Tcpdump
Filter examples
Get LLDP traffic (EtherType 0x88cc; put the options before the filter expression, since on non-GNU systems anything after the expression is treated as part of the filter):
tcpdump -vvv -i <INTERFACE> ether proto 0x88cc
Get traffic within a VLAN:
tcpdump -i <INTERFACE> vlan <vlan_id>
Get traffic sent to a specific host on a particular port (<PROTOCOL> is tcp or udp):
tcpdump -i <INTERFACE> <PROTOCOL> dst port <PORT> and dst host <HOSTNAME_OR_IP>
Main command-line options
| Option | Argument | Description |
|---|---|---|
| -A | N/A | Print each packet in ASCII. |
| -c | count | Exit after receiving count packets. |
| -C | file size | The file size in millions of bytes for each file during capture. |
| -D | N/A | Print the list of the network interfaces on which tcpdump can capture packets |
| -e | N/A | Print the link-level header (MAC address) on each dump line. |
| -F | file | Use file as input for the filter expression |
| -G | rotate_seconds | Rotates the dump file specified with the -w option every rotate_seconds seconds. The file name should contain a strftime(3) time format (e.g. %Y%m%d-%H%M%S); without one, each new file overwrites the previous one. |
| -i | interface | Listen on interface. |
| -n | N/A | Don’t convert host addresses to names. |
| -nn | N/A | Don’t convert protocol and port numbers etc. to names either. |
| -N | N/A | Don’t print domain name qualification of host names. |
| -p | N/A | Don’t put the interface into promiscuous mode. |
| -q | N/A | Print less protocol information so output lines are shorter. |
| -r | file | Read packets from file |
| -s | snaplen | Capture snaplen bytes of data from each packet rather than the default of 262144 bytes. |
| -S | N/A | Print absolute, rather than relative, TCP sequence numbers. |
| -tt | N/A | Print the timestamp, as seconds since January 1, 1970, 00:00:00, UTC, and fractions of a second since that time, on each dump line. |
| -v | N/A | When parsing and printing, produce (slightly more) verbose output. |
| -vvv | N/A | Even more verbose output. |
| -w | file | Write the raw packets to file rather than parsing and printing them out. |
| -W | filecnt | Used in conjunction with the -C option, this will limit the number of files created to the specified number, and begin overwriting files from the beginning, thus creating a ‘rotating’ buffer. Used with -G instead, it limits the number of rotated files and tcpdump exits with status 0 when the limit is reached. |
| -Z | user | If running as root, drop privileges to user after opening the capture device but before opening any output savefile, so the -w target must be writable by that user. |
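The filter examples and the -C/-W/-w/-Z rows above combine naturally into a ring-buffer capture that keeps a bounded amount of disk and does not run as root. The script below is an added example, not code from the original page; it assumes an unprivileged user named tcpdump exists (most distribution packages create one) and that the output directory is writable by that user, because tcpdump opens each rotated file after the -Z privilege drop.

```shell
#!/bin/sh
# Added example, not part of the original page: wrap tcpdump's ring-buffer
# options (-C/-W/-w) and privilege drop (-Z) in a small capture script.
#
# Assumptions not stated on the page:
#   - an unprivileged user named "tcpdump" exists; override CAPTURE_USER otherwise
#   - the output directory must be writable by that user, because tcpdump
#     opens every output file after it has dropped privileges with -Z
#
# Usage: capture.sh <interface> <outdir> [filter expression]
#        CAPTURE_DRYRUN=1 capture.sh ... prints the command instead of running it

CAPTURE_USER=${CAPTURE_USER:-tcpdump}
FILE_MB=100     # -C: rotate when a file reaches this many millions of bytes
FILE_COUNT=20   # -W: keep this many files, then overwrite from the first (ring buffer)

# build_capture_cmd IFACE OUTDIR [FILTER...]: print the command line that
# run_capture would execute, with the filter shown as one quoted argument.
build_capture_cmd() {
    iface=$1; outdir=$2; shift 2
    # -nn: no DNS or service-name lookups, so the capture host does not emit
    # resolver queries about the traffic it is watching.
    cmd="tcpdump -nn -i $iface -Z $CAPTURE_USER -C $FILE_MB -W $FILE_COUNT -w $outdir/$iface.pcap"
    if [ $# -gt 0 ]; then
        cmd="$cmd '$*'"
    fi
    printf '%s\n' "$cmd"
}

# run_capture IFACE OUTDIR [FILTER...]: validate the arguments, then run
# tcpdump; returns non-zero without starting a capture if validation fails.
run_capture() {
    iface=$1; outdir=$2; shift 2
    # Interface names are alphanumerics plus . _ - ; reject anything else so
    # a crafted name cannot smuggle extra arguments or shell syntax.
    case $iface in
        ''|*[!A-Za-z0-9._-]*) echo "bad interface name: '$iface'" >&2; return 2 ;;
    esac
    [ -d "$outdir" ] || { echo "output directory does not exist: $outdir" >&2; return 2; }
    if [ "${CAPTURE_DRYRUN:-0}" = 1 ]; then
        build_capture_cmd "$iface" "$outdir" "$@"
        return 0
    fi
    # The filter is passed as separate words; tcpdump joins them itself,
    # so there is no eval and no shell re-parsing of user input.
    exec tcpdump -nn -i "$iface" -Z "$CAPTURE_USER" -C "$FILE_MB" -W "$FILE_COUNT" \
        -w "$outdir/$iface.pcap" "$@"
}

if [ $# -ge 2 ]; then
    run_capture "$@"
fi
```

With -C and -W together, tcpdump appends a numbered suffix to the -w name and wraps around after FILE_COUNT files, so the capture never uses more than about FILE_MB × FILE_COUNT MB. If you need time-based rotation, swap -C for -G and put a strftime pattern in the file name, but remember that -W then makes tcpdump stop at the limit rather than wrap.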