tcpdump flags and BPF filter reference
Complete reference for tcpdump flags, output formats, and Berkeley Packet Filter expression syntax.
tcpdump Command Flags
| Flag | Description | Example |
|---|---|---|
| -i IFACE | Capture on a specific interface; use any to capture on all interfaces. | tcpdump -i eth0 |
| -D | List available interfaces for capture. | tcpdump -D |
| -c N | Stop after capturing N packets. | tcpdump -c 100 |
| -w FILE | Write raw packets to a pcap file. | tcpdump -w capture.pcap |
| -r FILE | Read packets from a pcap file. | tcpdump -r capture.pcap |
| -n | Do not resolve hostnames. | tcpdump -n |
| -nn | Do not resolve hostnames or port names. | tcpdump -nn |
| -v / -vv / -vvv | Increase verbosity level. | tcpdump -vv |
| -A | Print packet contents in ASCII. | tcpdump -A port 80 |
| -X | Print packet contents in hex and ASCII. | tcpdump -X |
| -s N | Capture N bytes per packet (0 = full packet). | tcpdump -s 0 |
| -G SECS | Rotate capture files every SECS seconds (the -w filename may contain strftime patterns such as %H). | tcpdump -G 3600 -w file_%H.pcap |
| -C MB | Rotate capture files once they reach MB megabytes. | tcpdump -C 100 |
| -W N | Keep only N rotation files. | tcpdump -W 10 |
| -q | Quiet output: print less protocol information. | tcpdump -q |
| -e | Print link-layer (MAC) headers. | tcpdump -e |
BPF Filter Expressions
| Filter | Description | Example |
|---|---|---|
| host IP | Match traffic to/from a specific host. | tcpdump host 203.0.113.1 |
| src IP | Match traffic from a source IP. | tcpdump src 10.0.0.1 |
| dst IP | Match traffic to a destination IP. | tcpdump dst 10.0.0.2 |
| port N | Match traffic on a specific port (src or dst). | tcpdump port 443 |
| src port N | Match traffic from a source port. | tcpdump src port 22 |
| dst port N | Match traffic to a destination port. | tcpdump dst port 80 |
| tcp | Match TCP packets only. | tcpdump tcp |
| udp | Match UDP packets only. | tcpdump udp |
| icmp | Match ICMP packets only. | tcpdump icmp |
| net CIDR | Match traffic to/from a subnet. | tcpdump net 10.0.0.0/24 |
| and | Combine filters with logical AND. | tcpdump host 10.0.0.1 and port 22 |
| or | Combine filters with logical OR. | tcpdump port 80 or port 443 |
| not | Negate a filter. | tcpdump not port 22 |
| portrange N-M | Match a range of ports. | tcpdump portrange 8000-9000 |
TCP Flag Filters
| Filter | Description | Example |
|---|---|---|
| tcp[tcpflags] & tcp-syn != 0 | Match packets with the SYN bit set (connection initiation; also matches SYN-ACK replies). | tcpdump 'tcp[tcpflags] & tcp-syn != 0' |
| tcp[tcpflags] & tcp-rst != 0 | Match packets with the RST bit set (connection reset). | tcpdump 'tcp[tcpflags] & tcp-rst != 0' |
| tcp[tcpflags] & tcp-fin != 0 | Match packets with the FIN bit set (connection close). | tcpdump 'tcp[tcpflags] & tcp-fin != 0' |
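The three flag filters above are bitmask tests on one byte: tcp[tcpflags] is byte 13 of the TCP header (tcpdump also accepts tcp[13]), and tcp-fin, tcp-syn and tcp-rst are the constants 0x01, 0x02 and 0x04. The following added example (not code from the page or from the tcpdump project) builds a small pcap file in memory from constructed sample frames, reads it back the way tcpdump -r would, and evaluates the same predicates in Python. It also shows the distinction the table does not: `& tcp-syn != 0` matches both the client's SYN and the server's SYN-ACK, while `tcp[tcpflags] == tcp-syn` matches only pure SYNs, which is what you want when counting inbound connection attempts. The addresses, ports and packet sequence are constructed sample data; checksums are left zero.

```python
import struct

# TCP flag bit values; these are the constants tcpdump accepts inside tcp[tcpflags].
TCP_FIN = 0x01
TCP_SYN = 0x02
TCP_RST = 0x04
TCP_PSH = 0x08
TCP_ACK = 0x10


def build_packet(src_ip, dst_ip, sport, dport, flags):
    """Build a minimal Ethernet/IPv4/TCP frame (constructed sample data; checksums zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"  # zeroed MACs, EtherType 0x0800 = IPv4
    ip = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 40, 0, 0, 64, 6, 0,  # IHL=5, total length 40, TTL 64, protocol 6 = TCP
        bytes(int(o) for o in src_ip.split(".")),
        bytes(int(o) for o in dst_ip.split(".")),
    )
    # data offset 5 words, then the flags byte: this is the byte tcp[tcpflags] reads
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp


def write_pcap(frames):
    """Serialize frames as a libpcap file (link type 1 = Ethernet), like tcpdump -w."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = b"".join(
        struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames)
    )
    return header + records


def read_pcap(data):
    """Yield raw frames from pcap bytes, the equivalent of tcpdump -r."""
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian pcap file")
    off = 24
    while off < len(data):
        _, _, incl_len, _ = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def tcp_flags(frame):
    """Return tcp[tcpflags] for an Ethernet/IPv4/TCP frame, or None for anything else.

    BPF's tcp[13] is byte 13 of the TCP header, which sits after the 14-byte Ethernet
    header and IHL*4 bytes of IPv4 header.
    """
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None  # not IPv4
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 6:
        return None  # not TCP
    idx = 14 + ihl + 13
    return frame[idx] if idx < len(frame) else None


def filter_pcap(data, flag, exact=False):
    """Indices of frames matching 'tcp[tcpflags] & flag != 0', or '== flag' when exact."""
    hits = []
    for i, frame in enumerate(read_pcap(data)):
        f = tcp_flags(frame)
        if f is None:
            continue
        if (f == flag) if exact else (f & flag) != 0:
            hits.append(i)
    return hits


def build_sample_capture():
    """Constructed sample: one full TCP session plus a stray RST and an ARP frame."""
    client, server, other = "10.0.0.1", "10.0.0.2", "10.0.0.3"
    frames = [
        build_packet(client, server, 40000, 443, TCP_SYN),              # 0 client SYN
        build_packet(server, client, 443, 40000, TCP_SYN | TCP_ACK),    # 1 server SYN-ACK
        build_packet(client, server, 40000, 443, TCP_ACK),              # 2 handshake ACK
        build_packet(client, server, 40000, 443, TCP_PSH | TCP_ACK),    # 3 data
        build_packet(client, server, 40000, 443, TCP_FIN | TCP_ACK),    # 4 close
        build_packet(server, other, 443, 50000, TCP_RST | TCP_ACK),     # 5 reset to another client
        b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28,                      # 6 ARP, not TCP
    ]
    return write_pcap(frames)


if __name__ == "__main__":
    data = build_sample_capture()
    print("tcp[tcpflags] & tcp-syn != 0 ->", filter_pcap(data, TCP_SYN))
    print("tcp[tcpflags] == tcp-syn     ->", filter_pcap(data, TCP_SYN, exact=True))
    print("tcp[tcpflags] & tcp-rst != 0 ->", filter_pcap(data, TCP_RST))
    print("tcp[tcpflags] & tcp-fin != 0 ->", filter_pcap(data, TCP_FIN))
```

Writing the bytes from build_sample_capture() to a file gives a capture that tcpdump -r can read, so the same three filter strings from the table can be checked against it directly; the Python predicates and tcpdump should agree on which frame indices match.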