TCPDUMP expressions

tcpdump filter expressions use the pcap-filter syntax, which libpcap compiles into BPF (Berkeley Packet Filter) programs; for that reason they are commonly just called BPF filters. On a tcpdump command line, put the whole expression inside single quotes (UNIX) or double quotes (Windows) so that characters such as !, &&, ||, parentheses and > reach tcpdump instead of being interpreted by the shell.

Expressions

tcpdump host profl
dumps all packets to or from host profl
tcpdump ether host 11:22:33:44:55:66
dumps all packets to or from that MAC address
tcpdump net 192.168.12.4/30
dumps all packets to or from a network, specified using CIDR notation
tcpdump net 192.168.12.4 mask 255.255.255.252
dumps all packets to or from a network, specified using a mask
tcpdump tcp src port 53
dumps all packets with source port 53/tcp (use udp src port 53 for DNS over UDP, or just src port 53 for both)
tcpdump host {thisIP}
Show only IP traffic to or from thisIP
tcpdump host {thisIP} && host {thatIP}
Show only IP traffic between thisIP and thatIP
tcpdump !(host {myIP}) && {remainder of expression}
Ignore traffic to or from myIP (useful when running tcpdump on a remote machine, to stop it from capturing your own terminal session). Excluding the whole host also drops any other traffic to it; a narrower form is not (host {myIP} and port 22), which excludes only the SSH session. Either way the expression must be quoted, since ! and the parentheses are shell metacharacters.

Primitives

icmp[0] = 0
icmp[icmptype] = icmp-echoreply
Show only echo reply (ICMP type 0). Note that a bare icmp[0] is true whenever the type byte is non-zero, so it would show everything except echo replies.
tcp[13] & 3 != 0
tcp[tcpflags] & (tcp-syn | tcp-fin) != 0
show only SYN or FIN packets
tcp[13] = 0x12
tcp[tcpflags] = (tcp-syn | tcp-ack)
show only SYN/ACK packets (exactly those two flags; use tcp[13] & 0x12 = 0x12 to also accept SYN/ACK with other flags set). Beware that tcp[13] & 0x12 != 0 matches any segment with SYN or ACK set, i.e. almost all TCP traffic, and that (tcp-syn & tcp-ack) evaluates to 0, so a filter built on it matches nothing.
tcp[tcpflags] & (tcp-syn | tcp-fin | tcp-rst) != 0
show SYN, FIN, and RST packets
ip[2:2] > 576
show only IP packets whose total length (the 16-bit field at offset 2 of the IP header) is greater than 576 bytes
icmp[0] = 3 and icmp[1] = 4
Show ICMP type 3, code 4 (Needs fragmenting but DF bit set)
ip[6] & 0x40 = 0x40
Show only IP packets with DF bit set
vlan && ip
Show only IEEE 802.1q IP packets. Changes the decoding offsets for the remainder of the expression, as if the VLAN header had been stripped away.
vlan 186 && ip
Show only IP packets in IEEE 802.1q VLAN number 186.
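
The byte-offset primitives above (tcp[13], ip[6], ip[2:2]) and the offset shift caused by vlan are easy to get subtly wrong, so here is an added example that is not part of the original cheat sheet: a small Python script that builds a few Ethernet/IPv4/TCP frames (constructed sample data, not captured traffic, with zeroed checksums) and evaluates the page's filters against them the way libpcap indexes the headers. The frame builder, the field accessors and the FILTERS table are this example's own helpers, not tcpdump code. It shows three things the table alone does not: tcp[13] still hits the flags byte when the IP header carries options, tcp[13] & 0x12 != 0 also passes plain ACK segments, and indexing a tagged frame without accounting for the 802.1Q header reads the wrong byte.

```python
"""Added example: evaluate tcpdump byte-offset primitives (ip[6], ip[2:2], tcp[13], vlan)
against hand-built frames, indexing the headers the same way libpcap does."""
import struct

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def build_frame(tcp_flags, payload=b"", df=True, ip_options=b"", vlan_id=None):
    """Constructed Ethernet/IPv4/TCP frame (sample data, not a real capture).
    Checksums stay zero; none of the filters below look at them."""
    assert len(ip_options) % 4 == 0, "IP options must be padded to 32-bit words"
    ihl = 5 + len(ip_options) // 4                      # IP header length in 32-bit words
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, tcp_flags, 65535, 0, 0)
    total_len = ihl * 4 + len(tcp_hdr) + len(payload)
    frag_field = 0x4000 if df else 0                    # DF is bit 0x40 of IP header byte 6
    ip_hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0x1234,
                         frag_field, 64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if vlan_id is not None:                             # insert an 802.1Q tag (PCP/DEI = 0)
        eth += b"\x81\x00" + struct.pack("!H", vlan_id & 0x0FFF)
    eth += b"\x08\x00"                                  # EtherType IPv4
    return eth + ip_hdr + ip_options + tcp_hdr + payload


def is_tagged(frame):
    return frame[12:14] == b"\x81\x00"


def l3_offset(frame):
    """Start of the IPv4 header: 14 on plain Ethernet, 18 behind an 802.1Q tag.
    This is the offset shift the 'vlan' keyword applies to the rest of the expression."""
    return 18 if is_tagged(frame) else 14


def vlan_id(frame):
    """VLAN ID from the 802.1Q TCI, or None when the frame is untagged."""
    return int.from_bytes(frame[14:16], "big") & 0x0FFF if is_tagged(frame) else None


def ip_field(frame, offset, size=1):
    """tcpdump ip[offset:size], relative to the IPv4 header."""
    start = l3_offset(frame) + offset
    return int.from_bytes(frame[start:start + size], "big")


def tcp_field(frame, offset, size=1):
    """tcpdump tcp[offset:size]: libpcap skips the IP header using IHL, so IP options
    do not move the flags byte away from tcp[13]."""
    l3 = l3_offset(frame)
    start = l3 + (frame[l3] & 0x0F) * 4 + offset
    return int.from_bytes(frame[start:start + size], "big")


def naive_ip_field(frame, offset, size=1):
    """What ip[offset] reads when a tagged frame is indexed as if it were untagged."""
    return int.from_bytes(frame[14 + offset:14 + offset + size], "big")


# Each entry: the filter as typed on the tcpdump command line, and what it really means.
FILTERS = {
    "tcp[13] & 3 != 0":      lambda f: tcp_field(f, 13) & 0x03 != 0,     # SYN or FIN set
    "tcp[13] & 0x12 != 0":   lambda f: tcp_field(f, 13) & 0x12 != 0,     # SYN or ACK: every ACK matches
    "tcp[13] & 0x12 = 0x12": lambda f: tcp_field(f, 13) & 0x12 == 0x12,  # SYN and ACK both set
    "tcp[13] = 0x12":        lambda f: tcp_field(f, 13) == 0x12,         # exactly SYN/ACK, nothing else
    "ip[6] & 0x40 = 0x40":   lambda f: ip_field(f, 6) & 0x40 == 0x40,    # DF bit
    "ip[2:2] > 576":         lambda f: ip_field(f, 2, 2) > 576,          # IP total length
    "vlan 186":              lambda f: vlan_id(f) == 186,
}


def matching_filters(frame):
    """Names of the filters above that would pass this frame, sorted for stable output."""
    return sorted(name for name, pred in FILTERS.items() if pred(frame))


# Constructed sample frames (not captured traffic).
SAMPLES = {
    "syn":          build_frame(TCP_SYN),
    "syn_ack":      build_frame(TCP_SYN | TCP_ACK),
    "ack":          build_frame(TCP_ACK),
    "fin_ack":      build_frame(TCP_FIN | TCP_ACK),
    "syn_ack_opts": build_frame(TCP_SYN | TCP_ACK, ip_options=b"\x01\x01\x01\x01"),  # IHL = 6
    "big_ack_nodf": build_frame(TCP_ACK, payload=b"A" * 1000, df=False),
    "syn_vlan186":  build_frame(TCP_SYN, vlan_id=186),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(f"{name:13s} tcp[13]=0x{tcp_field(frame, 13):02x}  matches: {matching_filters(frame)}")
```

Running the script prints, per sample frame, the flags byte and which of the listed filters accept it; the "ack" frame passing tcp[13] & 0x12 != 0 while failing tcp[13] = 0x12, and naive_ip_field landing on the IP total-length byte for the tagged frame, are the two pitfalls worth keeping in mind when writing these filters by hand.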

Assorted

ip proto 50
Show only ESP packets (IP protocol 50)
ip proto 112
show only VRRP packets (IP protocol 112)
proto vrrp
all VRRP packets (works on IPSO)