Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages


home | help
TCPDUMP(8)		FreeBSD	System Manager's Manual		    TCPDUMP(8)

     tcpdump --	dump traffic on	a network

     tcpdump [-AadefILlNnOopqStvXx] [-B	fildrop] [-c count] [-D	direction]
	     [-E [espalg:]espkey] [-F file] [-i	interface] [-r file]
	     [-s snaplen] [-T type] [-w	file] [-y datalinktype]	[expression]

     tcpdump prints out	the headers of packets on a network interface that
     match the boolean expression.  You	must have read access to /dev/bpf.

     The options are as	follows:

     -A	       Print each packet in ASCII.  If the -e option is	also speci-
	       fied, the link-level header will	be included.  The smaller of
	       the entire packet or snaplen bytes will be printed.

     -a	       Attempt to convert network and broadcast	addresses to names.

     -B	fildrop
	       Configure the drop action specified by fildrop to be used when
	       the filter expression matches a packet.	The actions are:

		     pass     Matching packets are accepted and	captured.
		     capture  Matching packets are dropped and captured.
		     drop     Matching packets are dropped but not captured.

	       The default action is pass.

     -c	count  Exit after receiving count packets.

     -D	direction
	       Select packets flowing in the specified direction.  Valid di-
	       rections	are: in	and out.  The default is to accept packets
	       flowing in any direction.

     -d	       Dump the	compiled packet-matching code in a human readable form
	       to standard output and stop.

     -dd       Dump packet-matching code as a C	program	fragment.

     -ddd      Dump packet-matching code as decimal numbers preceded with a

     -E	[espalg:]espkey
	       Try to decrypt RFC 4835 ESP (Encapsulating Security Payload)
	       traffic using the specified hex key espkey.  Supported algo-
	       rithms for espalg are: aes128, aes128-hmac96, blowfish,
	       blowfish-hmac96,	cast, cast-hmac96, des3, des3-hmac96, des and
	       des-hmac96.  The	algorithm defaults to aes128-hmac96.  This op-
	       tion should be used for debugging only, since the key will show
	       up in ps(1) output.

     -e	       Print the link-level header on each dump	line.

     -F	file   Use file	as input for the filter	expression.  Any additional
	       expressions given on the	command	line are ignored.

     -f	       Print "foreign" internet	addresses numerically rather than sym-
	       bolically.  This	option is intended to get around serious brain
	       damage in Sun's yp server -- usually it hangs forever translat-
	       ing non-local internet numbers.

     -I	       Print the interface on each dump	line.

     -i	interface
	       Listen on interface.  If	unspecified, tcpdump searches the sys-
	       tem interface list for the lowest numbered, configured "up" in-
	       terface (excluding loopback).  Ties are broken by choosing the
	       earliest	match.	interface may be either	a network interface or
	       a USB interface,	for example usb0.

     -L	       List the	supported data link types for the interface and	exit.

     -l	       Make stdout line	buffered.  Useful if you want to see the data
	       while capturing it.  For	example:

		     # tcpdump -l | tee	dat
		     # tcpdump -l > dat	& tail -f dat

     -N	       Do not print domain name	qualification of host names.  For ex-
	       ample, if you specify this flag then tcpdump will print "nic"
	       instead of "".

     -n	       Do not convert addresses	(host addresses, port numbers, etc.)
	       to names.

     -O	       Do not run the packet-matching code optimizer.  This is useful
	       only if you suspect a bug in the	optimizer.

     -o	       Print a guess of	the possible operating system(s) of hosts that
	       sent TCP	SYN packets.  See pf.os(5) for a description of	the
	       passive operating system	fingerprints.

     -p	       Do not put the interface	into promiscuous mode.	The interface
	       might be	in promiscuous mode for	some other reason; hence, -p
	       cannot be used as an abbreviation for "ether host
	       "{local-hw-addr}"" or "ether broadcast".

     -q	       Quick (quiet?) output.  Print less protocol information so out-
	       put lines are shorter.

     -r	file   Read packets from a file	which was created with the -w option.
	       Standard	input is used if file is `-'.

     -S	       Print absolute, rather than relative, TCP sequence numbers.

     -s	snaplen
	       Analyze at most the first snaplen bytes of data from each
	       packet rather than the default of 116.  116 bytes is adequate
	       for IPv6, ICMP, TCP, and	UDP, but may truncate protocol infor-
	       mation from name	server and NFS packets (see below).  Packets
	       truncated because of a limited snaplen are indicated in the
	       output with "[|proto]", where proto is the name of the protocol
	       level at	which the truncation has occurred.  Taking larger
	       snapshots both increases	the amount of time it takes to process
	       packets and, effectively, decreases the amount of packet
	       buffering.  This	may cause packets to be	lost.  You should
	       limit snaplen to	the smallest number that will capture the pro-
	       tocol information you're	interested in.

