Tcpdump

From dankwiki
Revision as of 07:52, 8 January 2021 by Dank (talk | contribs)

Important flags

  • -n to disable DNS lookups (reverse resolution of each address blocks per packet and slows the capture)
  • -s snaplen to capture more than the default snapshot length, which truncates larger packets. 0 for no limit.
  • -e to show link-layer information

Recipes

  • Capture all arp: tcpdump arp
  • Capture packets to or from a MAC address M: tcpdump ether host M

Gotchas

  • tcpdump will not function on a DPDK interface once a DPDK application has bound the interface
  • A filter matching L4 fields (including TCP/UDP port) will not match any fragments save the first, because only the first fragment carries the transport header. Watch for [+] to indicate more fragments.
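The fragment gotcha above, worked through as an added example (not from the wiki page or from tcpdump itself): it builds a constructed UDP datagram split into two IPv4 fragments and emulates how a BPF port filter is evaluated, i.e. the transport ports are only compared when the fragment offset (ip[6:2] & 0x1fff) is zero. The filter expression udp port 53 or (ip[6:2] & 0x1fff) != 0 in the comments is the corresponding tcpdump syntax; the packet contents and addresses are constructed sample data.

```python
import struct

# Build a minimal 20-byte IPv4 header. flags is the 3-bit field [reserved, DF, MF],
# so flags=0b001 sets More Fragments; frag_offset is in 8-byte units.
def ipv4_header(total_len, ident, flags, frag_offset, proto, src, dst):
    ver_ihl = (4 << 4) | 5
    flags_frag = (flags << 13) | frag_offset
    return struct.pack("!BBHHHBBH4s4s",
                       ver_ihl, 0, total_len, ident, flags_frag, 64, proto, 0, src, dst)

# Constructed sample traffic (not a real capture): one UDP datagram to port 53 that
# exceeds a 1500-byte MTU and is sent as two fragments sharing IP ID 0x1234.
SRC = bytes([10, 0, 0, 1])
DST = bytes([10, 0, 0, 2])
UDP_HDR = struct.pack("!HHHH", 40000, 53, 8 + 1480, 0)  # sport, dport, length, checksum

# First fragment: offset 0, MF set, carries the UDP header plus 1472 payload bytes.
FRAG1 = ipv4_header(20 + 8 + 1472, 0x1234, 0b001, 0, 17, SRC, DST) + UDP_HDR + b"A" * 1472
# Second fragment: offset 185 (185 * 8 = 1480 bytes in), MF clear, no UDP header at all.
FRAG2 = ipv4_header(20 + 8, 0x1234, 0b000, 185, 17, SRC, DST) + b"B" * 8


def frag_field(pkt):
    """The 16-bit flags/fragment-offset word, i.e. what BPF reads as ip[6:2]."""
    return struct.unpack("!H", pkt[6:8])[0]


def fragment_offset(pkt):
    """ip[6:2] & 0x1fff: zero for unfragmented datagrams and first fragments only."""
    return frag_field(pkt) & 0x1fff


def more_fragments(pkt):
    """ip[6:2] & 0x2000: the MF bit that tcpdump renders as [+]."""
    return bool(frag_field(pkt) & 0x2000)


def udp_port_filter(pkt, port):
    """Emulates the BPF program compiled for 'udp port N': protocol must be UDP and
    the fragment offset must be zero before the ports are even looked at, so a
    trailing fragment can never match, whatever it carries."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 17 or fragment_offset(pkt) != 0:
        return False
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return port in (sport, dport)


def fragment_aware_filter(pkt, port):
    """Emulates 'udp port N or (ip[6:2] & 0x1fff) != 0': also keeps every
    non-first fragment, since the port cannot be recovered from those. This
    captures trailing fragments of *all* fragmented datagrams, not just this
    flow; reassembly (or matching on the IP ID) is needed to tie them together."""
    return udp_port_filter(pkt, port) or fragment_offset(pkt) != 0


def describe(pkt):
    """tcpdump-style summary of the fragment state for a quick eyeball check."""
    ident = struct.unpack("!H", pkt[4:6])[0]
    marker = "[+]" if more_fragments(pkt) else "[none]"
    return f"id {ident} offset {fragment_offset(pkt) * 8} flags {marker}"


if __name__ == "__main__":
    for name, pkt in (("FRAG1", FRAG1), ("FRAG2", FRAG2)):
        print(f"{name}: {describe(pkt)}; 'udp port 53' -> {udp_port_filter(pkt, 53)}; "
              f"fragment-aware -> {fragment_aware_filter(pkt, 53)}")
```

Running it shows the first fragment matching both filters and the second matching only the fragment-aware one; the same two expressions can be handed to tcpdump directly, with the caveat noted in the code that the extra clause admits trailing fragments of every fragmented datagram on the wire.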