The format of tcpdump command

Tcpdump‘s format is like following: 

  1. # tcpdump [options] [expression]

Tcpdump only captures packets whose content satisfy expression (the format of expression is defined here). E.g., dump all HTTP protocol packets: 

  1. # tcpdump port 80
  2. 14:59:05.989545 IP 192.168.35.211.53160 > 172.217.194.138.http: Flags [S], seq 3145761683, win 29200, options [mss 1460,sackOK,TS val 4055365378 ecr 0,nop,wscale 7], length 0
  3. 14:59:05.994196 IP 172.217.194.138.http > 192.168.35.211.53160: Flags [S.], seq 1475154793, ack 3145761684, win 62392, options [mss 1430,sackOK,TS val 3581048241 ecr 4055365378,nop,wscale 8], length 0
  4. 14:59:05.994235 IP 192.168.35.211.53160 > 172.217.194.138.http: Flags [.], ack 1, win 229, options [nop,nop,TS val 4055365383 ecr 3581048241], length 0
  5. ......
  6. ^C
  7. 32 packets captured
  8. 36 packets received by filter
  9. 4 packets dropped by kernel

For every packet, the format is timestamp since midnight followed by packet information. In previous example, the first packet is an IP protocol message: protocol, source address, destination address and TCP SYN parameters: 

  1. ......
  2. 14:59:05.989545 IP 192.168.35.211.53160 > 172.217.194.138.http: Flags [S], seq 3145761683, win 29200, options [mss 1460,sackOK,TS val 4055365378 ecr 0,nop,wscale 7], length 0
  3. ......

After inputting “Ctrl+C“ to terminate the tcpdump process, it also showed statistics of packets: 

  1. ......
  2. 32 packets captured
  3. 36 packets received by filter
  4. 4 packets dropped by kernel

This info is printed by info function: 

  1. static void
  2. info(int verbose)
  3. {
  4.     struct pcap_stat stats;
  6.     /*
  7.      * Older versions of libpcap didn't set ps_ifdrop on some
  8.      * platforms; initialize it to 0 to handle that.
  9.      */
  10.     stats.ps_ifdrop = 0;
  11.     if (pcap_stats(pd, &stats) < 0) {
  12.         (void)fprintf(stderr, "pcap_stats: %s\n", pcap_geterr(pd));
  13.         infoprint = 0;
  14.         return;
  15.     }
  17.     if (!verbose)
  18.         fprintf(stderr, "%s: ", program_name);
  20.     (void)fprintf(stderr, "%u packet%s captured", packets_captured,
  21.         PLURAL_SUFFIX(packets_captured));
  22.     if (!verbose)
  23.         fputs(", ", stderr);
  24.     else
  25.         putc('\n', stderr);
  26.     (void)fprintf(stderr, "%u packet%s received by filter", stats.ps_recv,
  27.         PLURAL_SUFFIX(stats.ps_recv));
  28.     if (!verbose)
  29.         fputs(", ", stderr);
  30.     else
  31.         putc('\n', stderr);
  32.     (void)fprintf(stderr, "%u packet%s dropped by kernel", stats.ps_drop,
  33.         PLURAL_SUFFIX(stats.ps_drop));
  34.     if (stats.ps_ifdrop != 0) {
  35.         if (!verbose)
  36.             fputs(", ", stderr);
  37.         else
  38.             putc('\n', stderr);
  39.         (void)fprintf(stderr, "%u packet%s dropped by interface\n",
  40.             stats.ps_ifdrop, PLURAL_SUFFIX(stats.ps_ifdrop));
  41.     } else
  42.         putc('\n', stderr);
  43.     infoprint = 0;
  44. }

“packets captured” records the packets received and processed by tcpdump. There are also “packets received by filter”, “packets dropped by kernel” and “packets dropped by interface” statistics. These items are fetched through pcap_stats API and depend on the underlying Operating System, so I would not elaborate them here.