     -T	type   Force packets selected by expression to be interpreted as the
	       specified type.	Currently known	types are:

		     cnfp    Cisco NetFlow protocol
		     erspan  Cisco Encapsulated	Remote Switch Port Analyzer
			     (ERSPAN) over GRE
		     geneve  Generic Network Virtualization Encapsulation
		     gre     Generic Routing Encapsulation over	UDP
		     mpls    Multiprocol Label Switching over UDP
		     rpc     Remote Procedure Call
		     rtcp    Real-Time Applications control protocol
		     rtp     Real-Time Applications protocol
		     sack    RFC 2018 TCP Selective Acknowledgements Options
		     tcp     Transmission Control Protocol
		     tftp    Trivial File Transfer Protocol
		     vat     Visual Audio Tool
		     vrrp    Virtual Router Redundancy protocol
		     vxlan   Virtual eXtensible	Local Area Network
		     wb	     distributed White Board
		     wg	     WireGuard tunnel

     -t	       Do not print a timestamp	on each	dump line.

     -tt       Print an	unformatted timestamp on each dump line.

     -ttt      Print day and month in timestamp.

     -tttt     Print timestamp difference between packets.

     -ttttt    Print timestamp difference since	the first packet.

     -v	       (Slightly more) verbose output.	For example, the time to live
	       (TTL) and type of service (ToS) information in an IP packet are

     -vv       Even more verbose output.  For example, additional fields are
	       printed from NFS	reply packets.

     -w	file   Write the raw packets to	file rather than parsing and printing
	       them out.  They can be analyzed later with the -r option.
	       Standard	output is used if file is `-'.

     -X	       Print each packet in hex	and ASCII.  If the -e option is	also
	       specified, the link-level header	will be	included.  The smaller
	       of the entire packet or snaplen bytes will be printed.

     -x	       Print each packet in hex.  If the -e option is also specified,
	       the link-level header will be included.	The smaller of the en-
	       tire packet or snaplen bytes will be printed.

     -y	datalinktype
	       Set the data link type to use while capturing to	datalinktype.
	       Commonly	used types include EN10MB, IEEE802_11, and
	       IEEE802_11_RADIO.  The choices applicable to a particular de-
	       vice can	be listed using	-L.

     expression	selects	which packets will be dumped.  If no expression	is
     given, all	packets	on the net will	be dumped.  Otherwise, only packets
     satisfying	expression will	be dumped.

     The expression consists of	one or more primitives.	 Primitives usually
     consist of	an id (name or number) preceded	by one or more qualifiers.
     There are three different kinds of	qualifiers:

     type   Specify which kind of address component the	id name	or number
	    refers to.	Possible types are host, net and port.	E.g., "host
	    foo", "net 128.3", "port 20".  If there is no type qualifier, host
	    is assumed.

     dir    Specify a particular transfer direction to and/or from id.	Possi-
	    ble	directions are src, dst, src or	dst, src and dst, addr1,
	    addr2, addr3, and addr4.  E.g., "src foo", "dst net	128.3",	"src
	    or dst port	ftp-data".  If there is	no dir qualifier, src or dst
	    is assumed.	 The addr1, addr2, addr3, and addr4 qualifiers are
	    only valid for IEEE	802.11 Wireless	LAN link layers.  For null
	    link layers	(i.e., point-to-point protocols	such as	SLIP (Serial
	    Line Internet Protocol) or the pflog(4) header), the inbound and
	    outbound qualifiers	can be used to specify a desired direction.

     proto  Restrict the match to a particular protocol.  Possible protocols
	    are: ah, arp, atalk, decnet, esp, ether, fddi, icmp, icmp6,	igmp,
	    igrp, ip, ip6, lat,	mopdl, moprc, pim, rarp, sca, stp, tcp,	udp,
	    and	wlan.  E.g., "ether src	foo", "arp net 128.3", "tcp port 21",
	    "wlan addr1	0:2:3:4:5:6".  If there	is no protocol qualifier, all
	    protocols consistent with the type are assumed.  E.g., "src	foo"
	    means "(ip or arp or rarp) src foo"	(except	the latter is not
	    legal syntax); "net	bar" means "(ip	or arp or rarp)	net bar"; and
	    "port 53" means "(TCP or UDP) port 53".

	    fddi is actually an	alias for ether; the parser treats them	iden-
	    tically as meaning "the data link level used on the	specified
	    network interface".	 FDDI (Fiber Distributed Data Interface) head-
	    ers	contain	Ethernet-like source and destination addresses,	and
	    often contain Ethernet-like	packet types, so you can filter	on
	    these FDDI fields just as with the analogous Ethernet fields.
	    FDDI headers also contain other fields, but	you cannot name	them
	    explicitly in a filter expression.

     In	addition to the	above, there are some special primitive	keywords that
     don't follow the pattern: gateway,	broadcast, less, greater, and arith-
     metic expressions.	 All of	these are described below.

