tcpdump

Network sniffing tool.

Syntax Examples

Capture packets to and from an IP address

Captures all data that includes 1.2.3.4 as the source or destination address, but no other traffic.

tcpdump host 1.2.3.4

Capture traffic that contains a given MAC address

Writes capfile.cap containing all traffic to or from the specified MAC address on the network attached to eth1.

tcpdump -w capfile.cap -i eth1 ether host 00:03:fa:46:2c:08

Filter packets from an existing capture

Filters the port 53 packets out of the old capture file into the new one.

tcpdump -r oldcapfile.cap -w newcapfile.cap port 53

Capture all POP3 traffic and all traffic from a particular host

Captures all POP3 traffic and all traffic to or from the specified host on the first interface (en0) of a Mac OS X computer.

tcpdump -w foo.cap -i en0 ether host 00:03:9a:28:44:01 or port 110

Capture all traffic not from a MAC address

Captures all traffic not sent from the host 00:1b:63:ce:83:2e, useful for filtering out your own traffic.

tcpdump -i en1 not ether src 00:1b:63:ce:83:2e

Capture LLDP traffic

This matches the 2 bytes at offset 12 of the Ethernet frame (the EtherType field, right after the two 6-byte MAC addresses) against 0x88cc, the LLDP EtherType.

tcpdump -v -s 1500 -c 1  '(ether[12:2]=0x88cc)'

Capture SYN packets

Matches any packet with the SYN bit (0x02) set in the TCP flags byte (tcp[13]), so SYN/ACK packets are included.

tcpdump -n 'tcp[13] & 2!=0'

Capture SYN/ACK packets

tcpdump -n 'tcp[13]=18'

Or another way to match the SYN flag, using the symbolic names for the flags byte and the SYN bit (a single `&` is the bitwise and; `&&` would be a logical and and does not do what is intended here):

tcpdump 'tcp[tcpflags] & tcp-syn != 0'

Or capture all SYN packets going only to two ethernet destinations:

tcpdump 'tcp[13] & 2!=0 && (ether dst 00:22:64:f4:d0:70 or ether dst 00:22:64:f4:d0:6e)'

Write capture to file and replay it at the same time

sudo tcpdump -n 'host 216.200.102.84' -s 1500 -l -w - | tee logcopy.pcap | tcpdump -r -

Write a circular buffer of traffic

This will write 5 files of 1 MB each and loop through them as the destination for writing traffic. That is, the filenames do not indicate chronology. The files will be named foo.cap[0-4].

sudo tcpdump -C 1 -W 5 -w foo.cap

Show how many bytes were captured in a cap file

This prints out some stats about the captured packets, then adds up all the bytes by summing the last field of every line. The size is from layer 3 up, so it excludes Ethernet frame data.

tcpdump -q -n -r hillary-clintons-email.cap | awk '{sum+=$NF} END {print sum}'

Count source addresses seen in repeated short captures

Runs tcpdump for 5 seconds at a time, extracts the source address of each packet (field 3, with the port suffix stripped) and prints how often each one appeared. This is limited to 192.168.1 matches. gensub requires gawk.

while true ; do
  date '+%F %T%z'
  # -l line-buffers the output so nothing is lost when timeout stops tcpdump
  sudo timeout 5 tcpdump -n -l 2>/dev/null |
  # field 3 is "src.addr.port"; keep only 192.168.1.x sources and drop the port
  awk '$3 ~ /^192\.168\.1\./ {
    print gensub(/([0-9]*\.[0-9]*\.[0-9]*\.[0-9]*)(\.[0-9]*)?/, "ip address: \\1", "g", $3) ;
  }' |
  sort -t. -k4n |
  uniq -c
done

The foo.cap[0-4] files written by the circular buffer above can be reassembled chronologically with mergecap -w merged.cap foo.cap*

Show WPA 4-way handshakes

Matches EAPOL frames (EtherType 0x888e), which carry the WPA 4-way handshake.

tcpdump -n -i en0 "ether proto 0x888e"
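The byte-offset filters on this page (ether[12:2] for LLDP, tcp[13] for SYN and SYN/ACK, ether proto 0x888e for EAPOL) re-implemented over raw frames in Python, as an added example that is not part of the original page or of tcpdump: it shows what those offsets index into, and why tcp[13] has to be located through the IPv4 header length (IHL), which tcpdump does for you. The sample frames are constructed in the code with zeroed MAC and IP addresses.

```python
import struct

LLDP, EAPOL, IPV4 = 0x88CC, 0x888E, 0x0800
TCP_SYN, TCP_ACK = 0x02, 0x10


def ethertype(frame: bytes) -> int:
    """ether[12:2]: the two EtherType bytes after the 6-byte dst and src MACs."""
    return struct.unpack_from("!H", frame, 12)[0] if len(frame) >= 14 else -1


def tcp_flags(frame: bytes):
    """tcp[13]: the flags byte, 13 bytes into the TCP header.

    tcpdump's tcp[...] offsets are relative to the start of the TCP header, so
    the IPv4 header length (IHL, in 32-bit words) decides where that is; IP
    options shift it. Returns None for non-IPv4/TCP frames, as 'tcp' would.
    """
    if len(frame) < 34 or ethertype(frame) != IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 6:  # IPv4 protocol field; 6 = TCP
        return None
    tcp = 14 + ihl
    return frame[tcp + 13] if len(frame) >= tcp + 14 else None


def is_syn(frame: bytes) -> bool:      # tcp[13] & 2 != 0 (SYN set; SYN/ACK included)
    f = tcp_flags(frame)
    return f is not None and (f & TCP_SYN) != 0

def is_syn_ack(frame: bytes) -> bool:  # tcp[13] = 18, i.e. exactly SYN|ACK
    return tcp_flags(frame) == TCP_SYN | TCP_ACK

def is_lldp(frame: bytes) -> bool:     # ether[12:2] = 0x88cc
    return ethertype(frame) == LLDP

def is_eapol(frame: bytes) -> bool:    # ether proto 0x888e (WPA 4-way handshake)
    return ethertype(frame) == EAPOL


def build_tcp_frame(flags: int, ip_options: bytes = b"") -> bytes:
    """Constructed sample: Ethernet + IPv4 (optionally with options) + 20-byte TCP."""
    eth = bytes(12) + struct.pack("!H", IPV4)
    ihl = 5 + len(ip_options) // 4          # header length in 32-bit words
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 40 + len(ip_options), 0, 0,
                     64, 6, 0, bytes(4), bytes(4)) + ip_options
    tcp = struct.pack("!HHIIBBHHH", 1234, 80, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp
```

Note that is_syn_ack uses equality, so a SYN/ACK that also carries ECE or CWR would not match 18, exactly as with tcpdump's 'tcp[13]=18'.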