User Tools

Site Tools




tcpdump uses packet filter syntax for filtering. For help see

man 7 pcap-filter

Port include

tcpdump -n -tttt -i rl0 dst port 221027

Host include

tcpdump -n -tttt -i rl0 host

SSH exclude

tcpdump -n -i rl0 'not port 22'

Dump full Packages for Wireshark

tcpdump -s 65535 -w /tmp/test.pcap

Filter IPv6 Network

tcpdump -n 'net 2001:470:26:6bd::/64 and port 443'

Show IPsec packets

tcpdump -i igb0 -n -p 'udp port 500 or udp port 4500 or ip proto 50'

Dump for Wireshark with rotation

tcpdump -i lo -G $((10*60)) -s 65535 -w /tmp/test.%Y-%m-%dT%H:%M.pcap -Z root
  • -i lo
    • Listen on loopback interface.
  • -G $((10*60))
    • Rotate logs every 10 minutes.
  • -s 65535
    • Capture full package.
  • -w /tmp/test.%Y-%m-%dT%H:%M.pcap
    • Save dump to file. Ex. test.2015-08-11T12:16.pcap
  • -Z root
    • Run as root user. I had some permission problems with the default user (tcpdump)
apps/tcpdump.txt · Last modified: 2023-09-09 15:13 by Manuel Frei