     More complex filter expressions are built up by using the words and, or,
     and not to	combine	primitives e.g., "host foo and not port	ftp and	not
     port ftp-data".  To save typing, identical	qualifier lists	can be omitted
     e.g., "tcp	dst port ftp or	ftp-data or domain" is exactly the same	as
     "tcp dst port ftp or tcp dst port ftp-data	or tcp dst port	domain".

     Allowable primitives are:

     dst host host	True if	the IP destination field of the	packet is
			host, which may	be either an address or	a name.

     src host host	True if	the IP source field of the packet is host.

     host host		True if	either the IP source or	destination of the
			packet is host.

			Any of the above host expressions can be prepended
			with the keywords, ip, arp, or rarp as in:

			      ip host host

			which is equivalent to:

			      ether proto ip and host host

			If host	is a name with multiple	IP addresses, each ad-
			dress will be checked for a match.

     ether dst ehost	True if	the Ethernet destination address is ehost.
			ehost may be either a name from	/etc/ethers or a num-
			ber (see ether_aton(3) for a numeric format).

     ether src ehost	True if	the Ethernet source address is ehost.

     ether host	ehost	True if	either the Ethernet source or destination ad-
			dress is ehost.

     gateway host	True if	the packet used	host as	a gateway; i.e., the
			Ethernet source	or destination address was host	but
			neither	the IP source nor the IP destination was host.
			host must be a name and	must be	found in both
			/etc/hosts and /etc/ethers.  An	equivalent expression

			      ether host ehost and not host host

			which can be used with either names or numbers for

     dst net net	True if	the IP destination address of the packet has a
			network	number of net.	net may	be either a name from
			/etc/hosts or a	network	number (see hosts(5) for de-

     src net net	True if	the IP source address of the packet has	a net-
			work number of net.

     net net		True if	either the IP source or	destination address of
			the packet has a network number	of net.

     dst port port	True if	the packet is IP/TCP or	IP/UDP and has a des-
			tination port value of port.  The port can be a	number
			or name	from services(5) (see tcp(4) and udp(4)).  If
			a name is used,	both the port number and protocol are
			checked.  If a number or ambiguous name	is used, only
			the port number	is checked; e.g., "dst port 513" will
			print both TCP/login traffic and UDP/who traffic, and
			"dst port domain" will print both TCP/domain and
			UDP/domain traffic.

     src port port	True if	the packet has a source	port value of port.

     port port		True if	either the source or destination port of the
			packet is port.

			Any of the above port expressions can be prepended
			with the keywords tcp or udp, as in:

			      tcp src port port

			which matches only TCP packets whose source port is

     less length	True if	the packet has a length	less than or equal to
			length.	 This is equivalent to:

			      len <= length

     greater length	True if	the packet has a length	greater	than or	equal
			to length.  This is equivalent to:

			      len >= length

     ip	proto proto	True if	the packet is an IP packet (see	ip(4)) of pro-
			tocol type proto.  proto can be	a number or name from
			protocols(5), such as icmp, udp, or tcp.  These	iden-
			tifiers	are also keywords and must be escaped using a
			backslash character (`\').

     ether broadcast	True if	the packet is an Ethernet broadcast packet.
			The ether keyword is optional.

     ip	broadcast	True if	the packet is an IP broadcast packet.  It
			checks for both	the all-zeroes and all-ones broadcast
			conventions and	looks up the local subnet mask.

     ether multicast	True if	the packet is an Ethernet multicast packet.
			The ether keyword is optional.	This is	shorthand for
			"ether[0] & 1 != 0".

     ip	multicast	True if	the packet is an IP multicast packet.

     ether proto proto	True if	the packet is of ether type proto.  proto can
			be a number or one of the names	ip, ip6, arp, rarp,
			atalk, atalkarp, decnet, decdts, decdns, lanbridge,
			lat, mopdl, moprc, pup,	sca, sprite, stp, vexp,	vprod,
			or xns.	 These identifiers are also keywords and must
			be escaped using a backslash character (`\').  In the
			case of	FDDI (e.g., "fddi protocol arp"), the protocol
			identification comes from the 802.2 Logical Link Con-
			trol (LLC) header, which is usually layered on top of
			the FDDI header.  tcpdump assumes, when	filtering on
			the protocol identifier, that all FDDI packets include
			an LLC header, and that	the LLC	header is in so-called
			SNAP format.

     decnet src	host	True if	the DECNET source address is host, which may
			be an address of the form "10.123", or a DECNET	host
			name.  DECNET host name	support	is only	available on
			systems	that are configured to run DECNET.

     decnet dst	host	True if	the DECNET destination address is host.

     decnet host host	True if	either the DECNET source or destination	ad-
			dress is host.

     ifname interface	True if	the packet was logged as coming	from the spec-
			ified interface	(applies only to packets logged	by

     on	interface	Synonymous with	the ifname modifier.

