2021-04-15

This article is the final part of my three-part series covering 18 different tcpdump tips and tricks, where I continue to demonstrate features that help you filter and organize the information returned by tcpdump. I recommend reading parts one and two before continuing with the content below.


13. TCP flags-based filters

It is possible to filter TCP traffic based on the various TCP flags. Here's an example that filters on the tcp-ack flag, i.e., it shows only packets in which the ACK bit is set:

# tcpdump -i any "tcp[tcpflags] & tcp-ack !=0" -c3
tcpdump: data link type LINUX_SLL2
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
21:01:26.064889 wlp0s20f3 In IP ec2-54-227-95-54.compute-1.amazonaws.com.https > kkulkarni.attlocal.net.37834: Flags [P.], seq 1819770188:1819770212, ack 92255846, win 530, options [nop,nop,TS val 2380606750 ecr 2653646722], length 24
21:01:26.065072 wlp0s20f3 Out IP kkulkarni.attlocal.net.37834 > ec2-54-227-95-54.compute-1.amazonaws.com.https: Flags [P.], seq 1:29, ack 24, win 501, options [nop,nop,TS val 2653656956 ecr 2380606750], length 28
21:01:26.066067 wlp0s20f3 In IP ec2-54-227-95-54.compute-1.amazonaws.com.https > kkulkarni.attlocal.net.37834: Flags [P.], seq 0:24, ack 1, win 530, options [nop,nop,TS val 2380607026 ecr 2653646722], length 24
3 packets captured
5 packets received by filter
0 packets dropped by kernel
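To make clear what the filter above actually tests, here is an added Python example (not part of the original article) that reads tcp[tcpflags], byte 13 of the TCP header, from a raw IPv4 packet, evaluates "tcp[tcpflags] & MASK OP VALUE" the way the tcpdump expression does, and renders the same "Flags [P.]" notation seen in the capture. It goes slightly beyond the article by also evaluating a SYN-only mask; the sample packets are constructed inline and the build_ipv4_tcp helper is my own, not a tcpdump API.

```python
import struct

# tcpdump's symbolic TCP flag names; tcp[tcpflags] is byte 13 of the TCP header
TCP_FLAGS = {"tcp-fin": 0x01, "tcp-syn": 0x02, "tcp-rst": 0x04, "tcp-push": 0x08,
             "tcp-ack": 0x10, "tcp-urg": 0x20, "tcp-ece": 0x40, "tcp-cwr": 0x80}
# Letters tcpdump prints inside "Flags [...]", in bit order; ACK is shown as "."
FLAG_LETTERS = [(0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"),
                (0x10, "."), (0x20, "U"), (0x40, "E"), (0x80, "W")]

def tcp_flags_byte(packet: bytes) -> int:
    """Return tcp[tcpflags] for a raw IPv4+TCP packet (no link-layer header)."""
    if packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    if packet[9] != 6:
        raise ValueError("IP protocol is not TCP")
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length, honours IP options
    return packet[ihl + 13]               # TCP header offset 13 = flags byte

def flags_string(flags: int) -> str:
    """Render the flags byte the way tcpdump does, e.g. 0x18 -> 'P.'"""
    return "".join(letter for bit, letter in FLAG_LETTERS if flags & bit)

def _resolve(expr: str) -> int:
    """Turn 'tcp-syn|tcp-ack' or a numeric literal such as '0' into a bitmask."""
    mask = 0
    for tok in (t.strip() for t in expr.split("|")):
        mask |= TCP_FLAGS[tok] if tok in TCP_FLAGS else int(tok, 0)
    return mask

def matches(flags: int, mask: str, op: str, value: str) -> bool:
    """Evaluate the filter 'tcp[tcpflags] & MASK OP VALUE' (OP is '==' or '!=')."""
    lhs = flags & _resolve(mask)
    rhs = _resolve(value)
    return lhs == rhs if op == "==" else lhs != rhs

def build_ipv4_tcp(flags: int) -> bytes:
    """Constructed sample: minimal 20-byte IPv4 header + 20-byte TCP header (hypothetical helper)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                     bytes([192, 168, 1, 89]), bytes([54, 227, 95, 54]))
    tcp = struct.pack("!HHIIBBHHH", 37834, 443, 1, 1, 5 << 4, flags, 530, 0, 0)
    return ip + tcp

if __name__ == "__main__":
    for flags in (0x02, 0x12, 0x18, 0x10, 0x11, 0x04):
        f = tcp_flags_byte(build_ipv4_tcp(flags))
        print(f"Flags [{flags_string(f):4}] ack-filter={matches(f, 'tcp-ack', '!=', '0')} "
              f"syn-only={matches(f, 'tcp-syn|tcp-ack', '==', 'tcp-syn')}")
```

The SYN-only mask is the one to reach for when you want to see connection attempts without the replies, since "tcp-ack != 0" alone matches every segment after the handshake.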

14. Formatting

tcpdump can also change its output format: -X prints each packet as hex alongside an ASCII column, and -A prints the packet contents as ASCII.

# tcpdump -i any -c4 -X
tcpdump: data link type LINUX_SLL2
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
21:03:17.917658 wlp0s20f3 In IP ec2-18-211-133-65.compute-1.amazonaws.com.https > kkulkarni.attlocal.net.36676: Flags [P.], seq 493377705:493378516, ack 1627250260, win 14, options [nop,nop,TS val 885998040 ecr 2038075821], length 811
    0x0000: 456c 035f c3f4 4000 2f06 2a23 12d3 8541 El._..@./.*#...A
    0x0010: c0a8 0159 01bb 8f44 1d68 58a9 60fd de54 ...Y...D.hX.`..T
    0x0020: 8018 000e d2f8 0000 0101 080a 34cf 41d8 ............4.A.
    0x0030: 797a 91ad 1703 0303 2609 56db 0bfc cdbf yz......&.V.....
    0x0040: 2ab1 86eb 197c 2a34 f20f 58fa 9318 156e *....|*4..X....n
    0x0050: 2719 ba42 b498 b32c c9c3 69e1 7de3 6070 '..B...,..i.}.`p
    0x0060: a785 80f5 adee a501 6374 e5f9 61c3 2b6e ........ct..a.+n
    0x0070: edde e3ff 2abe 0198 226a 6729 f325 8f4a ....*..."jg).%.J
    0x0080: af0b d865 e44a e941 b03e fda7 501c 3de7 ...e.J.A.>..P.=.
    0x0090: 28d9 58f9 be3f 9cd8 64aa 8701 f45b a280 (.X..?..d....[..
    0x00a0: 9f19 ed22 9646 2f19 9f49 226a d55e 33bf ...".F/..I"j.^3.
    0x00b0: ed13 e2cb ef26 bc37 f4d8 0a6e 7534 e278 .....&.7...nu4.x
    0x00c0: e6b6 60b1 1abe 6457 efc6 eaf3 03ad 3b50 ..`...dW......;P
    0x00d0: e98f 2751 2680 f3c6 c562 3b81 437b be3d ..'Q&....b;.C{.=
    0x00e0: 9e36 0a8f 3cf2 3b5e 4569 7e4c 7c94 844c .6..<.;^Ei~L|..L
    0x00f0: 5925 614e b8b1 a79e 0abb 9818 ff29 1b08 Y%aN.........)..
    0x0100: 5e43 83fc 0049 5a08 a085 aec5 09fb 3277 ^C...IZ.......2w
    0x0110: c971 db88 4fc4 0d27 b418 1dfe 946e 3c83 .q..O..'.....n<.
    0x0120: d6f6 4ff1 9e7e 5c86 b4e6 e0e5 dd82 8827 ..O..~\........'
    0x0130: 6ba6 46d1 2374 a1af 412a 1687 24cc 0c04 k.F.#t..A*..$...
    0x0140: 2179 5293 67f4 14f0 b502 935a 86e5 f8bc !yR.g......Z....
    0x0150: 83be e285 941e 0bec d022 5cdb 2cc2 db13 ........."\.,...
    0x0160: a186 8ce0 300e 6893 a0f1 4906 7b67 7848 ....0.h...I.{gxH
    0x0170: cc28 286d 5ceb c468 17f1 4ed4 7a4e e88a .((m\..h..N.zN..
    0x0180: e71a 95b2 15c2 7a76 94da 1568 239e 5078 ......zv...h#.Px
    0x0190: d264 8b40 d2d3 ba9a 6818 9871 8875 3ad0 .d.@....h..q.u:.
    0x01a0: abac f776 0a22 b788 4acf 81ac 72d2 146c ...v."..J...r..l
    0x01b0: 2c12 bc52 de57 fa96 66d5 c6cd f9b6 c428 ,..R.W..f......(
    0x01c0: f7c8 f3ad 5b06 7da5 b7cf 15a7 7ac4 9760 ....[.}.....z..`
    0x01d0: 0e70 cf36 e4ed d3b3 0e18 3046 5e9f 1dee .p.6......0F^...
    0x01e0: 6277 c53b e38d ecf0 db89 7d19 32f2 1bed bw.;......}.2...
    0x01f0: 6bb3 0ab5 0cb6 6b77 a40e 7bf5 5de3 7d4b k.....kw..{.].}K
    0x0200: 0b96 474d 66f4 9589 39a4 d2ff 6c08 36aa ..GMf...9...l.6.
    0x0210: 3fe9 89f5 6603 9f61 16ce 8cb9 e9c6 8d67 ?...f..a.......g
    0x0220: 0b22 5ebc 39f3 50c2 cd70 08c3 01c6 2feb ."^.9.P..p..../.
    0x0230: dbdc ba44 e091 8a8d e5b2 82c7 23ad c496 ...D........#...
    0x0240: 7199 f3d1 34bf cff3 e51a 1d12 83ad 46ff q...4.........F.
    0x0250: e93c 0975 729e ed82 3461 73dc c2ca abc1 .<.ur...4as.....
    0x0260: 3e88 260d 1129 1777 2d0c 1a76 5234 123b >.&..).w-..vR4.;
    0x0270: cef3 ef26 b12d 1eeb 82c2 554f 2112 18e9 ...&.-....UO!...
    0x0280: ff14 a65d f7ae 2e53 8c9b 909c 9d32 4fab ...]...S.....2O.
    0x0290: 2fc1 9154 ea1e 2318 06da 0f8e 07f0 555e /..T..#.......U^
    0x02a0: 686b 9396 bfed 6771 d813 d32f f1ad 690e hk....gq.../..i.
    0x02b0: 22b6 ea49 df3f 68ee a78b bdc5 bcca c6ac "..I.?h.........
    0x02c0: 9c01 90fd 9c74 1a46 8981 dfe3 1492 9a2e .....t.F........
    0x02d0: 67bc b4c2 f65f 0422 4f9c 1fad 86d3 1a4d g...._."O......M
    0x02e0: c282 e510 88f9 dda8 9c0c c2c9 c114 59ab ..............Y.
    0x02f0: 92a9 9f22 6cd8 0176 fd2b 7ce6 57ed 6849 ..."l..v.+|.W.hI
    0x0300: 7214 c31a 49c1 46fe c980 01db 0fcb 5ddf r...I.F.......].
    0x0310: a8d6 0b4f ea6a 6fa3 d359 04fb bcfa 7fde ...O.jo..Y......
    0x0320: 6c6e 920a f40a fc41 7890 97af 2b5a 516c ln.....Ax...+ZQl
    0x0330: 7b9f 3dbd 17ed a472 0d87 9897 9570 0a49 {.=....r.....p.I
    0x0340: 84d6 b180 1c23 39f0 610b d6a8 a0ef 5e5c .....#9.a.....^\
    0x0350: fa24 d1ef 6343 4d8a 1242 3a9a b25e b3 .$..cCM..B:..^.
21:03:17.917688 wlp0s20f3 Out IP kkulkarni.attlocal.net.36676 > ec2-18-211-133-65.compute-1.amazonaws.com.https: Flags [.], ack 811, win 2033, options [nop,nop,TS val 2038075901 ecr 885998040], length 0
    0x0000: 4500 0034 eba9 4000 4006 f504 c0a8 0159 E..4..@.@......Y
    0x0010: 12d3 8541 8f44 01bb 60fd de54 1d68 5bd4 ...A.D..`..T.h[.
    0x0020: 8010 07f1 5a3c 0000 0101 080a 797a 91fd ....Z<......yz..
    0x0030: 34cf 41d8 4.A.
21:03:17.948052 wlp0s20f3 In IP ovpn-rdu2.redhat.com.https > kkulkarni.attlocal.net.49254: UDP, length 76
    0x0000: 4500 0068 68eb 4000 3211 f29c 42bb e840 E..hh.@.2...B..@
    0x0010: c0a8 0159 01bb c066 0054 36c8 4800 06ee ...Y...f.T6.H...
    0x0020: 0032 9be8 f4aa ee8b 7e67 daa5 f3d2 a602 .2......~g......
    0x0030: 67d0 8ca8 8c61 f4b2 12b2 47cd 6e96 661d g....a....G.n.f.
    0x0040: 57f1 59be bdfc a1a6 a589 cde5 f027 d6b0 W.Y..........'..
    0x0050: 1b57 72f9 348c 7735 03ca 8eb3 1dcd 8ef1 .Wr.4.w5........
    0x0060: c8bd aec5 8442 f2cb .....B..
21:03:17.948133 tun0 In IP 10.0.115.119.https > kkulkarni.33082: Flags [.], ack 4094910727, win 400, options [nop,nop,TS val 3391720680 ecr 1350874080], length 0
    0x0000: 4500 0034 6b11 4000 3606 db5f 0a00 7377 E..4k.@.6.._..sw
    0x0010: 0a0a 76d2 01bb 813a c602 1989 f413 6107 ..v....:......a.
    0x0020: 8010 0190 63c6 0000 0101 080a ca29 8ce8 ....c........)..
    0x0030: 5084 b3e0 P...
4 packets captured
328 packets received by filter
0 packets dropped by kernel

With the -A option, the packet contents are displayed as ASCII (non-printable bytes show as dots):

# tcpdump -i any -c4 -A
tcpdump: data link type LINUX_SLL2
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
21:03:21.363917 wlp0s20f3 Out IP6 kkulkarni > ff02::1:ff0e:bfb6: ICMP6, neighbor solicitation, who has kkulkarni, length 32
`.... :.........Q{AZq..w.................................r.pm.....`.b...
21:03:21.363953 lo In IP6 kkulkarni.45656 > kkulkarni.hostmon: Flags [S], seq 3428690149, win 65476, options [mss 65476,sackOK,TS val 1750938785 ecr 0,nop,wscale 7,tfo cookiereq,nop,nop], length 0
`....,...........r.pm............r.pm....X...]..................... h]4........."...
21:03:21.363972 lo In IP6 kkulkarni.hostmon > kkulkarni.45656: Flags [S.], seq 3072789718, ack 3428690150, win 65464, options [mss 65476,sackOK,TS val 1750938785 ecr 1750938785,nop,wscale 7], length 0
`....(...........r.pm............r.pm......X.'...]................. h]4.h]4.....
21:03:21.363988 lo In IP6 kkulkarni.45656 > kkulkarni.hostmon: Flags [.], ack 1, win 512, options [nop,nop,TS val 1750938785 ecr 1750938785], length 0
`.... ...........r.pm............r.pm....X...]...'.......w..... h]4.h]4.
4 packets captured
173 packets received by filter
0 packets dropped by kernel

15. Options for extra verbosity

As with many Linux programs, it's sometimes useful to have more verbose output. tcpdump accepts -v, -vv, or -vvv for increasing levels of verbosity. The examples below range from the default (no verbosity) to the third level.

Default verbosity:

# tcpdump -i any -c1
tcpdump: data link type LINUX_SLL2
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
21:06:00.903186 lo In IP kkulkarni.39876 > kkulkarni.hostmon: Flags [S], seq 1718143023, win 65495, options [mss 65495,sackOK,TS val 1879208671 ecr 0,nop,wscale 7,tfo cookiereq,nop,nop], length 0
1 packet captured
100 packets received by filter
0 packets dropped by kernel

Using the -v option:

# tcpdump -i any -c1 -v
tcpdump: data link type LINUX_SLL2
dropped privs to tcpdump
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
21:06:04.209638 lo In IP6 (flowlabel 0xd17f0, hlim 1, next-header TCP (6) payload length: 44) kkulkarni.33022 > kkulkarni.hostmon: Flags [S], cksum 0x0d5b (incorrect -> 0x6c92), seq 2003870985, win 65476, options [mss 65476,sackOK,TS val 3266653263 ecr 0,nop,wscale 7,tfo cookiereq,nop,nop], length 0
1 packet captured
20 packets received by filter
0 packets dropped by kernel

Here is the -vv option:

# tcpdump -i any -c1 -vv
tcpdump: data link type LINUX_SLL2
dropped privs to tcpdump
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
21:06:05.916423 tun0 Out IP (tos 0x0, ttl 64, id 22069, offset 0, flags [DF], proto TCP (6), length 1360) kkulkarni.37152 > 10.0.115.119.https: Flags [.], cksum 0xe218 (correct), seq 168413028:168414336, ack 944490821, win 502, options [nop,nop,TS val 1351042119 ecr 3391883323], length 1308
1 packet captured
235 packets received by filter
0 packets dropped by kernel

Finally, display the highest level of detail with the -vvv option:

# tcpdump -i any -c1 -vvv
tcpdump: data link type LINUX_SLL2
dropped privs to tcpdump
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
21:06:08.076276 wlp0s20f3 B ifindex 3 cc:ab:2c:60:a4:a8 (oui Unknown) ethertype Unknown (0x7373), length 127:
    0x0000: 1211 0000 0043 d3ea bdb4 5baf 9b3e 309c .....C....[..>0.
    0x0010: f09c 490e b239 17dc be94 cffa 6e3e 5756 ..I..9......n>WV
    0x0020: 9c35 702f fe49 0000 0201 8003 06cc ab2c .5p/.I.........,
    0x0030: 60a4 a104 0104 0701 071b 0100 0806 ccab `...............
    0x0040: 2c60 a4a8 0901 030e 1800 0000 0000 0000 ,`..............
    0x0050: 0000 0000 0000 0000 0000 0000 0000 0000 ................
    0x0060: 0019 087f 8d75 d5a4 8508 b3 .....u.....
1 packet captured
5 packets received by filter
0 packets dropped by kernel

16. Filter by protocol

You can use protocol names to filter packets for a particular protocol.

In this example, the command filters by UDP:

# tcpdump udp -i wlp0s20f3 -c2
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on wlp0s20f3, link-type EN10MB (Ethernet), snapshot length 262144 bytes
21:10:01.108588 IP kkulkarni.attlocal.net.49254 > ovpn-rdu2.redhat.com.https: UDP, length 108
21:10:01.178840 IP kkulkarni.attlocal.net.55267 > dsldevice.attlocal.net.domain: 55685+ PTR? 89.1.168.192.in-addr.arpa. (43)
2 packets captured
9 packets received by filter
0 packets dropped by kernel

In this case, the filter selects only TCP packets:

# tcpdump tcp -i wlp0s20f3 -c2
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on wlp0s20f3, link-type EN10MB (Ethernet), snapshot length 262144 bytes
21:10:05.614912 IP ec2-18-211-133-65.compute-1.amazonaws.com.https > kkulkarni.attlocal.net.36676: Flags [P.], seq 493594593:493594680, ack 1627254976, win 16, options [nop,nop,TS val 886099951 ecr 2038478733], length 87
21:10:05.615050 IP kkulkarni.attlocal.net.36676 > ec2-18-211-133-65.compute-1.amazonaws.com.https: Flags [.], ack 87, win 2033, options [nop,nop,TS val 2038483598 ecr 886099951], length 0
2 packets captured
2 packets received by filter
0 packets dropped by kernel

17. Low verbosity output

If you want the opposite of verbosity, use -q for quieter output: each packet is reduced to the protocol and its payload length.

# tcpdump tcp -i wlp0s20f3 -c2 -q
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on wlp0s20f3, link-type EN10MB (Ethernet), snapshot length 262144 bytes
21:10:54.022506 IP kkulkarni.attlocal.net.37762 > whatsapp-cdn-shv-02-atl3.fbcdn.net.https: tcp 39
21:10:54.070360 IP whatsapp-cdn-shv-02-atl3.fbcdn.net.https > kkulkarni.attlocal.net.37762: tcp 39
2 packets captured
3 packets received by filter
0 packets dropped by kernel

18. Timestamp options

Some of the common options for controlling how timestamps are printed are:

Remove timestamps

The -t option removes timestamps.

# tcpdump tcp -i wlp0s20f3 -c2 -t
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on wlp0s20f3, link-type EN10MB (Ethernet), snapshot length 262144 bytes
IP kkulkarni.attlocal.net.36748 > lga15s49-in-f14.1e100.net.https: Flags [P.], seq 1609781320:1609781672, ack 1533085267, win 2318, options [nop,nop,TS val 1144363923 ecr 1220239837], length 352
IP kkulkarni.attlocal.net.36748 > lga15s49-in-f14.1e100.net.https: Flags [P.], seq 352:530, ack 1, win 2318, options [nop,nop,TS val 1144363924 ecr 1220239837], length 178
2 packets captured
4 packets received by filter
0 packets dropped by kernel

Difference between consecutive packets

The -ttt option prints, for each packet, the time elapsed since the previous packet. This is useful for spotting spikes or slowdowns in the traffic.

# tcpdump tcp -i wlp0s20f3 -c2 -ttt
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on wlp0s20f3, link-type EN10MB (Ethernet), snapshot length 262144 bytes
00:00:00.000000 IP kkulkarni.attlocal.net.36676 > ec2-18-211-133-65.compute-1.amazonaws.com.https: Flags [P.], seq 1627256885:1627256944, ack 493640277, win 2033, options [nop,nop,TS val 2038675951 ecr 886146249], length 59
00:00:00.002185 IP kkulkarni.attlocal.net.36686 > ec2-18-211-133-65.compute-1.amazonaws.com.https: Flags [P.], seq 158675267:158675326, ack 3869427473, win 501, options [nop,nop,TS val 2038675953 ecr 242652703], length 59
2 packets captured
8 packets received by filter
0 packets dropped by kernel


Wrap up

Here in part three, you looked at filtering on TCP flags and on protocol, and at other tcpdump output features. One of the most useful topics covered is verbosity, which lets you control how much detail tcpdump prints for each packet. This is the final article in the series, so be sure you have read parts one and two.

Series conclusion