Original Publication Date: 05/16/2007
Updated Date: 08/01/2016
The tcpdump utility is a command line packet sniffer with many features and options. For a full description, refer to the tcpdump man pages by typing the following command:
Following are examples of commands used to run the tcpdump utility:
The tcpdump utility's interface or -i option accepts only one option. This option may be a numbered interface or a named VLAN.
To view traffic, use the -i flag as follows:
tcpdump -i <option>
To view the traffic on a single specific interface:
tcpdump -i 2.1
To view the traffic on a specific VLAN called internal:
tcpdump -i internal
To view the traffic on the management interface:
tcpdump -i eth0
To view the traffic on all interfaces:
tcpdump -i 0.0
Important: Running tcpdump on interface 0.0 is not rate-limited and has the potential to create very large files. F5 recommends this option only when using filters to limit the size of the capture. Review the Filters section prior to using this option.
Note: Do not attempt to run tcpdump on an interface that contains a colon.
By default, tcpdump attempts to look up IP addresses and use names, rather than numbers, in the output. The BIG-IP system must wait for a response from the DNS server, so the lookups can be time consuming and the output may be confusing.
To disable name resolution, use the -n flag as in the following examples:
tcpdump -ni internal
You can save the tcpdump data to one of the following file formats:
When working with F5 Technical Support, you must provide the tcpdump output in the binary file format.
To save the tcpdump output to a binary file, type the following command:
tcpdump -w <filename>
tcpdump -w dump1.bin
Note: The tcpdump utility does not print data to the screen while it is capturing to a file. To stop the capture, press CTRL-C.
To save the tcpdump output to a text file, type the following command:
To read data from a binary tcpdump file (that you saved by using the tcpdump -w command), type the following command:
tcpdump -r <filename>
tcpdump -r dump1.bin
In this mode, the tcpdump utility reads stored packets from the file, but otherwise operates just as it would if it were reading from the network interface. As a result, you can use formatting commands and filters.
Beginning in BIG-IP 11.2.0-HF3, 11.2.1-HF3, and 11.3.0, a pseudo header which includes the following parameters is added to the start of each binary tcpdump capture:
The tcpdump utility allows you to use filters to, among other things, restrict the output to specified addresses, ports, and tcp flags.
tcpdump host <IP address>
tcpdump host 10.90.100.1
tcpdump src host <IP address>
tcpdump src host 10.90.100.1
tcpdump dst host <IP address>
tcpdump dst host 10.90.100.1
tcpdump port <port number>
tcpdump port 80
tcpdump src port<port number>
tcpdump src port 80
tcpdump dst port <port number>
tcpdump dst port 80
tcpdump 'tcp[tcpflags] & (tcp-syn) != 0'
tcpdump 'tcp[tcpflags] & (tcp-rst) != 0'
You can use the and operator to filter for a mixture of output.
Following are some examples of useful combinations:
tcpdump host 10.90.100.1 and port 80
tcpdump src host 172.16.101.20 and dst port 80
tcpdump src host 172.16.101.20 and dst host 10.90.100.1
The tcpdump utility provides an option that allows you to specify the amount of each packet to capture.
You can use the -s (snarf/snaplen) option to specify the amount of each packet to capture. To capture the entire packet, use a value of 0 (zero).
tcpdump -s0 src host 172.16.101.20 and dst port 80
Alternatively, you can specify a length large enough to capture the packet data you need to examine.
tcpdump -s200 src host 172.16.101.20 and dst port 80
If you are using the tcpdump utility to examine the output on the console during capture or by reading from an input file with the -r option, you should also use the -X flag to display ASCII encoded output along with the default HEX encoded output.
tcpdump -r dump1.bin -X src host 172.16.101.20 and dst port 80
The tcpdump utility provides an option that allows you to specify whether IP addresses and service ports are translated to their corresponding hostnames and service names.
Since performing multiple name lookups during a packet capture may be resource intensive, you should disable name resolution while capturing on a busy system using the -n option.
tcpdump -n src host 172.16.101.20 and dst port 80
Service port lookups incur less overhead than DNS-based name resolutions, but still are usually unnecessary while performing a capture. You can disable both name and service port resolution while performing a capture, by using the -nn option.
tcpdump -nn src host 172.16.101.20 and dst port 80
This article contains the most essential tcpdump options. You will generally need to use most of the options in combination.
Following are examples of how to combine the tcpdump options to provide the most meaningful output:
tcpdump -ni internal -w dump1.bin
tcpdump -n -r dump1.bin host 10.90.100.1
tcpdump -ni 2.1 host 10.90.100.1 and port 80
tcpdump -ni 1.10 src host 172.16.101.20 and dst port 80 >dump1.txt
tcpdump -Xs200 -nni eth0 -w /var/tmp/mgmt.cap dst host 172.16.101.20 and dst port 162
The following articles cover advanced tcpdump topics: