jimyang2008/tcpdump.md

Last active April 15, 2019 03:12

Star () You must be signed in to star a gist
Fork () You must be signed in to fork a gist

Learn more about clone URLs
Clone this repository at <script src="https://gist.github.com/jimyang2008/98ec9305546dade21fdd927204f4ab68.js"></script>
Save jimyang2008/98ec9305546dade21fdd927204f4ab68 to your computer and use it in GitHub Desktop.

Download ZIP

TCPDUMP reference

Raw

Overview

tcpdump

Is a packet content inspection tool
Does packet filtering by boolean expression

For expression syntax, refere to pcap-filter(7)

Syntax

Tool syntax

    tcpdump [<options>] <expression>
    <expression> := <primitive> [ {and|or|not} <primitive ] ...
    <primitive> := <qualifier> [qualifier ...] <id>

Common options
- -n : NO conversion of hostname
- -nn : NO conversion of protocol and port
- -t : NO timestamp
- -tt : timestamp in seconds
- -ttt : delta in micro-second between current and previous line
- -tttt : timestamp in hours,minutes,seconds,fraction of a second since mignight
- -ttttt : delta in micro-second between curent and first line

Syntax components

Primitive

Qualifier

type : host x |net #.#.# |port ##|portrange ##-## , host by default.
dir : src|dst|src or dst| src and dst|ra|ta|addr1~4, src or dst by default.
proto : ether|fddi|tr|wlan|ip|ip6|arp|rarp|decnet|tcp|udp

Examples

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment