCP header, and never means the first byte of an intervening fragment.

EXAMPLES

# tcpdump 'tcp[13] & 3 != 0 and not src and dst net localnet'

# tcpdump 'ether[0] & 1 = 0 and ip[16] >= 224'

OUTPUT FORMAT

Link Level Headers

ARP/RARP Packets

arp who-has csam tell rtsg
arp reply csam is-at CSAM

arp who-has 128.3.254.6 tell 128.3.254.68
arp reply 128.3.254.6 is-at 02:07:01:00:01:c4

RTSG Broadcast 0806 64: arp who-has csam tell rtsg
CSAM RTSG 0806 64: arp reply csam is-at CSAM

TCP Packets