     rnr num		True if	the packet was logged as matching the speci-
			fied PF	rule number in the main	ruleset	(applies only
			to packets logged by pf(4)).

     rulenum num	Synonymous with	the rnr	modifier.

     reason code	True if	the packet was logged with the specified PF
			reason code.  The known	codes are: match, bad-offset,
			fragment, short, normalize, memory, bad-timestamp,
			congestion, ip-option, proto-cksum, state-mismatch,
			state-insert, state-limit, src-limit, and synproxy
			(applies only to packets logged	by pf(4)).

     rset name		True if	the packet was logged as matching the speci-
			fied PF	ruleset	name of	an anchored ruleset (applies
			only to	packets	logged by pf(4)).

     ruleset name	Synonymous with	the rset modifier.

     srnr num		True if	the packet was logged as matching the speci-
			fied PF	rule number of an anchored ruleset (applies
			only to	packets	logged by pf(4)).

     subrulenum	num	Synonymous with	the srnr modifier.

     action act		True if	PF took	the specified action when the packet
			was logged.  Valid actions are:	pass, block, and match
			(applies only to packets logged	by pf(4)).

     wlan addr1	ehost	True if	the first IEEE 802.11 address is ehost.

     wlan addr2	ehost	True if	the second IEEE	802.11 address is ehost.

     wlan addr3	ehost	True if	the third IEEE 802.11 address is ehost.

     wlan addr4	ehost	True if	the fourth IEEE	802.11 address is ehost.  The
			fourth address field is	only used for WDS (Wireless
			Distribution System) frames.

     wlan host ehost	True if	either the first, second, third, or fourth
			IEEE 802.11 address is ehost.

     type type		True if	the IEEE 802.11	frame type matches the speci-
			fied type.  Valid types	are: data, mgt,	ctl, or	a nu-
			meric value.

     subtype subtype	True if	the IEEE 802.11	frame subtype matches the
			specified subtype.  Valid subtypes are:	assocreq,
			assocresp, reassocreq, reassocresp, probereq,
			proberesp, beacon, atim, disassoc, auth, deauth, data,
			or a numeric value.

     dir dir		True if	the IEEE 802.11	frame direction	matches	the
			specified dir.	Valid directions are: nods, tods,
			fromds,	dstods,	or a numeric value.

     atalk, ip,	ip6, arp, decnet, lat, moprc, mopdl, rarp, sca
			Abbreviations for: ether proto p where p is one	of the
			above protocols.  tcpdump does not currently know how
			to parse lat, moprc, or	mopdl.

     ah, esp, icmp, icmp6, igmp, igrp, pim, tcp, udp
			Abbreviations for: ip proto p where p is one of	the
			above protocols.

     expr relop	expr	True if	the relation holds, where relop	is one of `>',
			`<', `>=', `<=', `=', `!=', and	expr is	an arithmetic
			expression composed of integer constants (expressed in
			standard C syntax), the	normal binary operators	(`+',
			`-', `*', `/', `&', `|'), a length operator, and spe-
			cial packet data accessors.  To	access data inside the
			packet,	use the	following syntax:


			proto is one of	ether, fddi, ip, arp, rarp, tcp, udp,
			or icmp, and indicates the protocol layer for the in-
			dex operation.	The byte offset, relative to the indi-
			cated protocol layer, is given by expr.	 size is op-
			tional and indicates the number	of bytes in the	field
			of interest; it	can be either one, two,	or four, and
			defaults to one.  The length operator, indicated by
			the keyword len, gives the length of the packet.

			For example, "ether[0] & 1 != 0" catches all multicast
			traffic.  The expression "ip[0]	& 0xf != 5" catches
			all IP packets with options.  The expression "ip[6:2]
			& 0x1fff = 0" catches only unfragmented	datagrams and
			frag zero of fragmented	datagrams.  This check is im-
			plicitly applied to the	tcp and	udp index operations.
			For instance, "tcp[0]" always means the	first byte of
			the TCP	header,	and never means	the first byte of an
			intervening fragment.

     Primitives	may be combined	using a	parenthesized group of primitives and
     operators.	 Parentheses are special to the	shell and must be escaped.
     Allowable primitives and operators	are:

	   Negation ("!" or "not")

	   Concatenation ("&&" or "and")

	   Alternation ("||" or	"or")

     Negation has highest precedence.  Alternation and concatenation have
     equal precedence and associate left to right.  Explicit and tokens, not
     juxtaposition, are	now required for concatenation.

     If	an identifier is given without a keyword, the most recent keyword is
     assumed.  For example,

	   not host vs and ace

     is	short for

	   not host vs and host	ace

     which should not be confused with

	   not (host vs	or ace)

     Expression	arguments can be passed	to tcpdump as either a single argument
     or	as multiple arguments, whichever is more convenient.  Generally, if
     the expression contains shell metacharacters, it is easier	to pass	it as
     a single, quoted argument.	 Multiple arguments are	concatenated with spa-
     ces before	being parsed.

