Specify network interfaces

The "-D/--list-interfaces" option shows the available network interfaces:

    # tcpdump -D
    1.enp0s3 [Up, Running]
    2.lo [Up, Running, Loopback]
    3.any (Pseudo-device that captures on all interfaces) [Up, Running]
    4.nflog (Linux netfilter log (NFLOG) interface) [none]
    5.nfqueue (Linux netfilter queue (NFQUEUE) interface) [none]

The "-i/--interface" option specifies the interface to listen on. If it is not given, the interface with the lowest index, excluding loopback, is picked (i.e., enp0s3). To capture traffic on all interfaces, use "any" as the interface name:

    # tcpdump -i any
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
    ......
    17:08:43.333868 IP 192.168.35.211.ssh > 10.217.133.165.49880: Flags [P.], seq 54874791:54874899, ack 1667749708, win 317, length 108
    17:08:43.333962 IP 192.168.35.211.ssh > 10.217.133.165.49880: Flags [P.], seq 108:144, ack 1, win 317, length 36
    17:08:43.334044 IP 192.168.35.211.ssh > 10.217.133.165.49880: Flags [P.], seq 144:260, ack 1, win 317, length 116
    17:08:43.334125 IP 192.168.35.211.ssh > 10.217.133.165.49880: Flags [P.], seq 260:296, ack 1, win 317, length 36

Or use the index instead:

    # tcpdump -i 3
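The index printed by -D depends on the host's interface list, so a capture script is more predictable when it resolves the index to a name first. The following is an added example, not part of the original page: the helper names (sample_list, iface_by_index, default_iface) are hypothetical, the sample input is the listing above plus one constructed VLAN-style entry, and the "Up" requirement in default_iface follows the tcpdump man page rather than this page.

```shell
#!/bin/sh
# Added example: resolve interfaces from `tcpdump -D` output (hypothetical helpers).

# Constructed sample: the listing above plus one made-up VLAN-style entry (6).
sample_list() {
cat <<'EOF'
1.enp0s3 [Up, Running]
2.lo [Up, Running, Loopback]
3.any (Pseudo-device that captures on all interfaces) [Up, Running]
4.nflog (Linux netfilter log (NFLOG) interface) [none]
5.nfqueue (Linux netfilter queue (NFQUEUE) interface) [none]
6.enp0s3.100 [Up, Running]
EOF
}

# Print the interface name for index $1; exit status 1 if the index is absent.
iface_by_index() {
    awk -v want="$1" '
    {
        dot = index($1, ".")      # split at the FIRST dot: names may contain dots
        if (dot && substr($1, 1, dot - 1) == want) {
            print substr($1, dot + 1); found = 1; exit
        }
    }
    END { exit !found }'
}

# Print the interface picked when -i is omitted: the first listed entry
# (lowest index) that is flagged Up and is not Loopback.
# Lines without a trailing [flags] group are skipped.
default_iface() {
    awk '
    {
        n = split($0, part, /\[/)  # flags are the last [...] group on the line
        flags = part[n]
        if (n < 2 || !index(flags, "Up") || index(flags, "Loopback")) next
        dot = index($1, ".")
        if (dot == 0) next
        print substr($1, dot + 1); found = 1; exit
    }
    END { exit !found }'
}

# On a live host: tcpdump -D | iface_by_index 3   or   tcpdump -D | default_iface
sample_list | default_iface
```
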