Network - tcpdump

> NetWork

1 - About

tcpdump is :

It prints out a description of the contents of packets on a network interface that match a boolean expression

3 - Management

3.1 - Write

tcpdump can always be interrupted by:

  • a SIGINT signal (generated, for example, by typing your interrupt character, typically control-C)
  • or a SIGTERM signal (typically generated with the kill(1) command)

It will by default run for ever.


  • -w flag to save the output to a packet file
  • -c to specify the number of packet to capture and stop

tcpdump has a log rotate functionality built-in.

Rotate Options:

  • -C file_size is the max file size in millions of bytes (1,000,000 bytes)
  • -G rotate_seconds
  • -W limit the number of files created to the specified number
  • -z postrotate-command - will make tcpdump run postrotate-command file

The first savefile will have the name specified with the -w flag, with a number after it, starting at 1 and continuing upward.


3.2 - Read

  • the -r flag read from a saved packet file rather than to read packets from a network interface.
  • -V flag read a list of saved packet files.

3.3 - Expression

For the expression syntax, see pcap-filter(7)

3.4 - Privileges

Reading packets from a network interface may require that you have special privileges

3.5 - Output

  • a time stamp, printed, by default, as hours, minutes, seconds, and fractions of a second since midnight.
  • a description

4 - Example

4.1 - Rotate

  • Max 10 file of 100 Mb
tcpdump -C 104.8576  -W 10 -i eth0 -s 0 -w /tmp/tcpdump.infa -Z userName 'host hostname and port 1433' &
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes

5 - Documentation / Reference