tcpdump parameters

tcpdump is a command-line packet capture tool. It lets users intercept and display TCP/IP and other packets sent or received over a network connection to the host. tcpdump runs on most Unix-like operating systems (Linux, BSD, etc.). On those systems tcpdump captures through libpcap, a capture library comparable to WinPcap on Windows.

Before learning tcpdump, it is best to have some understanding of basic networking.

The general form of the tcpdump command and its common parameters are as follows:

Example: tcpdump -i eth0 'port 1111' -X -c 3

-X tells tcpdump to display both the protocol header and the packet contents as they are (tcpdump prints them in hexadecimal and in ASCII), which makes it an invaluable tool for protocol analysis.


tcpdump is used from the command line; its command format is:

  tcpdump [-adeflnNOpqStvx] [-c number] [-F filename]
          [-i network interface] [-r filename] [-s snaplen]
          [-T type] [-w filename] [expression]

tcpdump options description

   -a    convert network addresses and broadcast addresses to names;

   -d    dump the compiled packet-matching code in a human-readable assembler-like format;

   -dd   dump the packet-matching code as a C program fragment;

   -ddd  dump the packet-matching code in decimal form;

   -e    print the link-layer header on each output line, including the source and destination MAC addresses and the network-layer protocol;

   -f    print "foreign" Internet addresses numerically rather than as names;

   -l    make standard output line-buffered;

   -n    do not convert addresses to names; each host in a monitored packet is displayed as an IP address rather than a domain name;

   -nn   as -n, and additionally display ports as port numbers rather than application (service) names;

   -t    do not print a timestamp on each output line;

   -v    slightly more verbose output, e.g. TTL and type-of-service information for IP packets;

   -vv   even more detailed packet information;

   -c    stop after receiving the specified number of packets;

   -F    read the filter expression from the specified file, ignoring any other expression;

   -i    specify the network interface to listen on;

   -p    do not put the network interface into promiscuous mode; cannot be used together with host or broadcast;

   -r    read packets from the specified file (such files are usually produced with the -w option);

   -w    write raw packets directly to the file instead of parsing and printing them;

   -s snaplen  snaplen is the number of bytes captured from each packet. 0 means the packet is not truncated and the complete packet is captured. By default tcpdump captures only part of each packet; the default is 68 bytes.

   -T    interpret the monitored packets directly as packets of the specified type; common types are rpc (remote procedure call) and snmp (simple network management protocol);

   -X    display both the protocol header and the packet contents as they are (tcpdump prints them in hexadecimal and in ASCII), which makes it an invaluable tool for protocol analysis.


1. Capture packets on the loopback interface: tcpdump -i lo

2. Prevent packet truncation: tcpdump -s0

3. Display hosts and ports as numbers: tcpdump -n
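As an added example (not part of the original page), the following Python script shows what the -nn and -X options described above produce and how to consume that text in a script: it parses the summary line of each packet (timestamp, numeric source and destination addresses and ports, TCP flags) and reassembles the -X hex dump into raw bytes, then extracts the TCP payload and checks whether the capture was cut short by the snaplen (the reason for -s0). The sample capture text is constructed for this example, the Packet class and helper names are my own, and the parser assumes the standard -X layout of a 39-character hex field (eight groups of four hex digits) followed by the ASCII column.

```python
"""Parse `tcpdump -nn -X` text output into structured packet records.

Added example; the sample capture text below was constructed for it and is
not output captured from any real host.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Summary line as printed with -nn: numeric hosts and ports, "host.port" form.
SUMMARY_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)
# Hex dump line as printed with -X: "\t0x0010:  <hex field>  <ascii column>".
HEX_RE = re.compile(r"^\s*0x[0-9a-fA-F]+:\s+(?P<body>.*)$")
HEX_FIELD_WIDTH = 39  # 8 groups of 4 hex digits separated by 7 spaces


@dataclass
class Packet:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: Optional[str]
    raw: bytes = b""  # bytes reassembled from the -X dump (IP header onward)

    @property
    def ip_total_length(self) -> int:
        """Total length declared in the IP header (bytes 2-3)."""
        return int.from_bytes(self.raw[2:4], "big") if len(self.raw) >= 4 else 0

    @property
    def truncated(self) -> bool:
        """True when fewer bytes were captured than the IP header declares (snaplen too small)."""
        return len(self.raw) < self.ip_total_length

    @property
    def payload(self) -> bytes:
        """Application data after the IP and TCP/UDP headers; empty if headers are incomplete."""
        if len(self.raw) < 20:
            return b""
        ihl = (self.raw[0] & 0x0F) * 4   # IP header length in bytes
        proto = self.raw[9]
        if proto == 6:                   # TCP: data offset is the high nibble of byte 12
            if len(self.raw) < ihl + 13:
                return b""
            doff = (self.raw[ihl + 12] >> 4) * 4
            return self.raw[ihl + doff:]
        if proto == 17:                  # UDP: fixed 8-byte header
            return self.raw[ihl + 8:]
        return self.raw[ihl:]


def _hex_bytes(body: str) -> bytes:
    """Take the fixed-width hex field of a -X line (ignoring the ASCII column) and decode it."""
    hexdigits = body[:HEX_FIELD_WIDTH].replace(" ", "")
    if not re.fullmatch(r"[0-9a-fA-F]*", hexdigits) or len(hexdigits) % 2:
        raise ValueError(f"malformed hex dump line: {body!r}")
    return bytes.fromhex(hexdigits)


def parse_tcpdump(text: str) -> List[Packet]:
    """Turn `tcpdump -nn -X` output into Packet records, one per summary line."""
    packets: List[Packet] = []
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            flags_m = re.search(r"Flags \[([^\]]*)\]", m["rest"])
            packets.append(Packet(ts=m["ts"], src=m["src"], sport=int(m["sport"]),
                                  dst=m["dst"], dport=int(m["dport"]),
                                  flags=flags_m.group(1) if flags_m else None))
            continue
        h = HEX_RE.match(line)
        if h and packets:
            packets[-1].raw += _hex_bytes(h["body"])  # hex lines belong to the last summary
    return packets


# Constructed sample of `tcpdump -nn -X 'port 1111'` output: one 13-byte data
# segment and the pure ACK answering it (checksums left as 0000).
SAMPLE = "\n".join([
    "12:34:56.789012 IP 192.0.2.10.51234 > 198.51.100.5.1111: Flags [P.], seq 1:14, ack 1, win 502, length 13",
    "\t0x0000:  4500 0035 1c46 4000 4006 0000 c000 020a  E..5.F@.@.......",
    "\t0x0010:  c633 6405 c822 0457 0000 0001 0000 0001  .3d..\".W........",
    "\t0x0020:  5018 01f6 0000 0000 4845 4c4f 2074 6370  P.......HELO.tcp",
    "\t0x0030:  6475 6d70 0a" + " " * 29 + "dump.",
    "12:34:56.790000 IP 198.51.100.5.1111 > 192.0.2.10.51234: Flags [.], ack 14, win 501, length 0",
    "\t0x0000:  4500 0028 0000 4000 4006 0000 c633 6405  E..(..@.@....3d.",
    "\t0x0010:  c000 020a 0457 c822 0000 0001 0000 000e  .....W.\"........",
    "\t0x0020:  5010 01f5 0000 0000" + " " * 22 + "P.......",
])

# The same first packet as it would look with a snaplen of 32 bytes: the IP
# header still declares 53 bytes, so the record is flagged as truncated.
TRUNCATED_SAMPLE = "\n".join(SAMPLE.splitlines()[:3])

if __name__ == "__main__":
    for p in parse_tcpdump(SAMPLE):
        print(f"{p.ts} {p.src}:{p.sport} -> {p.dst}:{p.dport} flags={p.flags} "
              f"captured={len(p.raw)} declared={p.ip_total_length} payload={p.payload!r}")
    t = parse_tcpdump(TRUNCATED_SAMPLE)[0]
    print("truncated:", t.truncated, "payload:", t.payload)
```

The fixed-width slice is what makes the parser safe against the ASCII column: tcpdump pads the hex field even on the last, shorter line, so the ASCII text (which can itself look like hex digits) never enters the decoded bytes. The `truncated` property is the practical check behind the page's advice to capture with -s0: with the default snaplen the IP header's declared length exceeds the bytes actually captured and the payload cannot be recovered.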


Origin http://43.154.161.224:23101/article/api/json?id=326036652&siteId=291194637