TCPdump on EX Switches



Article ID: KB23313   KB Last Updated: 06 Aug 2020   Version: 2.0

This article describes how administrators can use the TCPdump utility, with filtering, to capture 'control plane' traffic on EX switches.

  • TCPdump is a very powerful command-line packet sniffer.
  • The utility shows the contents of the packets on a network interface that match a Boolean expression.
  • The TCPdump output shows the total number of packets received by the filter and the total number of packets dropped by the kernel, if any.
  • The default packet capture size is 96 bytes.


tcpdump [-abdeflnNOpqStUvxX] [-c count] [ -F file ]
                [ -i interface ] [ -r file ] [ -s snaplen ]
                [ -T type ] [ -w file ] [ expression ]
                [ -Jt resolve_tmo ]

TCPDUMP syntax:

Syntax:  Protocol | Direction | Host(s) | Value | Logical Operations | Other Expressions
Example: Tcp      | Dst       |         | 80    | And                | Tcp dst 8888


Protocol:
Values: ether, ip, arp, rarp, decnet, tcp, and udp. If no protocol is specified, all the protocols are used.

Direction:
Values: src, dst, src and dst, src or dst. If no source or destination is specified, the src or dst keyword is applied. For example, host is equivalent to src or dst host

Host(s):
Values: net, port, host, and portrange. If no host is specified, the host keyword is used. For example, src is equivalent to src host

Logical Operators:
  • Values: not (!), and (&&), or.
  • Negation ("not") has highest precedence.
  • Alternation ("or") and concatenation ("and") have equal precedence and associate left to right.
  • For example, not tcp port 3128 and tcp port 23.
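
The precedence rules above, worked through as an added example that is not part of the original article: a small Python evaluator for a subset of the filter syntax, run over constructed packets. The names `select` and `PACKETS` are hypothetical, the subset is limited to `[tcp|udp] [src|dst] port N` primitives, and it goes slightly beyond the text by supporting parentheses, which tcpdump accepts for grouping.

```python
import re

# Constructed sample packets (not captured traffic): (protocol, source port, destination port).
PACKETS = [("tcp", 40000, 23), ("tcp", 3128, 23), ("tcp", 40001, 80), ("udp", 40002, 53)]

def _primitive(tokens, pkt):
    """Consume '[tcp|udp] [src|dst] port N' or a bare 'tcp' / 'udp'."""
    proto, sport, dport = pkt
    want = tokens.pop(0) if tokens[:1] in (["tcp"], ["udp"]) else None
    direction = tokens.pop(0) if tokens[:1] in (["src"], ["dst"]) else None
    if tokens[:1] == ["port"] and len(tokens) > 1 and tokens[1].isdigit():
        port = int(tokens[1])
        del tokens[:2]
        ports = {"src": [sport], "dst": [dport]}.get(direction, [sport, dport])
        return want in (None, proto) and port in ports
    if direction or want is None:
        raise ValueError("primitive outside this example's subset")
    return want == proto

def _term(tokens, pkt):
    """'not' binds tightest; parentheses group a sub-expression."""
    head = tokens.pop(0) if tokens[:1] in (["not"], ["!"], ["("]) else None
    if head in ("not", "!"):
        return not _term(tokens, pkt)
    if head == "(":
        value = _expr(tokens, pkt)
        if not tokens or tokens.pop(0) != ")":
            raise ValueError("missing ')'")
        return value
    return _primitive(tokens, pkt)

def _expr(tokens, pkt):
    """'and' and 'or' share one precedence level and fold left to right."""
    value = _term(tokens, pkt)
    while tokens[:1] and tokens[0] in ("and", "&&", "or", "||"):
        op = tokens.pop(0)
        rhs = _term(tokens, pkt)  # always parse the right side, then combine
        value = (value and rhs) if op in ("and", "&&") else (value or rhs)
    return value

def select(filter_text, packets=PACKETS):
    """Indexes of the packets that the filter expression matches."""
    hits = []
    for i, pkt in enumerate(packets):
        tokens = re.findall(r"[()!]|&&|\|\||[a-z]+|\d+", filter_text.lower())
        if _expr(tokens, pkt):
            hits.append(i)
        if tokens:
            raise ValueError("unexpected token: " + tokens[0])
    return hits
```

With these packets, `tcp port 80 or udp and port 53` selects only the UDP port 53 packet, because it groups as `(tcp port 80 or udp) and port 53`. Writing `tcp port 80 or (udp and port 53)` also selects the TCP port 80 packet.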

TCPDUMP examples:

  • tcpdump: This displays the packets of all protocols, for any source or destination.
  • tcpdump -v: This provides the verbose output for all the protocols, for any source or destination.
  • tcpdump -vv: This provides the detailed output for all the protocols, for any source or destination.
  • tcpdump -i <interface name>: This will provide the output for a specific interface.
  • tcpdump -c <number of packets> (for example, tcpdump -c 20): tcpdump will stop after the required number of packets.
  • tcpdump -F <file-name> (for example, tcpdump -F arpcap, where the arpcap file contains the ARP keyword for capture): This will make tcpdump use the capture parameters from the specified file. You can also define the port number to capture in the file; for example, port 80.
  • tcpdump udp: This will capture the UDP traffic.
  • tcpdump port http: This will capture traffic for TCP port 80. The same form of filter can be used to capture traffic on other ports.
  • tcpdump -w capture.pcap: This will write the capture to a file instead of displaying it on the screen. This file can be opened in Wireshark.
  • tcpdump -r capture.log: This will allow the user to read the capture file with tcpdump. You can also use Wireshark or any other packet capture tool to read the file.
  • tcpdump src and dst and port ftp: This will display the FTP packets that are coming from the source to the destination.
  • tcpdump src net and dst net and port http: This will display the HTTP packets that are coming from the source network to the destination network.
  • tcpdump -s snaplen (for example, tcpdump -s 1500): This will define the length, in bytes, of the packet to capture. By default, tcpdump only captures the first 96 bytes.
  • tcpdump -T type (for example, tcpdump -T rpc): This will force packets that are selected by the expression to be interpreted as the specified type.
  • tcpdump -Jt <resolve timeout> (for example, tcpdump -Jt 2): This will define the address resolution timeout in seconds.
  • tcpdump -e: This will display the Layer 2 headers of the packet.
Modification History:
2020-08-06: Article reviewed for accuracy; no changes required.