Tcpdump: Difference between revisions

No edit summary
 
(One intermediate revision by the same user not shown)
Line 2: Line 2:
* <tt>-n</tt> to disable (per-packet blocking) DNS lookups
* <tt>-n</tt> to disable (per-packet blocking) DNS lookups
* <tt>-s snaplen</tt> to capture more than the default snapshot length. 0 for no limit.
* <tt>-s snaplen</tt> to capture more than the default snapshot length. 0 for no limit.
* <tt>-e</tt> to show link-layer information
==Recipes==
==Recipes==
* Capture all arp: '''tcpdump arp'''
* Capture all arp: '''tcpdump arp'''
* Capture packets to or from a MAC address M: '''tcpdump "ether host M'''
* Capture packets to or from a MAC address M: '''tcpdump ether host M'''
==Gotchas==
* <tt>tcpdump</tt> will not function on a [[DPDK]] interface once a DPDK application has bound the interface
* A filter matching L4 fields (including [[TCP]]/[[UDP]] port) will not match any fragments save the first. Watch for <tt>[+]</tt> to indicate more fragments.
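
Review bot: the new fragment bullet under Gotchas tells readers to watch for <tt>[+]</tt> but does not say where in the output it appears or which option is needed to display it, and none of the options visible in this hunk (<tt>-n</tt>, <tt>-s</tt>, <tt>-e</tt>) covers that. Suggest naming the output field that carries <tt>[+]</tt>, and adding a Recipes entry for capturing the non-first fragments, since the bullet itself says a port filter will miss them and anyone relying on such a filter for monitoring will see only part of the traffic. The [[DPDK]] bullet would also be more useful if it said what the reader observes once the interface is bound (an error, or a capture with no packets). Minor: the two Gotchas bullets should agree on whether they end with a full stop.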