     To	print all packets arriving at or departing from	sundown:

	   # tcpdump host sundown

     To	print traffic between helios and either	hot or ace (the	expression is
     quoted to prevent the shell from misinterpreting the parentheses):

	   # tcpdump 'host helios and (hot or ace)'

     To	print all IP packets between ace and any host except helios:

	   # tcpdump ip	host ace and not helios

     To	print all traffic between local	hosts and hosts	at Berkeley:

	   # tcpdump net ucb-ether

     To	print all FTP traffic through internet gateway snup:

	   # tcpdump 'gateway snup and (port ftp or ftp-data)'

     To	print traffic neither sourced from nor destined	for local network (if	you gateway to one other net, this stuff should	never
     make it onto your local network):

	   # tcpdump ip	and not	net

     To	print the start	and end	packets	(the SYN and FIN packets) of each TCP
     connection	that involves a	host that is not in local network

	   # tcpdump 'tcp[13] &	3 != 0 and not src and dst net'

     To	print only the SYN packets of HTTP connections:

	   # tcpdump 'tcp[tcpflags] = tcp-syn and port http'

     To	print IP packets longer	than 576 bytes sent through gateway snup:

	   # tcpdump 'gateway snup and ip[2:2] > 576'

     To	print IP broadcast or multicast	packets	that were not sent via Ether-
     net broadcast or multicast:

	   # tcpdump 'ether[0] & 1 = 0 and ip[16] >= 224'

     To	print all ICMP packets that are	not echo requests/replies (i.e., not
     ping packets):

	   # tcpdump 'icmp[0] != 8 and icmp[0] != 0'

     To	print only echo	request	ICMP packets:

	   # tcpdump 'icmp[icmptype] = icmp-echo'

     To	print and decrypt all ESP packets with SPI 0x00001234:

	   # tcpdump -E	des3-hmac96:ab...def 'ip[20:4] = 0x00001234'

     To	print raw wireless frames passing the iwn0 interface:
	   # tcpdump -i	iwn0 -y	IEEE802_11_RADIO -v

     The output	of tcpdump is protocol dependent.  The following gives a brief
     description and examples of most of the formats.

   Link	Level Headers
     If	the -e option is given,	the link level header is printed out.  On Eth-
     ernets, the source	and destination	addresses, protocol, and packet	length
     are printed.

     On	the packet filter logging interface pflog(4), logging reason (rule
     match, bad-offset,	fragment, bad-timestamp, short,	normalize, memory),
     action taken (pass/block),	direction (in/out) and interface information
     are printed out for each packet.

     On	FDDI networks, the -e option causes tcpdump to print the frame control
     field, the	source and destination addresses, and the packet length.  The
     frame control field governs the interpretation of the rest	of the packet.
     Normal packets (such as those containing IP datagrams) are	"async"	pack-
     ets, with a priority value	between	0 and 7; for example, async4.  Such
     packets are assumed to contain an 802.2 Logical Link Control (LLC)
     packet; the LLC header is printed if it is	not an ISO datagram or a so-
     called SNAP packet.

     The following description assumes familiarity with	the SLIP compression
     algorithm described in RFC	1144.

     On	SLIP links, a direction	indicator (`I' for inbound, `O'	for outbound),
     packet type, and compression information are printed out.	The packet
     type is printed first.  The three types are ip, utcp, and ctcp.  No fur-
     ther link information is printed for IP packets.  For TCP packets,	the
     connection	identifier is printed following	the type.  If the packet is
     compressed, its encoded header is printed out.  The special cases are
     printed out as *S+n and *SA+n, where n is the amount by which the se-
     quence number (or sequence	number and ack)	has changed.  If it is not a
     special case, zero	or more	changes	are printed.  A	change is indicated by
     `U' (urgent pointer), `W' (window), `A' (ack), `S'	(sequence number), and
     `I' (packet ID), followed by a delta (+n or -n), or a new value (=n).
     Finally, the amount of data in the	packet and compressed header length
     are printed.

     For example, the following	line shows an outbound compressed TCP packet,
     with an implicit connection identifier; the ack has changed by 6, the se-
     quence number by 49, and the packet ID by 6; there	are 3 bytes of data
     and 6 bytes of compressed header:

	   O ctcp * A +6 S +49 I +6 3 (6)

   ARP/RARP Packets
     arp/rarp output shows the type of request and its arguments.  The format
     is	intended to be self-explanatory.  Here is a short sample taken from
     the start of an rlogin from host rtsg to host csam:

	   arp who-has csam tell rtsg
	   arp reply csam is-at	CSAM

     In	this example, Ethernet addresses are in	caps and internet addresses in
     lower case.  The first line says that rtsg	sent an	arp packet asking for
     the Ethernet address of internet host csam.  csam replies with its	Ether-
     net address CSAM.

