paulgorman.org/technical

tcpdump

See tcpdump(8).

The ‘-n’ flag skips name lookups of IP addresses.

Inspect all traffic from an interface:

# tcpdump -vv -i eth0

Capture only n packets:

# tcpdump -vv -c 10 -i eth0

Show interfaces available for capture (note lo):

# tcpdump -D

Save to a .pcap file:

# tcpdump -w 001.eth0.pcap -i eth0

Read a .pcap file:

# tcpdump -vvv -r 001.eth0.pcap

Wireshark can also read .pcap files.

Capture only tcp (or arp or icmp or udp):

# tcpdump -i eth0 tcp

Capture a particular port:

# tcpdump -i eth0 port 80

We can also invert the match to capture everything except port 80 (the same as 'not port 80'):

# tcpdump -i eth0 'port !80'

A range of ports:

# tcpdump -vvn -i eth0 portrange 10000-20000

From a particular address:

# tcpdump -i eth0 src 10.0.0.11

To a particular address:

# tcpdump -i eth0 dst 10.0.0.100

From 10.0.0.10 or 10.0.0.223 to DNS (port 53), keeping only output lines that mention 127.0.0.1 (-l line-buffers the output so grep sees each line as it is printed):

# tcpdump -lvv -i eth0 '(host 10.0.0.10 or host 10.0.0.223) and (port 53)' | grep '127.0.0.1'

Don’t capture particular ports:

# tcpdump -lnvv -i em2 'host 10.0.0.63 and (not port 80 and not port 443)'

Capture to files, with each file of a limited duration:

# tcpdump -n -G 3600 -i eth0 -w 'foo_%Y-%m-%d_%H:%M:%S.pcap'

Read a previously captured .pcap file (-XX adds a hex and ASCII dump of each packet including its link-level header; -A prints each packet as ASCII):

% /usr/sbin/tcpdump -vvvr foo.pcap | less
% /usr/sbin/tcpdump -vvvXXAr foo.pcap | less

Look for ICMPv6 echo replies (type 129; echo requests are type 128). ip6[40] is the first byte after the fixed 40-byte IPv6 header, so it is the ICMPv6 type only when the packet carries no extension headers:

% tcpdump -lnvv -i em1 "ip6[40]=129"
% tcpdump -lnvv -i em0 "ip6[40]=129 or ip6[40]=128"
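
The offset filter above works because the fixed IPv6 header is exactly 40 bytes; with an extension header in between, ip6[40] is the extension header's next-header byte instead. This added Python example (not from the page) builds two constructed ICMPv6 echo reply packets, one plain and one behind a Hop-by-Hop Options header, and compares what the ip6[40] filter sees against a walk of the extension-header chain. The function names and the link-local addresses are the example's own.

```python
import struct

ICMPV6 = 58                       # IPv6 next-header value for ICMPv6
ECHO_REQUEST, ECHO_REPLY = 128, 129
# Extension headers with the generic layout: next header, then length in
# 8-octet units not counting the first 8 bytes.
GENERIC_EXT = {0: "hop-by-hop", 43: "routing", 60: "destination options"}
FRAGMENT = 44                     # fragment header is always 8 bytes

def ipv6(payload: bytes, next_header: int) -> bytes:
    """Constructed minimal IPv6 header (version 6, zero traffic class and flow label)."""
    src = bytes.fromhex("fe80" + "00" * 13 + "01")   # constructed link-local addresses
    dst = bytes.fromhex("fe80" + "00" * 13 + "02")
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + src + dst + payload

def icmpv6_echo(kind: int) -> bytes:
    """ICMPv6 echo header: type, code, checksum (left zero, not validated here), id, sequence."""
    return struct.pack("!BBHHH", kind, 0, 0, 0x1234, 1)

def hop_by_hop(next_header: int) -> bytes:
    """An 8-byte Hop-by-Hop Options header (ext len 0) holding one PadN option."""
    return struct.pack("!BB", next_header, 0) + bytes([1, 4, 0, 0, 0, 0])

def bpf_ip6_40(pkt: bytes) -> int:
    """What the page's filter 'ip6[40]' compares: the byte right after the fixed header."""
    return pkt[40]

def icmpv6_type(pkt: bytes):
    """Follow the next-header chain past extension headers; None if not ICMPv6."""
    nh, off = pkt[6], 40
    while off + 2 <= len(pkt):
        if nh == ICMPV6:
            return pkt[off]
        if nh in GENERIC_EXT:
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
        elif nh == FRAGMENT:
            nh, off = pkt[off], off + 8
        else:
            return None
    return None

# Constructed packets: plain echo reply, echo reply behind a Hop-by-Hop header, and a UDP packet.
PLAIN_REPLY = ipv6(icmpv6_echo(ECHO_REPLY), ICMPV6)
EXT_REPLY = ipv6(hop_by_hop(ICMPV6) + icmpv6_echo(ECHO_REPLY), 0)
UDP_PKT = ipv6(b"\x00" * 8, 17)

if __name__ == "__main__":
    for name, pkt in [("plain", PLAIN_REPLY), ("hop-by-hop", EXT_REPLY), ("udp", UDP_PKT)]:
        print(f"{name:11} ip6[40]={bpf_ip6_40(pkt):3}  real ICMPv6 type={icmpv6_type(pkt)}")
```

For the plain packet both views agree on 129; for the packet with the Hop-by-Hop header ip6[40] reads 58 (the extension header's next-header field) and the filter "ip6[40]=129" misses the reply. Keep that in mind when a byte-offset filter is used to confirm that a host is, or is not, answering pings.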

By default, tcpdump captures only a limited number of bytes (the snapshot length, or snaplen) from each packet. The -s flag lets us specify the number of bytes.

View blocked packets from a pf log:

# tcpdump -env '(host 10.0.2.12) and action block' -r /var/log/pflog

Sample output:

--- falstaff 11:40AM ~ %  sudo tcpdump -i br0 -vv port domain --direction=in
tcpdump: listening on br0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:41:27.035874 IP (tos 0x40, ttl 56, id 0, offset 0, flags [DF], proto UDP (17), length 93)
    cdns01.comcast.net.domain > 10.0.0.76.36412: [udp sum ok] 65467 q: A? clyde.devilghost.com. 1/0/1 clyde.devilghost.com. A 107.191.51.254 ar: . OPT UDPsize=512 (65)
11:41:27.037153 IP (tos 0x0, ttl 128, id 5166, offset 0, flags [DF], proto UDP (17), length 150)
    wolf.example.com.domain > 10.0.0.76.48943: [udp sum ok] 10357 NXDomain* q: PTR? 76.0.0.10.in-addr.arpa. 0/1/0 ns: 0.0.10.in-addr.arpa. SOA wolf.example.com. admin.example.com. 6089 900 600 86400 3600 (122)
11:41:27.067084 IP (tos 0x0, ttl 128, id 5168, offset 0, flags [DF], proto UDP (17), length 102)
    wolf.example.com.domain > 10.0.0.76.51561: [udp sum ok] 30157 q: PTR? 75.75.75.75.in-addr.arpa. 1/0/0 75.75.75.75.in-addr.arpa. PTR cdns01.comcast.net. (74)
11:41:27.067863 IP (tos 0x0, ttl 128, id 5169, offset 0, flags [DF], proto UDP (17), length 102)
    wolf.example.com.domain > 10.0.0.76.58609: [udp sum ok] 42272* q: PTR? 2.0.0.10.in-addr.arpa. 1/0/0 2.0.0.10.in-addr.arpa. PTR wolf.example.com. (74)
11:41:32.259912 IP (tos 0x20, ttl 46, id 2551, offset 0, flags [none], proto UDP (17), length 93)
    google-public-dns-a.google.com.domain > 10.0.0.76.36508: [udp sum ok] 7345 q: A? clyde.devilghost.com. 1/0/1 clyde.devilghost.com. A 107.191.51.254 ar: . OPT UDPsize=512 (65)
11:41:32.260710 IP (tos 0x0, ttl 128, id 5528, offset 0, flags [DF], proto UDP (17), length 110)
    wolf.example.com.domain > 10.0.0.76.56131: [udp sum ok] 46898 q: PTR? 8.8.8.8.in-addr.arpa. 1/0/0 8.8.8.8.in-addr.arpa. PTR google-public-dns-a.google.com. (82)
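
Piping tcpdump into grep, as in the port 53 example earlier on the page, matches any line containing the string. This added Python example (not from the page) parses the two-line -vv DNS records shown above into fields (server, client, query, answers, NXDomain flag) and then asks the same question on parsed answer data: which names resolved to 127.0.0.1. The sample input is the page's own output plus one constructed final record whose A answer is 127.0.0.1; the field names and function names are the example's own.

```python
import re
from typing import Dict, List, Tuple

# The page's six records plus one constructed record (the last) answering 127.0.0.1.
SAMPLE = """\
tcpdump: listening on br0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:41:27.035874 IP (tos 0x40, ttl 56, id 0, offset 0, flags [DF], proto UDP (17), length 93)
    cdns01.comcast.net.domain > 10.0.0.76.36412: [udp sum ok] 65467 q: A? clyde.devilghost.com. 1/0/1 clyde.devilghost.com. A 107.191.51.254 ar: . OPT UDPsize=512 (65)
11:41:27.037153 IP (tos 0x0, ttl 128, id 5166, offset 0, flags [DF], proto UDP (17), length 150)
    wolf.example.com.domain > 10.0.0.76.48943: [udp sum ok] 10357 NXDomain* q: PTR? 76.0.0.10.in-addr.arpa. 0/1/0 ns: 0.0.10.in-addr.arpa. SOA wolf.example.com. admin.example.com. 6089 900 600 86400 3600 (122)
11:41:27.067084 IP (tos 0x0, ttl 128, id 5168, offset 0, flags [DF], proto UDP (17), length 102)
    wolf.example.com.domain > 10.0.0.76.51561: [udp sum ok] 30157 q: PTR? 75.75.75.75.in-addr.arpa. 1/0/0 75.75.75.75.in-addr.arpa. PTR cdns01.comcast.net. (74)
11:41:27.067863 IP (tos 0x0, ttl 128, id 5169, offset 0, flags [DF], proto UDP (17), length 102)
    wolf.example.com.domain > 10.0.0.76.58609: [udp sum ok] 42272* q: PTR? 2.0.0.10.in-addr.arpa. 1/0/0 2.0.0.10.in-addr.arpa. PTR wolf.example.com. (74)
11:41:32.259912 IP (tos 0x20, ttl 46, id 2551, offset 0, flags [none], proto UDP (17), length 93)
    google-public-dns-a.google.com.domain > 10.0.0.76.36508: [udp sum ok] 7345 q: A? clyde.devilghost.com. 1/0/1 clyde.devilghost.com. A 107.191.51.254 ar: . OPT UDPsize=512 (65)
11:41:32.260710 IP (tos 0x0, ttl 128, id 5528, offset 0, flags [DF], proto UDP (17), length 110)
    wolf.example.com.domain > 10.0.0.76.56131: [udp sum ok] 46898 q: PTR? 8.8.8.8.in-addr.arpa. 1/0/0 8.8.8.8.in-addr.arpa. PTR google-public-dns-a.google.com. (82)
11:41:40.000000 IP (tos 0x0, ttl 128, id 5600, offset 0, flags [DF], proto UDP (17), length 80)
    wolf.example.com.domain > 10.0.0.76.40001: [udp sum ok] 51234 q: A? blocked.example.net. 1/0/0 blocked.example.net. A 127.0.0.1 (52)
"""

HEADER_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP \(.*length (?P<len>\d+)\)$")
DETAIL_RE = re.compile(
    r"^\s*(?P<src>\S+) > (?P<dst>\S+): \[udp sum ok\] (?P<txid>\d+)"
    r"(?P<rcode> NXDomain)?(?P<aa>\*)? q: (?P<qtype>[A-Z]+)\? (?P<qname>\S+) "
    r"(?P<an>\d+)/(?P<ns>\d+)/(?P<ar>\d+) ?(?P<rest>.*)$"
)
RR_RE = re.compile(r"(\S+\.) (A|AAAA|PTR|CNAME) (\S+)")   # name, type, data

def _host_port(endpoint: str) -> Tuple[str, str]:
    """Split tcpdump's 'host.port' endpoint on its last dot."""
    host, _, port = endpoint.rpartition(".")
    return host, port

def parse_dns_records(text: str) -> List[Dict]:
    """Pair each timestamp line with its indented DNS line and pull out the fields."""
    records: List[Dict] = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        head = HEADER_RE.match(lines[i])
        detail = DETAIL_RE.match(lines[i + 1]) if head and i + 1 < len(lines) else None
        if not detail:
            i += 1                      # banner, prompt, or a record we do not parse
            continue
        # Keep only the answer section: cut the authority ("ns:") and additional ("ar:") parts.
        answer_text = re.split(r"(?:^|\s)(?:ns|ar): ", detail.group("rest"))[0]
        answers = RR_RE.findall(answer_text) if int(detail.group("an")) > 0 else []
        server, _ = _host_port(detail.group("src"))
        client, client_port = _host_port(detail.group("dst"))
        records.append({
            "time": head.group("ts"),
            "server": server,
            "client": client,
            "client_port": client_port,
            "txid": int(detail.group("txid")),
            "rcode": (detail.group("rcode") or "NOERROR").strip(),
            "authoritative": detail.group("aa") is not None,
            "qtype": detail.group("qtype"),
            "qname": detail.group("qname"),
            "answers": answers,         # list of (name, type, data) tuples
        })
        i += 2
    return records

def answers_pointing_to(records: List[Dict], ip: str) -> List[str]:
    """Query names whose answer section holds an A record for ip (the grep '127.0.0.1'
    check from earlier on the page, applied to parsed answers instead of whole lines)."""
    return [r["qname"] for r in records
            if any(rtype == "A" and data == ip for _, rtype, data in r["answers"])]

if __name__ == "__main__":
    recs = parse_dns_records(SAMPLE)
    for r in recs:
        print(r["time"], r["server"], "->", r["client"], r["qtype"], r["qname"], r["rcode"], r["answers"])
    print("answers of 127.0.0.1:", answers_pointing_to(recs, "127.0.0.1"))
```

Parsing the answer section separately from the authority and additional sections matters for the 127.0.0.1 check: a plain grep would also match a reverse lookup of 1.0.0.127.in-addr.arpa or any other line that merely contains the string.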