TCPdump on EX Switches

  [KB23313]

This article describes how administrators can use the TCPdump utility, with filter expressions, to capture control-plane traffic on EX switches.
  • TCPdump is a very powerful command line interface packet sniffer.

  • This utility shows the contents of packets on a network interface that match the boolean expression given as a filter.

  • When it exits, TCPdump reports the total number of packets received by the filter and the total number of packets dropped by the kernel, if any.

  • The default packet capture size is 96 bytes.  

tcpdump [-abdeflnNOpqStUvxX] [-c count] [ -F file ]
                [ -i interface ] [ -r file ] [ -s snaplen ]
                [ -T type ] [ -w file ] [ expression ]
                [ -Jt resolve_tmo ]

TCPDUMP syntax:

Syntax    Protocol   Direction   Host(s)   Value   Logical Operations   Other Expressions
Example   tcp        dst                   80      and                  tcp dst 8888

Protocol values: ether, ip, arp, rarp, decnet, tcp, and udp. If no protocol is specified, all protocols are matched.

Direction values: src, dst, src and dst, src or dst. If no direction is specified, src or dst is assumed. For example, host is equivalent to src or dst host.

Host(s) values: net, port, host, and portrange. If none is specified, the host keyword is used. For example, src is equivalent to src host.

Logical Operators:

  • Values: not (!), and (&&), or (||).

  • Negation ("not") has highest precedence.

  • Alternation ("or") and concatenation ("and") have equal precedence and associate left to right.

  • For example, not tcp port 3128 and tcp port 23 is evaluated as (not tcp port 3128) and tcp port 23, because not binds before and.
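As an added example (not part of the KB article), the following Python script parses expressions built from the qualifiers in the table above with exactly the precedence rules just listed, renders them with the defaults filled in, and evaluates them against a few constructed packet summaries. The PACKETS list, the small SERVICES table and the dict layout are assumptions made for the example; tcpdump itself compiles such expressions into BPF and applies them in the kernel, which this script does not attempt.

```python
import ipaddress
import re

PROTOCOLS = {"ether", "ip", "arp", "rarp", "decnet", "tcp", "udp"}
TYPES = {"host", "net", "port", "portrange"}
KEYWORDS = {"and", "or", "not", "(", ")", None}
SERVICES = {"http": 80, "ftp": 21, "telnet": 23}   # constructed stand-in for /etc/services


def compile_filter(text):
    """Parse a filter into nested tuples: ('prim', proto, dir, type, value), ('not', x), (op, a, b)."""
    aliases = {"!": "not", "&&": "and", "||": "or"}           # C-style spellings of the operators
    toks = [aliases.get(t, t) for t in re.findall(r"\(|\)|&&|\|\||!|[^\s()!&|]+", text)]
    peek = lambda k=0: toks[k] if k < len(toks) else None
    def expr():                                    # expr := term (('and'|'or') term)*
        node = term()
        while peek() in ("and", "or"):             # equal precedence, associate left to right
            node = (toks.pop(0), node, term())
        return node
    def term():                                    # term := 'not' term | '(' expr ')' | primitive
        if peek() == "not":                        # negation binds tightest
            toks.pop(0)
            return ("not", term())
        if peek() == "(":
            toks.pop(0)
            node = expr()
            if not toks or toks.pop(0) != ")":
                raise ValueError("missing ')'")
            return node
        return primitive()
    def primitive():                               # [protocol] [direction] [type] [value]
        proto = toks.pop(0) if peek() in PROTOCOLS else None
        direction = None
        if peek() in ("src", "dst"):               # 'src and dst' / 'src or dst' is one qualifier
            n = 3 if peek(1) in ("and", "or") and peek(2) in ("src", "dst") else 1
            direction = " ".join(toks.pop(0) for _ in range(n))
        qtype = toks.pop(0) if peek() in TYPES else None
        value = toks.pop(0) if peek() not in KEYWORDS else None
        if value is None and (direction or qtype or proto is None):
            raise ValueError("incomplete primitive near %r" % peek())
        if value is not None:                      # the defaults the article describes
            qtype = qtype or "host"                # 'src X' means 'src host X'
            direction = direction or "src or dst"  # 'host X' means 'src or dst host X'
        return ("prim", proto, direction, qtype, value)
    node = expr()
    if toks:
        raise ValueError("unexpected token %r" % toks[0])
    return node


def to_string(node):
    """Render a parsed filter with defaults filled in and every operator parenthesised."""
    if node[0] == "prim":
        return " ".join(p for p in node[1:] if p is not None)
    if node[0] == "not":
        return "(not %s)" % to_string(node[1])
    return "(%s %s %s)" % (to_string(node[1]), node[0], to_string(node[2]))


def _field_ok(qtype, value, field):
    if field is None:                              # e.g. ARP carries no ports
        return False
    if qtype == "host":
        return field == value
    if qtype == "net":
        return ipaddress.ip_address(field) in ipaddress.ip_network(value, strict=False)
    if qtype == "port":
        return field == int(SERVICES.get(value, value))
    lo, hi = (int(x) for x in value.split("-"))    # portrange lo-hi
    return lo <= field <= hi


def matches(node, pkt):
    """Evaluate a parsed filter against one packet summary dict."""
    if node[0] == "not":
        return not matches(node[1], pkt)
    if node[0] in ("and", "or"):
        results = [matches(child, pkt) for child in node[1:]]
        return all(results) if node[0] == "and" else any(results)
    _, proto, direction, qtype, value = node
    proto_ok = proto in (None, "ether", pkt["proto"]) or (proto == "ip" and pkt["proto"] in ("tcp", "udp"))
    if not proto_ok:
        return False
    if value is None:                              # protocol-only primitive such as 'udp'
        return True
    keys = ("src", "dst") if qtype in ("host", "net") else ("sport", "dport")
    hit = {d: _field_ok(qtype, value, pkt.get(k)) for d, k in zip(("src", "dst"), keys)}
    if direction == "src and dst":
        return hit["src"] and hit["dst"]
    return (hit["src"] or hit["dst"]) if direction == "src or dst" else hit[direction]


# Constructed packet summaries standing in for traffic seen on the switch's Routing Engine.
PACKETS = [
    {"proto": "tcp", "src": "10.1.1.5", "dst": "192.0.2.10", "sport": 51022, "dport": 23},
    {"proto": "tcp", "src": "10.1.1.5", "dst": "192.0.2.10", "sport": 51023, "dport": 3128},
    {"proto": "udp", "src": "10.1.1.7", "dst": "192.0.2.53", "sport": 40000, "dport": 53},
    {"proto": "arp", "src": "10.1.1.1", "dst": "10.1.1.5"},
]


def select(text, packets=PACKETS):
    node = compile_filter(text)
    return [i for i, p in enumerate(packets) if matches(node, p)]
```

to_string(compile_filter("not tcp port 3128 and tcp port 23")) returns "((not tcp src or dst port 3128) and tcp src or dst port 23)", which shows both that not is applied to the first primitive only and that a bare port qualifier means src or dst port; select() with that expression keeps only the telnet packet, whereas "not (tcp port 3128 and tcp port 23)" keeps all four. When checking how a real expression was parsed, tcpdump -d <expression> on a standard tcpdump build prints the compiled filter, which is the authoritative answer.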

TCPDUMP examples:

  • tcpdump: Prints every packet on the default interface, for all protocols, with source and destination.

  • tcpdump -v: Same as above, with verbose output.

  • tcpdump -vv: Same as above, with more detailed output.

  • tcpdump -i <interface name>: Captures on the specified interface only.

  • tcpdump -c <number of packets> (for example, tcpdump -c 20): Stops after the specified number of packets has been captured.

  • tcpdump -F <file-name> (for example, tcpdump -F arpcap, where the arpcap file contains the keyword arp): Reads the filter expression from the specified file instead of the command line. The file can also name a port to capture; for example, port 80.

  • tcpdump udp: Captures UDP traffic only.

  • tcpdump port http: Captures traffic for TCP port 80. Substitute another port name or number to capture other ports.

  • tcpdump -w capture.pcap: Writes the captured packets to a file instead of printing them on the screen. The file can be opened in Wireshark.

  • tcpdump -r capture.log: Reads a capture file back with tcpdump. Wireshark or any other packet capture tool can also read such files.

  • tcpdump src <host> and dst <host> and port ftp: Displays FTP packets sent from the source host to the destination host.

  • tcpdump src net <network> and dst net <network> and port http: Displays HTTP packets sent from the source network to the destination network.

  • tcpdump -s <snaplen> (for example, tcpdump -s 1500): Sets the number of bytes captured from each packet. By default, tcpdump captures only the first 96 bytes.

  • tcpdump -T <type> (for example, tcpdump -T rpc): Forces packets selected by the expression to be interpreted as the specified type.

  • tcpdump -Jt <resolve timeout> (for example, tcpdump -Jt 2): Sets the address resolution timeout in seconds.

  • tcpdump -e: Prints the Layer 2 (link-level) header of each packet.
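Added example, not from the article: a Python script that writes a constructed Ethernet/IPv4/TCP frame to a classic libpcap file the way tcpdump -w does, honouring the -s snaplen, then reads it back the way tcpdump -r does and decodes the Layer 2 and Layer 3 fields that -e prints. The frame contents, the addresses (RFC 5737 documentation ranges), the MAC addresses and the file name are all constructed for the example, and checksums are left at zero because nothing validates them here. Its point is the effect of the 96-byte default: the record keeps only the first 42 bytes of the HTTP payload, so the Cookie header, and anything an investigation might need from it, is gone unless the capture was taken with a larger snaplen.

```python
import os
import struct
import tempfile

LINKTYPE_ETHERNET = 1
DEFAULT_SNAPLEN = 96            # the default the article states for tcpdump on EX


def build_frame(payload):
    """Constructed Ethernet/IPv4/TCP frame (documentation addresses, checksums left at zero)."""
    eth = bytes.fromhex("0a1b2c3d4e60") + bytes.fromhex("0a1b2c3d4e5f") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    tcp = struct.pack("!HHIIBBHHH", 51022, 80, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def write_pcap(path, frames, snaplen=DEFAULT_SNAPLEN):
    """Write frames as a classic libpcap file the way 'tcpdump -w' does, honouring -s snaplen."""
    with open(path, "wb") as fh:
        # magic, version 2.4, thiszone, sigfigs, snaplen, link type
        fh.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
        for ts_sec, ts_usec, frame in frames:
            data = frame[:snaplen]          # incl_len is capped; orig_len records the wire size
            fh.write(struct.pack("<IIII", ts_sec, ts_usec, len(data), len(frame)))
            fh.write(data)


def summarize(data):
    """Decode what 'tcpdump -e' would print from a (possibly truncated) Ethernet/IPv4/TCP record."""
    if len(data) < 54:                      # 14 (eth) + 20 (ip) + 20 (tcp), no options
        return None
    sport, dport = struct.unpack("!HH", data[34:38])
    return {
        "dst_mac": data[0:6].hex(":"), "src_mac": data[6:12].hex(":"),
        "src": ".".join(str(b) for b in data[26:30]), "dst": ".".join(str(b) for b in data[30:34]),
        "sport": sport, "dport": dport, "payload": data[54:],
    }


def read_pcap(path):
    """Read records back the way 'tcpdump -r' does; flag records shorter than their wire length."""
    records = []
    with open(path, "rb") as fh:
        magic, _, _, _, _, snaplen, _ = struct.unpack("<IHHiIII", fh.read(24))
        if magic != 0xA1B2C3D4:
            raise ValueError("not a little-endian classic pcap file")
        while True:
            hdr = fh.read(16)
            if len(hdr) < 16:
                break
            ts_sec, ts_usec, incl_len, orig_len = struct.unpack("<IIII", hdr)
            data = fh.read(incl_len)
            records.append({"ts": (ts_sec, ts_usec), "incl_len": incl_len, "orig_len": orig_len,
                            "truncated": incl_len < orig_len, "summary": summarize(data)})
    return snaplen, records


# Constructed HTTP request; the interesting header sits past the 96-byte mark.
PAYLOAD = (b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"
           b"Cookie: session=" + b"x" * 120 + b"\r\n\r\n")


def roundtrip(snaplen, payload=PAYLOAD):
    """Capture one constructed frame to a temporary file with the given snaplen and read it back."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "capture.pcap")
        write_pcap(path, [(1700000000, 0, build_frame(payload))], snaplen)
        _, records = read_pcap(path)
    return records[0]


if __name__ == "__main__":
    for snap in (DEFAULT_SNAPLEN, 1500):
        rec = roundtrip(snap)
        print("snaplen %4d: captured %3d of %3d bytes, truncated=%s, payload kept=%d bytes" % (
            snap, rec["incl_len"], rec["orig_len"], rec["truncated"], len(rec["summary"]["payload"])))
```

The truncated flag comes from comparing incl_len with orig_len in each record header, which is how a reader can tell after the fact that a capture was taken with too small a snaplen; with a snaplen below 54 bytes the script cannot even recover the TCP ports, which is the same failure a real analysis tool would show as a truncated-packet warning.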
