tcpdump(8) - dump traffic on a network
-A     Print each packet (minus its link level header) in ASCII.  Handy for capturing web pages.
-b     Print the AS number in BGP packets in ASDOT notation rather than ASPLAIN notation.
-B     Set the operating system capture buffer size to buffer_size.
-c     Exit after receiving count packets.
-C     Before  writing  a  raw  packet  to  a  savefile,  check whether the file is currently larger than
       file_size and, if so, close the current savefile and open a new one.  Savefiles  after  the  first
       savefile  will have the name specified with the -w flag, with a number after it, starting at 1 and
       continuing upward.  The units of file_size are millions of bytes (1,000,000 bytes,  not  1,048,576
       bytes).
-d     Dump the compiled packet-matching code in a human readable form to standard output and stop.
-dd    Dump packet-matching code as a C program fragment.
-ddd   Dump packet-matching code as decimal numbers (preceded with a count).
-D     Print  the list of the network interfaces available on the system and on which tcpdump can capture
       packets.  For each network interface, a number and an interface name, possibly followed by a  text
       description of the interface, is printed.  The interface name or the number can be supplied to the
       -i flag to specify an interface on which to capture.

       This can be useful on systems that don't have a command to list them (e.g.,  Windows  systems,  or
       UNIX  systems  lacking  ifconfig  -a); the number can be useful on Windows 2000 and later systems,
       where the interface name is a somewhat complex string.

       The -D flag will not be supported if tcpdump was built with an older version of libpcap that lacks
       the pcap_findalldevs() function.
-e     Print the link-level header on each dump line.
-E     Use spi@ipaddr algo:secret for decrypting IPsec ESP packets that are addressed to addr and contain
       Security Parameter Index value spi. This  combination  may  be  repeated  with  comma  or  newline
       separation.
-f     Print  `foreign'  IPv4  addresses numerically rather than symbolically (this option is intended to
       get around serious brain damage in Sun's NIS server — usually it hangs  forever  translating  non-
       local internet numbers).

       The  test for `foreign' IPv4 addresses is done using the IPv4 address and netmask of the interface
       on which capture is being done.  If that address or netmask is not available, either
       because  the  interface  on  which  capture is being done has no address or netmask or because the
       capture is being done on the Linux "any" interface, which can capture on more than one  interface,
       this option will not work correctly.
-F     Use  file  as input for the filter expression.  An additional expression given on the command line
       is ignored.
-G     If specified, rotates the dump file specified with the -w  option  every  rotate_seconds  seconds.
       Savefiles  will  have  the  name  specified by -w which should include a time format as defined by
       strftime(3).  If no time format is specified, each new file will overwrite the previous.

       If used in conjunction with the -C option, filenames will take the form of `file<count>'.
-h     Print the tcpdump and libpcap version strings, print a usage message, and exit.
-H     Attempt to detect 802.11s draft mesh headers.
-i     Listen on interface.  If unspecified, tcpdump searches the system interface list  for  the  lowest
       numbered,  configured up interface (excluding loopback).  Ties are broken by choosing the earliest
       match.

       On Linux systems with 2.2 or later kernels, an interface  argument  of  ``any''  can  be  used  to
       capture packets from all interfaces.  Note that captures on the ``any'' device will not be done in
       promiscuous mode.

       If the -D flag is supported, an interface number as printed by  that  flag  can  be  used  as  the
       interface argument.
-I     Put  the  interface in "monitor mode"; this is supported only on IEEE 802.11 Wi-Fi interfaces, and
       supported only on some operating systems.

       Note that in monitor mode the  adapter  might  disassociate  from  the  network  with  which  it's
       associated,  so  that  you  will not be able to use any wireless networks with that adapter.  This
       could prevent accessing files on a network server, or resolving host names or  network  addresses,
       if  you  are  capturing  in  monitor  mode  and  are not connected to another network with another
       adapter.

       This flag will affect the output of the -L flag.  If -I isn't  specified,  only  those  link-layer
       types  available when not in monitor mode will be shown; if -I is specified, only those link-layer
       types available when in monitor mode will be shown.
-j     Set the time stamp type for the capture to tstamp_type.  The names to use for the time stamp types
       are given in pcap-tstamp-type(7); not all the types listed there will necessarily be valid for any
       given interface.
-J     List the supported time stamp types for the interface and exit.  If the time stamp type cannot  be
       set for the interface, no time stamp types are listed.
-K     Don't  attempt  to  verify  IP, TCP, or UDP checksums.  This is useful for interfaces that perform
       some or all of those checksum calculations in hardware; otherwise, all outgoing TCP checksums  will
       be flagged as bad.
-l     Make stdout line buffered.  Useful if you want to see the data while capturing it.  E.g.,
       ``tcpdump  -l  |  tee dat'' or ``tcpdump  -l   > dat  &  tail  -f  dat''.
-L     List  the  known  data link types for the interface, in the specified mode, and exit.  The list of
       known data link types may be dependent on the specified mode; for example, on  some  platforms,  a
       Wi-Fi interface might support one set of data link types when not in monitor mode (for example, it
       might support only fake Ethernet headers, or might support 802.11 headers but not  support  802.11
       headers  with  radio  information)  and  another  set of data link types when in monitor mode (for
       example, it might support 802.11 headers, or  802.11  headers  with  radio  information,  only  in
       monitor mode).
-m     Load  SMI  MIB module definitions from file module.  This option can be used several times to load
       several MIB modules into tcpdump.
-M     Use secret as a shared secret for validating the digests found in TCP segments  with  the  TCP-MD5
       option (RFC 2385), if present.
-n     Don't convert addresses (i.e., host addresses, port numbers, etc.) to names.
-N     Don't  print  domain  name  qualification of host names.  E.g., if you give this flag then tcpdump
       will print ``nic'' instead of ``nic.ddn.mil''.
-O     Do not run the packet-matching code optimizer.  This is useful only if you suspect a  bug  in  the
       optimizer.
-p     Don't  put  the  interface into promiscuous mode.  Note that the interface might be in promiscuous
       mode for some other reason; hence, `-p' cannot be used as an abbreviation for `ether host  {local-
       hw-addr} or ether broadcast'.
-q     Quick (quiet?) output.  Print less protocol information so output lines are shorter.
-R     Assume  ESP/AH  packets  to  be  based  on  old specification (RFC1825 to RFC1829).  If specified,
       tcpdump will not print replay prevention field.  Since there  is  no  protocol  version  field  in
       ESP/AH specification, tcpdump cannot deduce the version of ESP/AH protocol.
-r     Read  packets from file (which was created with the -w option).  Standard input is used if file is
       ``-''.
-S     Print absolute, rather than relative, TCP sequence numbers.
-s     Snarf snaplen bytes of data from each packet rather than the  default  of  65535  bytes.   Packets
       truncated because of a limited snapshot are indicated in the output with ``[|proto]'', where proto
       is the name of the protocol level at which the truncation has occurred.  Note that  taking  larger
       snapshots  both  increases  the  amount  of  time  it  takes  to process packets and, effectively,
       decreases the amount of packet buffering.  This may cause packets to be lost.   You  should  limit
       snaplen  to  the  smallest number that will capture the protocol information you're interested in.
       Setting snaplen to 0 sets it to the default of 65535,  for  backwards  compatibility  with  recent
       older versions of tcpdump.
-T     Force  packets  selected  by  "expression"  to be interpreted as the specified type.  Currently known
       types are aodv (Ad-hoc On-demand Distance Vector protocol), cnfp  (Cisco  NetFlow  protocol),  rpc
       (Remote  Procedure  Call),  rtp  (Real-Time  Applications  protocol), rtcp (Real-Time Applications
       control protocol),  snmp  (Simple  Network  Management  Protocol),  tftp  (Trivial  File  Transfer
       Protocol), vat (Visual Audio Tool), and wb (distributed White Board).
-t     Don't print a timestamp on each dump line.
-tt    Print an unformatted timestamp on each dump line.
-ttt   Print a delta (micro-second resolution) between current and previous line on each dump line.
-tttt  Print a timestamp in default format preceded by the date on each dump line.
-ttttt Print a delta (micro-second resolution) between current and first line on each dump line.
-u     Print undecoded NFS handles.
-U     Make output saved via the -w option ``packet-buffered''; i.e., as each packet is saved, it will be
       written to the output file, rather than being written only when the output buffer fills.

       The -U flag will not be supported if tcpdump was built with an older version of libpcap that lacks
       the pcap_dump_flush() function.
-v     When parsing and printing, produce (slightly more) verbose output.  For example, the time to live,
       identification, total length and options in an IP packet are  printed.   Also  enables  additional
       packet integrity checks such as verifying the IP and ICMP header checksum.

       When  writing  to  a  file  with  the  -w  option, report, every 10 seconds, the number of packets
       captured.
-vv    Even more verbose output.  For example, additional fields are printed from NFS reply packets,  and
       SMB packets are fully decoded.
-vvv   Even  more  verbose  output.   For example, telnet SB ... SE options are printed in full.  With -X
       Telnet options are printed in hex as well.
-w     Write the raw packets to file rather than parsing and  printing  them  out.   They  can  later  be
       printed with the -r option.  Standard output is used if file is ``-''.  See pcap-savefile(5) for a
       description of the file format.
-W     Used in conjunction with the -C option, this will  limit  the  number  of  files  created  to  the
       specified  number,  and  begin  overwriting  files  from the beginning, thus creating a 'rotating'
       buffer.  In addition, it will name the files with enough leading 0s to support the maximum  number
       of files, allowing them to sort correctly.

       Used  in conjunction with the -G option, this will limit the number of rotated dump files that get
       created, exiting with status 0 when reaching the limit. If used with -C as well, the behavior will
       result in cyclical files per timeslice.
-x     When  parsing  and printing, in addition to printing the headers of each packet, print the data of
       each packet (minus its link level header) in hex.  The smaller of the  entire  packet  or  snaplen
       bytes  will  be  printed.  Note that this is the entire link-layer packet, so for link layers that
       pad (e.g. Ethernet), the padding bytes will also be  printed  when  the  higher  layer  packet  is
       shorter than the required padding.
-xx    When  parsing  and printing, in addition to printing the headers of each packet, print the data of
       each packet, including its link level header, in hex.
-X     When parsing and printing, in addition to printing the headers of each packet, print the  data  of
       each  packet (minus its link level header) in hex and ASCII.  This is very handy for analysing new
       protocols.
-XX    When parsing and printing, in addition to printing the headers of each packet, print the  data  of
       each packet, including its link level header, in hex and ASCII.
-y     Set the data link type to use while capturing packets to datalinktype.
-z     Used  in  conjunction with the -C or -G options, this will make tcpdump run "command file" where
       file is the savefile being closed after each rotation. For example, specifying -z gzip or -z bzip2
       will compress each savefile using gzip or bzip2.

       Note  that  tcpdump  will run the command in parallel to the capture, using the lowest priority so
       that this doesn't disturb the capture process.

       And in case you would like to use a command that itself takes flags or  different  arguments,  you
       can  always  write  a shell script that will take the savefile name as the only argument, make the
       arrange the flags and arguments as needed and execute the command that you want.
-Z     If tcpdump is running as root, after opening the capture device  or  input  savefile,  but  before
       opening any savefiles for output, change the user ID to user and the group ID to the primary group
       of user.
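
A post-rotation handler of the kind described under -z, combined with the -C, -W and -Z options above. This is an added example, not part of the tcpdump manual or distribution. The script name, interface, user, directory and manifest file name are assumptions.

```shell
#!/bin/sh
# pcap-postrotate.sh (hypothetical name): handler for "tcpdump -z".
# tcpdump runs it as:  pcap-postrotate.sh <savefile>
#
# Example capture (eth0, user "pcap" and the paths are assumptions):
#   tcpdump -i eth0 -C 100 -W 10 -Z pcap \
#       -w /var/capture/ring.pcap -z /usr/local/sbin/pcap-postrotate.sh
# With -Z the savefiles are opened as "pcap", so /var/capture must be
# writable by that user.

# Hash the closed savefile, append the digest to a manifest beside it,
# then compress it with flags that a bare "-z gzip" cannot pass.
postrotate() {
    savefile=$1

    # Refuse anything that is not a regular, non-empty file.
    [ -f "$savefile" ] && [ -s "$savefile" ] || return 1

    dir=$(dirname -- "$savefile")
    manifest="$dir/MANIFEST.sha256"    # assumed manifest location

    # Record the digest of the raw capture before it is compressed.
    ( cd -- "$dir" && sha256sum -- "$(basename -- "$savefile")" ) \
        >> "$manifest" || return 1

    # -f: with -W the ring reuses file names, so an older .gz with the
    # same name must be replaced rather than making gzip give up.
    gzip -9 -f -- "$savefile" || return 1

    # Captures can contain credentials and payload data: owner-only.
    chmod 600 -- "$savefile.gz" "$manifest"
}

# Act only when called with a savefile argument, as tcpdump -z does.
if [ "$#" -ge 1 ]; then
    postrotate "$1"
fi
```

The manifest lets a later reader confirm that a decompressed savefile matches what tcpdump wrote at rotation time.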