     This would	look less redundant if we had done tcpdump -n:

	   arp who-has tell
	   arp reply is-at 02:07:01:00:01:c4

     If	we had done tcpdump -e,	the fact that the first	packet is broadcast
     and the second is point-to-point would be visible:

	   RTSG	Broadcast 0806 64: arp who-has csam tell rtsg
	   CSAM	RTSG 0806 64: arp reply	csam is-at CSAM

     For the first packet this says the	Ethernet source	address	is RTSG, the
     destination is the	Ethernet broadcast address, the	type field contained
     hex 0806 (type ETHER_ARP) and the total length was	64 bytes.

   TCP Packets
     The following description assumes familiarity with	the TCP	protocol de-
     scribed in	RFC 793.  If you are not familiar with the protocol, neither
     this description nor tcpdump will be of much use to you.

     The general format	of a TCP protocol line is:

	   src > dst: flags src-os data-seqno ack window urgent	options

     src and dst are the source	and destination	IP addresses and ports.	 flags
     is	some combination of `S'	(SYN), `F' (FIN), `P' (PUSH), or `R' (RST),
     `W' (congestion Window reduced), `E' (ecn ECHO) or	a single `.' (no
     flags).  src-os will list a guess of the source host's operating system
     if	the -o command line flag was passed to tcpdump.	 data-seqno describes
     the portion of sequence space covered by the data in this packet (see
     example below).  ack is the sequence number of the	next data expected by
     the other end of this connection.	window is the number of	bytes of re-
     ceive buffer space	available at the other end of this connection.	urgent
     indicates there is	urgent data in the packet.  options are	TCP options
     enclosed in angle brackets	e.g., <mss 1024>.

     src, dst and flags	are always present.  The other fields depend on	the
     contents of the packet's TCP protocol header and are output only if ap-

     Here is the opening portion of an rlogin from host	rtsg to	host csam.

       rtsg.1023 > csam.login: S 768512:768512(0) win 4096 <mss	1024>
       csam.login > rtsg.1023: S 947648:947648(0) ack 768513 win 4096 <mss 1024>
       rtsg.1023 > csam.login: . ack 1 win 4096
       rtsg.1023 > csam.login: P 1:2(1)	ack 1 win 4096
       csam.login > rtsg.1023: . ack 2 win 4096
       rtsg.1023 > csam.login: P 2:21(19) ack 1	win 4096
       csam.login > rtsg.1023: P 1:2(1)	ack 21 win 4077
       csam.login > rtsg.1023: P 2:3(1)	ack 21 win 4077	urg 1
       csam.login > rtsg.1023: P 3:4(1)	ack 21 win 4077	urg 1

     The first line says that TCP port 1023 on rtsg sent a packet to port lo-
     gin on host csam.	The `S'	indicates that the SYN flag was	set.  The
     packet sequence number was	768512 and it contained	no data.  The notation
     is	`first:last(nbytes)' which means sequence numbers first	up to but not
     including last which is nbytes bytes of user data.	 There was no piggy-
     backed ack, the available receive window was 4096 bytes and there was a
     max-segment-size option requesting	an mss of 1024 bytes.

     Csam replies with a similar packet	except it includes a piggy-backed ack
     for rtsg's	SYN.  Rtsg then	acks csam's SYN.  The `.' means	no flags were
     set.  The packet contained	no data	so there is no data sequence number.
     The ack sequence number is	a 32-bit integer.  The first time tcpdump sees
     a TCP connection, it prints the sequence number from the packet.  On sub-
     sequent packets of	the connection,	the difference between the current
     packet's sequence number and this initial sequence	number is printed.
     This means	that sequence numbers after the	first can be interpreted as
     relative byte positions in	the connection's data stream (with the first
     data byte each direction being 1).	 -S will override this feature,	caus-
     ing the original sequence numbers to be output.

     On	the 6th	line, rtsg sends csam 19 bytes of data (bytes 2	through	20 in
     the rtsg -> csam side of the connection).	The PUSH flag is set in	the
     packet.  On the 7th line, csam says it's received data sent by rtsg up to
     but not including byte 21.	 Most of this data is apparently sitting in
     the socket	buffer since csam's receive window has gotten 19 bytes
     smaller.  Csam also sends one byte	of data	to rtsg	in this	packet.	 On
     the 8th and 9th lines, csam sends two bytes of urgent, pushed data	to

   UDP Packets
     UDP format	is illustrated by this rwho packet:

	   actinide.who	> broadcast.who: udp 84

     This says that port who on	host actinide sent a UDP datagram to port who
     on	host broadcast,	the Internet broadcast address.	 The packet contained
     84	bytes of user data.

     Some UDP services are recognized (from the	source or destination port
     number) and the higher level protocol information printed.	 In particu-
     lar, Domain Name service requests (RFC 1034/1035) and Sun RPC calls (RFC
     1050) to NFS.

   UDP Name Server Requests
     The following description assumes familiarity with	the Domain Service
     protocol described	in RFC 1035.  If you are not familiar with the proto-
     col, the following	description will appear	to be written in Greek.

