The tcpdump utility is a command-line network packet analyser. It is absolutely essential for diagnosing networking issues from the server side.

The basic format of the tcpdump command is:

~ # tcpdump [ options ] [ filter ]
~ # tcpdump -A -i eth0 -vv 'port 80'
~ # tcpdump -i eth0 -vv -x -X -s 1500 'port 80'

Capturing Packets

He are various methods to capture packets using tcpdump, output to terminal.

All Interfaces

Use the special value any as the interface

~ # tcpdump -i any

By Host and/or Port

~ # tcpdump -i eth0 'port 80'
~ # tcpdump -i eth0 'host edoceo-demo.com and port 80'
~ # tcpdump -i eth1 'port 5060'

By Protocol

~ # tcpdump -i eth0 'port 80'
~ # tcpdump -i eth1 'port 5060'

Displaying Output

There are various output formats supported by tcpdump, they would be specified before the filter.

ASCII Output

~ # tcpdump -A -i eth0 
~ # tcpdump -A -i eth0 'port 80'

More Packet Data

Specific length, or zero to get entire packet

~ # tcpdump -s 256 -i eth0
~ # tcpdump -s 0 -i eth0
~ # tcpdump -A -s 0 -i eth0 'port 80'

Numeric Hosts/Ports

~ # tcpdump -n -i eth0
~ # tcpdump -A -n -i eth0 'port 80'

Shorter Hosts/Ports

~ # tcpdump -N -i eth0
~ # tcpdump -A -N -i eth0 'port 80'

Queiter

Using -q supresses some protocol information, -t supresses timestamps.

~ # tcpdump -q -i eth0
~ # tcpdump -t -i eth0
~ # tcpdump -A -n -q -i eth0 'port 80'
~ # tcpdump -A -n -q -t -i eth0 'port 80'

Very Verbose

~ # tcpdump -v -i eth0
~ # tcpdump -vv -i eth0
~ # tcpdump -A -n -vv -i eth0 'port 80'

Advanced Filtering

Print only useful packets from the HTTP traffic

~ # tcpdump -A -s 0 -q -t -i eth0 'port 80 and ( ((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12:2]&0xf0)>>2)) != 0)'

Dump SIP Traffic

This is useful for debugging Asterisk or FreeSWITCH.

tcpdump -nq -s 0 -A -vvv port 5060 and host 1.2.3.4

See Also