tcpdump

IO

List interfaces.

-D

Capture.

  
-i interface
-i interface -w outfile

Read from file.

  
-r infile

# read only N packets
-r infile -c N

Output Format

Hex and ascii.

  
# hex only
-xx

# hex and ascii
-XX

Frame number.

  
--number
-#

Link-level header.

-e

Time.

  
-ttt    # delta between frames
-tttt   # date
-ttttt  # delta since frame 1

Redirect Output

Redirect to stdout.

  
# flush on end of line  
-l

# flush on end of packet
- U

grep & awk.

  
tcpdump -i interface -l | grep --line-buffered expr
tcpdump -i interface -l | grep --line-buffered expr | awk '{print $3}'
tcpdump -i interface -l | grep --line-buffered expr | awk '{print $3; fflush()}' | python3 decode.py

Filter Expression

Expression syntax.

  
man pcap-filter

Use expression.

  
tcpdump -r infile 'expr_string'
tcpdump -r infile -F expr_file

Offset.

  
'ether[0x30] == 0x63'
'ether[0x30:2] == 0x6368'

Length.

  
'len == 58'
'len != 58'

Hex Format

  
         0    2    4    6    8    A    C    E    
0x0000:  0001 0203 0405 0607 0809 0a0b 0c0d 0e0f
0x0010:  1011 1213 1415 1617 1819 1a1b 1c1d 1e1f
0x0020:  2021 2223 2425 2627 2829 2a2b 2c2d 2e2f
0x0030:  3031 3233 3435 3637 3839 3a3b 3c3d 3e3f