     Name server requests are formatted	as

	   src > dst: id op? flags qtype qclass	name (len)

     For example:

	   h2opolo.1538	> helios.domain: 3+ A? (37)

     Host h2opolo asked	the domain server on helios for	an address record
     (qtype=A) associated with the name  The query	id was
     3.	 The `+' indicates the recursion desired flag was set.	The query
     length was	37 bytes, not including	the UDP	and IP protocol	headers.  The
     query operation was the normal one	(Query)	so the op field	was omitted.
     If	op had been anything else, it would have been printed between the 3
     and the `+'.  Similarly, the qclass was the normal	one (C_IN) and was
     omitted.  Any other qclass	would have been	printed	immediately after the

     A few anomalies are checked and may result	in extra fields	enclosed in
     square brackets: if a query contains an answer, name server or authority
     section, ancount, nscount,	or arcount are printed as "[na]", "[nn]", or
     "[nau]" where n is	the appropriate	count.	If any of the response bits
     are set (AA, RA or	rcode) or any of the "must be zero" bits are set in
     bytes two and three, "[b2&3=x]" is	printed, where x is the	hex value of
     header bytes two and three.

   UDP Name Server Responses
     Name server responses are formatted as

	   src > dst: id op rcode flags	a / n /	au type	class data (len)

     For example:

	   helios.domain > h2opolo.1538: 3 3/3/7 A	(273)
	   helios.domain > h2opolo.1537: 2 NXDomain* 0/1/0 (97)

     In	the first example, helios responds to query id 3 from h2opolo with 3
     answer records, 3 name server records and 7 authority records.  The first
     answer record is type A (address and its data is internet)	address  The	total size of the response was 273 bytes, excluding
     UDP and IP	headers.  The op (Query) and rcode (NoError) were omitted, as
     was the class (C_IN) of the A record.

     In	the second example, helios responds to query op	2 with an rcode	of
     non-existent domain (NXDomain) with no answers, one name server and no
     authority records.	 The `*' indicates that	the authoritative answer bit
     was set.  Since there were	no answers, no type, class or data were

     Other flag	characters that	might appear are `-' (recursion	available, RA,
     not set) and `|' (truncated message, TC, set).  If	the question section
     doesn't contain exactly one entry,	"[nq]" is printed.

     Name server requests and responses	tend to	be large and the default
     snaplen of	96 bytes may not capture enough	of the packet to print.	 Use
     the -s flag to increase the snaplen if you	need to	seriously investigate
     name server traffic.  "-s 128" has	worked well for	me.

   NFS Requests	and Replies
     Sun NFS (Network File System) requests and	replies	are printed as:

	   src.xid > dst.nfs: len op args

	   src.nfs > dst.xid: reply stat len op	results

	   sushi.6709 >	wrl.nfs: 112 readlink fh 21,24/10.73165
	   wrl.nfs > sushi.6709: reply ok 40 readlink "../var"
	   sushi.201b >	wrl.nfs:
		144 lookup fh 9,74/4096.6878 "xcolors"
	   wrl.nfs > sushi.201b:
		reply ok 128 lookup fh 9,74/4134.3150

     In	the first line,	host sushi sends a transaction with ID 6709 to wrl.
     The number	following the src host is a transaction	ID, not	the source
     port.  The	request	was 112	bytes, excluding the UDP and IP	headers.  The
     op	was a readlink (read symbolic link) on fh ("file handle")
     21,24/10.731657119.  If one is lucky, as in this case, the	file handle
     can be interpreted	as a major,minor device	number pair, followed by the
     inode number and generation number.  Wrl replies with a stat of ok	and
     the contents of the link.

     In	the third line,	sushi asks wrl to look up the name "xcolors" in	direc-
     tory file 9,74/4096.6878.	The data printed depends on the	operation
     type.  The	format is intended to be self-explanatory if read in conjunc-
     tion with an NFS protocol spec.

     If	the -v (verbose) flag is given,	additional information is printed.
     For example:

	   sushi.1372a > wrl.nfs:
		148 read fh 21,11/12.195 8192 bytes @ 24576
	   wrl.nfs > sushi.1372a:
		reply ok 1472 read REG 100664 ids 417/0	sz 29388

     -v	also prints the	IP header TTL, ID, and fragmentation fields, which
     have been omitted from this example.  In the first	line, sushi asks wrl
     to	read 8192 bytes	from file 21,11/12.195,	at byte	offset 24576.  Wrl
     replies with a stat of ok;	the packet shown on the	second line is the
     first fragment of the reply, and hence is only 1472 bytes long.  The
     other bytes will follow in	subsequent fragments, but these	fragments do
     not have NFS or even UDP headers and so might not be printed, depending
     on	the filter expression used.  Because the -v flag is given, some	of the
     file attributes (which are	returned in addition to	the file data) are
     printed: the file type (`REG', for	regular	file), the file	mode (in
     octal), the UID and GID, and the file size.

