@jimyang2008
Last active April 15, 2019 03:12
TCPDUMP reference

Overview

tcpdump

  • Is a packet content inspection tool
  • Does packet filtering by boolean expression

For the expression syntax, refer to pcap-filter(7).

Syntax

  • Tool syntax
    tcpdump [<options>] <expression>
    <expression> := <primitive> [ {and|or|not} <primitive> ] ...
    <primitive> := <qualifier> [<qualifier> ...] <id>
  • Common options
    • -n : do not convert addresses to host names
    • -nn : do not convert protocol and port numbers to names either
    • -t : no timestamp
    • -tt : timestamp in seconds
    • -ttt : delta in microseconds between the current and the previous line
    • -tttt : timestamp in hours, minutes, seconds and fractions of a second since midnight
    • -ttttt : delta in microseconds between the current and the first line

Syntax components

Primitive

Qualifier

  • type : host x | net #.#.# | port ## | portrange ##-## ; host by default.
  • dir : src | dst | src or dst | src and dst | ra | ta | addr1..addr4 ; src or dst by default.
  • proto : ether | fddi | tr | wlan | ip | ip6 | arp | rarp | decnet | tcp | udp ; any protocol by default.

Examples
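As an added example (not part of the gist), a small Python parser that applies the primitive grammar and qualifier defaults above: it splits an expression into primitives and boolean operators and fills in `host` and `src or dst` where they were omitted. It also accepts a bare protocol such as `tcp` as a primitive without an `<id>`, which pcap-filter(7) allows; the word lists are the ones from the tables above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# Qualifier vocabularies as listed in the reference above.
TYPES = {"host", "net", "port", "portrange"}
DIRS = {"src", "dst", "src or dst", "src and dst", "ra", "ta",
        "addr1", "addr2", "addr3", "addr4"}
PROTOS = {"ether", "fddi", "tr", "wlan", "ip", "ip6", "arp", "rarp",
          "decnet", "tcp", "udp"}
OPERATORS = {"and", "or", "not"}
KINDS = [("type", TYPES), ("dir", DIRS), ("proto", PROTOS)]
# Two-word directions stay one token so their "and"/"or" is not an operator.
TOKEN = re.compile(r"src (?:or|and) dst|\S+")

@dataclass
class Primitive:
    id: Optional[str]            # None for a bare protocol such as "tcp"
    type: str = "host"           # default type qualifier
    dir: str = "src or dst"      # default direction qualifier
    proto: Optional[str] = None  # None means "any protocol"

def parse_filter(expression: str) -> List[Union[Primitive, str]]:
    """Split an expression into Primitives and operators, applying defaults."""
    out: List[Union[Primitive, str]] = []
    quals: List[tuple] = []

    def flush(ident: Optional[str]) -> None:
        # Close the pending primitive; only a protocol may stand without <id>.
        if ident is None and any(kind != "proto" for kind, _ in quals):
            raise ValueError(f"qualifier(s) without an <id>: {quals}")
        prim = Primitive(id=ident)
        for kind, value in quals:
            setattr(prim, kind, value)
        out.append(prim)
        quals.clear()

    for tok in TOKEN.findall(expression):
        kind = next((k for k, words in KINDS if tok in words), None)
        if kind:                                 # a qualifier: buffer it
            quals.append((kind, tok))
        elif tok in OPERATORS:                   # "tcp and ..." closes "tcp"
            if quals:
                flush(None)
            out.append(tok)
        else:                                    # anything else is the <id>
            flush(tok)
    if quals:
        flush(None)
    return out
```

For instance, `parse_filter("src host 10.0.0.1 and tcp port 443")` yields a `host` primitive with `dir=src`, the operator `and`, and a `port` primitive with `proto=tcp` and the default `dir=src or dst`.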
