tcpdump is one of the early diagnostic tools for TCP/IP; it was written by Van Jacobson, Craig Leres, and Steven McCanne. Tcpdump can be used to capture and decode packets in real time, or to capture packets to files (in "libpcap" format, see below) and analyze (decode) them later.
There are now more elaborate and, in some ways, more user-friendly packet capturing programs, such as Wireshark (formerly called Ethereal), but tcpdump is so widely available and widely used that it is very useful to know how to use it.
Tcpdump/libpcap is still actively maintained, although no longer by its original authors.
Libpcap is a library that is used by tcpdump, and also names a file format for packet traces. This file format - usually used in files with the extension .pcap - is widely supported by packet capture and analysis tools.
Some useful options to tcpdump:
- -s snaplen: capture snaplen bytes of each frame. By default, tcpdump captures only the first 68 bytes, which is sufficient to capture IP/UDP/TCP/ICMP headers, but usually not payload or higher-level protocols. If you are interested in more than just headers, use -s 0 to capture packets without truncation.
- -r filename: read from a previously created capture file (see -w)
- -w filename: dump to a file instead of analyzing on the fly
- -i interface: capture on an interface other than the default (the first "up" non-loopback interface). Under Linux, -i any can be used to capture on all interfaces, albeit with some restrictions.
- -c count: stop the capture after count packets
- -n: don't resolve addresses, port numbers, etc. to symbolic names - this avoids additional DNS traffic when analyzing a live capture.
- -vv: more verbose output
- -vvv: even more verbose output
Also, a pcap filter expression can be appended to the command so as to filter the captured packets. An expression is made up of qualifiers of one or more of three kinds: "type", "dir" (direction) and "proto" (protocol).
- type: host is presumed unless otherwise specified.
- dir: src, dst, src or dst, or src and dst.
- proto (for protocol): common types are arp, ... If none is specified then all protocols for which the value is valid are considered.
Some example expressions:
- dst host <address>
- src host <address>
- udp dst port <number>
- host <host> and not port ftp and not port ftp-data
Capture a single (-c 1) udp packet to a file:
This produces a binary file containing the captured packet as well as a small file header and a timestamp:
Analyze the contents of the previously created capture file:
Display the same capture file in verbose mode:
More examples with some advanced tcpdump use cases.
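As an added example (not code from the original page or from the tcpdump project), the following Python reads the libpcap file format that -w produces (global header, then one record header with timestamp and lengths per packet) and decodes Ethernet/IPv4/UDP headers tcpdump-style. The pcap bytes and the UDP frame are constructed inline: the frame is 100 bytes on the wire but only 68 bytes were kept, mirroring the default snaplen, so the headers decode while the payload is cut off.

```python
import struct

# libpcap file magic; its byte order reveals the writer's endianness (tcpdump writes host order).
MAGICS = {0xA1B2C3D4: 1e6, 0xA1B23C4D: 1e9}  # magic -> divisor for the fractional timestamp
GLOBAL_HDR = "IHHiIII"  # magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = "IIII"     # ts_sec, ts_frac, incl_len (bytes captured), orig_len (bytes on the wire)

def parse_pcap(data):
    """Return (global header dict, list of packet records) for a .pcap byte string."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    end = "<" if struct.unpack("<I", data[:4])[0] in MAGICS else ">"
    magic, vmaj, vmin, _tz, _sig, snaplen, linktype = struct.unpack(end + GLOBAL_HDR, data[:24])
    if magic not in MAGICS:
        raise ValueError("not a libpcap file (bad magic %#x)" % magic)
    header = {"version": (vmaj, vmin), "snaplen": snaplen, "linktype": linktype}
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(end + RECORD_HDR, data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated packet record at offset %d" % off)
        off += 16 + incl_len
        records.append({"ts": ts_sec + ts_frac / MAGICS[magic], "caplen": incl_len,
                        "len": orig_len, "truncated": incl_len < orig_len, "frame": frame})
    return header, records

def describe_udp(frame):
    """Decode Ethernet/IPv4/UDP headers (42 bytes, inside the default snaplen of 68) tcpdump-style."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
        return None  # not IPv4 over Ethernet, or not UDP
    ihl = 14 + (frame[14] & 0x0F) * 4  # offset of the UDP header
    if len(frame) < ihl + 8:
        return None
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    sport, dport = struct.unpack("!HH", frame[ihl:ihl + 4])
    return "%s.%d > %s.%d" % (src, sport, dst, dport)

# Constructed sample (not a real capture): little-endian pcap, snaplen 68, one 100-byte UDP frame
# that the default snaplen cut to 68 bytes, so the headers decode but the payload is truncated.
_eth = bytes.fromhex("001122334455" "66778899aabb" "0800")
_ip = bytes.fromhex("45000056" "00010000" "40110000" "c0000201" "c0000235")
_udp = struct.pack("!HHHH", 40000, 53, 66, 0)  # src port, dst port, length, checksum
_frame = (_eth + _ip + _udp + b"\x00" * 58)[:68]  # 42 header bytes + zeroed payload, truncated to 68
SAMPLE_PCAP = (struct.pack("<" + GLOBAL_HDR, 0xA1B2C3D4, 2, 4, 0, 0, 68, 1)
               + struct.pack("<" + RECORD_HDR, 1457998200, 123456, 68, 100) + _frame)
```

Running parse_pcap on a real -w output works the same way; the "truncated" flag shows which records the snaplen cut short.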
- tcpdump/libpcap Web site - http://www.tcpdump.org/
- 25 Years of Packet Tracing (video), V. Jacobson, Keynote to June 2010 Sharkfest. Van explains why he started developing packet tracing software in 1985.
- tcpdump is amazing, Julia Evans, blog post, March 2016. Nice introduction to the practical use of tcpdump and Wireshark.
-- Main.SimonLeinen - 2006-03-04 - 2016-03-17