ubuntu:~$ sudo tcpdump -help
tcpdump version 4.1.1
libpcap version 1.1.1
Usage: tcpdump [-aAbdDefIKlLnNOpqRStuUvxX] [ -B size ] [ -c count ]
[ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
[ -i interface ] [ -M secret ] [ -r file ]
[ -s snaplen ] [ -T type ] [ -w file ] [ -W filecount ]
[ -y datalinktype ] [ -z command ] [ -Z user ]
[ expression ]
[-nn: don't convert protocols and ports to names (no name resolution)]
This would capture all port 514 traffic.
ubuntu:~$ sudo tcpdump -nn port 514
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
This would capture port 80 traffic on eth0.
ubuntu:~$ sudo tcpdump -nn -i eth0 port 80
This would capture all traffic except destination port 514.
ubuntu:~$ sudo tcpdump -nn not dst port 514
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
Use ifconfig to list the interfaces and choose one for -i.
ubuntu:~$ ifconfig
eth0 Link encap:Ethernet HWaddr 00:0c:46:21:8D:63
inet addr:10.11.11.10 Bcast:10.255.255.255 Mask:255.255.255.0
inet6 addr: fec0:abc:abc:10:20c:39ff:fe36:5c31/64 Scope:Site
inet6 addr: fe80::20c:29ff:fe56:5c51/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:18490879 errors:0 dropped:0 overruns:0 frame:0
TX packets:64215 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2942908215 (2.9 GB) TX bytes:4558941 (4.5 MB)
Interrupt:19 Base address:0x2000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.255.255.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:8 errors:0 dropped:0 overruns:0 frame:0
TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:480 (480.0 B) TX bytes:480 (480.0 B)
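Putting the two halves of these notes together, here is an added example (not from the original notes): a POSIX sh script that picks the capture interface from classic ifconfig output and assembles a syslog (port 514) capture command from the flags in the usage above (-G rotation and -Z to drop root after the interface is opened). The ifconfig text, the output directory and the unprivileged user "nobody" are constructed assumptions.

```shell
#!/bin/sh
# Added example, not part of the original notes.

# Constructed sample modelled on the ifconfig output shown above
# (eth1 is deliberately not UP so it must be skipped).
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:0c:46:21:8d:63
          inet addr:10.11.11.10  Bcast:10.255.255.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth1      Link encap:Ethernet  HWaddr 00:0c:46:21:8d:64
          BROADCAST MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
'

# Read ifconfig-style text on stdin and print the first interface that is
# UP, RUNNING, has an IPv4 address and is not the loopback device.
pick_iface() {
  awk '
    /^[^ \t]/        { iface = $1; up = 0; run = 0; ip = ""; lo = 0 }
    /Local Loopback/ { lo = 1 }
    /inet addr:/     { split($2, a, ":"); ip = a[2] }
    /^[ \t]+UP /     { up = 1 }
    / RUNNING/       { run = 1 }
    iface != "" && up && run && ip != "" && !lo { print iface; exit }
  '
}

# Build (but do not run) the capture command line:
#   -nn      no name resolution, so the sniffing host makes no DNS lookups
#   -s 0     full packets (default snaplen, no truncation)
#   -G/-w    start a new timestamped file every 3600 seconds
#   -Z nobody drop root privileges once the interface is open
build_capture_cmd() {
  iface=$1; outdir=$2
  printf 'tcpdump -nn -i %s -s 0 -G 3600 -w %s/syslog-%%Y%%m%%d%%H%%M.pcap -Z nobody udp port 514\n' \
    "$iface" "$outdir"
}

# Stand-alone run: show the command that would be used for the sample host.
IFACE=$(printf '%s' "$SAMPLE_IFCONFIG" | pick_iface)
build_capture_cmd "$IFACE" /var/tmp/pcap
```

The printed command still needs sudo and an existing, writable output directory; replace the sample text with `ifconfig | pick_iface` on a live host.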