     If	the -v flag is given more than once, even more details are printed.

     NFS requests are very large and much of the detail	won't be printed un-
     less snaplen is increased.	 Try using "-s 192" to watch NFS traffic.

     NFS reply packets do not explicitly identify the RPC operation.  Instead,
     tcpdump keeps track of "recent" requests, and matches them	to the replies
     using the xid (transaction	ID).  If a reply does not closely follow the
     corresponding request, it might not be parsable.

   IP Fragmentation
     Fragmented	Internet datagrams are printed as

	   (frag id : size @ offset [+])

     A `+' indicates there are more fragments.	The last fragment will have no

     id	is the fragment	ID.  size is the fragment size (in bytes) excluding
     the IP header.  offset is this fragment's offset (in bytes) in the	origi-
     nal datagram.

     The fragment information is output	for each fragment.  The	first fragment
     contains the higher level protocol	header and the fragment	info is
     printed after the protocol	info.  Fragments after the first contain no
     higher level protocol header and the fragment info	is printed after the
     source and	destination addresses.	For example, here is part of an	FTP
     from to over a CSNET connection that doesn't
     appear to handle 576 byte datagrams:

	   arizona.ftp-data > rtsg.1170: . 1024:1332(308) ack 1	win 4096 (frag 595a:328@0+)
	   arizona > rtsg: (frag 595a:204@328)
	   rtsg.1170 > arizona.ftp-data: . ack 1536 win	2560

     There are a couple	of things to note here:	first, addresses in the	2nd
     line don't	include	port numbers.  This is because the TCP protocol	infor-
     mation is all in the first	fragment and we	have no	idea what the port or
     sequence numbers are when we print	the later fragments.  Second, the TCP
     sequence information in the first line is printed as if there were	308
     bytes of user data	when, in fact, there are 512 bytes (308	in the first
     frag and 204 in the second).  If you are looking for holes	in the se-
     quence space or trying to match up	acks with packets, this	can fool you.

     A packet with the IP don't	fragment flag is marked	with a trailing

     By	default, all output lines are preceded by a timestamp.	The timestamp
     is	the current clock time in the form hh:mm:ss.frac and is	as accurate as
     the kernel's clock.  The timestamp	reflects the time the kernel first saw
     the packet.  No attempt is	made to	account	for the	time lag between when
     the Ethernet interface removed the	packet from the	wire and when the ker-
     nel serviced the "new packet" interrupt.

   IP and Protocol Checksum Offload
     Some network cards	support	IP and/or protocol checksum offload.  Packet
     headers for such interfaces erroneously indicate a	bad checksum, since
     the checksum is not calculated until after	tcpdump	sees the packet.

     ether_aton(3), pcap_open_live(3), bpf(4), ip(4), pf(4), pflog(4), tcp(4),
     udp(4), hosts(5), pcap-filter(5), pf.os(5), protocols(5), services(5)

     Transmission Control Protocol, RFC	793, September 1981.

     P.	Mockapetris, Domain Names - Concepts and Facilities, RFC 1034,
     November 1987.

     P.	Mockapetris, Domain Names - Implementation and Specification, RFC
     1035, November 1987.

     RPC: Remote Procedure Call	Protocol Specification,	RFC 1050, April	1988.

     V.	Jacobson, Compressing TCP/IP Headers for Low-Speed Serial Links, RFC
     1144, February 1990.

     M.	Mathis,	J. Mahdavi, S. Floyd, and A. Romanow, TCP Selective
     Acknowledgement Options, RFC 2018,	October	1996.

     V.	Manral,	Cryptographic Algorithm	Implementation Requirements for
     Encapsulating Security Payload (ESP) and Authentication Header (AH), RFC
     4835, April 2007.

     Van Jacobson <>, Craig Leres	<>, and	Steven
     McCanne <>, all of the Lawrence Berkeley	Laboratory,
     University	of California, Berkeley, CA.

     Some attempt should be made to reassemble IP fragments, or	at least to
     compute the right length for the higher level protocol.

     Name server inverse queries are not dumped	correctly: The (empty) ques-
     tion section is printed rather than the real query	in the answer section.
     Some believe that inverse queries are themselves a	bug and	prefer to fix
     the program generating them rather	than tcpdump.

     A packet trace that crosses a daylight saving time	change will give
     skewed time stamps	(the time change is ignored).

     Filter expressions	that manipulate	FDDI headers assume that all FDDI
     packets are encapsulated Ethernet packets.	 This is true for IP, ARP, and
     DECNET Phase IV, but is not true for protocols such as ISO	CLNS.  There-
     fore, the filter may inadvertently	accept certain packets that do not
     properly match the	filter expression.

FreeBSD	13.0			August 17, 2020			  FreeBSD 13.0


Want to link to this manual page? Use this URL:

home | help