How to make tcpdump display IP and port number but not hostname and protocol
Solution 1
Add -n to your tcpdump command line.
From the tcpdump manpage:
-n Don't convert addresses (i.e., host addresses, port numbers, etc.) to names.
It should also be noted that on Fedora (and perhaps other derivatives: RHEL, CentOS, etc.) they have patched the original tcpdump version to include a separate option -nn to remove port numbers. From the manpage:
-n Don't convert host addresses to names. This can be used to
avoid DNS lookups.
-nn Don't convert protocol and port numbers etc. to names either.
Solution 2
I use the -nn parameter.
-nn: Don't resolve hostnames or port names.
Run it as:
tcpdump -nn
Solution 3
-n works only for hostnames, but doesn't work for port numbers. -nn does the trick for both. This is running tcpdump version 4.5.1 on Fedora 20 GNU/Linux. The downvoted answer of @ATMc is the only correct one. I sadly can neither upvote it nor write a comment below it because of low karma.
Solution 4
I think the best approach is:
sudo tcpdump -ni any
Steps to test:
Open a console and type:
sudo nc -l -p 6666
Open another console and type:
sudo tcpdump -ni any
If the output is too verbose you can filter it out (| grep -Ev "pattern1|pattern2"; the -E is needed for | to act as alternation).
Open a third console and type:
telnet localhost 6666
Expected output:
10:37:13.770997 IP 127.0.0.1.56920 > 127.0.0.1.443: Flags [S], seq 2822288041, win 43690, options [mss 65495,sackOK,TS val 1028779 ecr 0,nop,wscale 7], length 0
If you use sudo tcpdump -i any you will see something like this:
10:38:22.106022 IP localhost.56924 > localhost.https: Flags [S], seq 3147104744, win 43690, options [mss 65495,sackOK,TS val 1045863 ecr 0,nop,wscale 7], length 0
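A small parser for the tcpdump output lines quoted in these answers, added here as an example and not taken from any answer or from tcpdump itself. It splits each endpoint into host and port, works for both the numeric (-nn) form and the name-resolved form, and flags lines where tcpdump printed names, so a script consuming a capture can tell it was taken without -nn rather than silently mis-parsing "https" or "dnp" as a port. Assumptions: only IPv4 "IP" lines are handled (no "IP6" or ARP), and the sample lines are constructed from the output shown on this page.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Shape of an IPv4 line as tcpdump prints it (IPv6 "IP6" lines are not covered here).
LINE_RE = re.compile(r"^(?:(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+)?IP\s+(?P<src>\S+)\s+>\s+(?P<dst>[^:\s]+):\s*(?P<rest>.*)$")

@dataclass
class Endpoint:
    host: str
    port: str
    resolved: bool  # True when tcpdump printed a hostname or service name instead of numbers

@dataclass
class Packet:
    ts: Optional[str]
    src: Endpoint
    dst: Endpoint
    flags: Optional[str]

def split_endpoint(token: str) -> Endpoint:
    # tcpdump joins host and port with a dot, so the port is whatever follows the last dot.
    host, _, port = token.rpartition(".")
    try:
        ipaddress.ip_address(host)
        numeric_host = True
    except ValueError:
        numeric_host = False
    return Endpoint(host, port, not (numeric_host and port.isdigit()))

def parse_line(line: str) -> Optional[Packet]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # not an IP packet line (e.g. ARP, or the "listening on" banner)
    flags = re.search(r"Flags \[([^\]]*)\]", m["rest"])
    return Packet(m["ts"], split_endpoint(m["src"]), split_endpoint(m["dst"]),
                  flags.group(1) if flags else None)

def lines_needing_nn(lines: List[str]) -> List[int]:
    """Indices of lines where names were printed, i.e. the capture ran without -nn."""
    return [i for i, l in enumerate(lines)
            if (p := parse_line(l)) and (p.src.resolved or p.dst.resolved)]

# Constructed sample: the three output lines quoted on this page (options fields shortened).
SAMPLE = [
    "10:37:13.770997 IP 127.0.0.1.56920 > 127.0.0.1.443: Flags [S], seq 2822288041, win 43690, length 0",
    "10:38:22.106022 IP localhost.56924 > localhost.https: Flags [S], seq 3147104744, win 43690, length 0",
    "IP pl1snu.koren.kr.http > kitch.pl.sophia.inria.fr.dnp: Flags [P.], seq 54:72, ack 1, win 5792, length 18",
]
```

Running lines_needing_nn(SAMPLE) returns [1, 2]: the first line came from a -n/-nn capture, the other two did not.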
misteryes, updated on September 18, 2022
Comments
- misteryes, over 1 year: I'm using tcpdump for some tests. I want to see the IP and port number, but the output of tcpdump is like
IP pl1snu.koren.kr.http > kitch.pl.sophia.inria.fr.dnp: Flags [P.], seq 54:72, ack 1, win 5792, length 18
It only shows the hostname and the protocol. For http it is easy to know it is 80, but for dnp I have to search. So is it possible to make tcpdump display the IP and port number but not the hostname and protocol? If so, how? Thanks.
- misteryes, about 11 years: port number is still converted to protocol name using -n
- Admin, over 10 years: "port number is still converted to protocol name using -n" Not with, for example, the tcpdump 4.1.1 that comes with OS X Mountain Lion or with tcpdump built from the top of the tcpdump.org Git trunk. On what version of tcpdump are you seeing -n not suppress the conversion of port numbers to protocol names?
- kfirba, over 10 years: That's the same as the other answer - the -i any isn't necessary if you want to suppress address/port-to-name conversion, it's just the -n that matters.
- Pierre.Vriens, over 5 years: I do not get it
- Scott - Слава Україні, over 5 years: While the question says “display ip and port number but not hostname and protocol”, I doubt that it means “display ip and port number but not any of the other information”. (I could be wrong, but nobody else seems to have interpreted the question the way you did.) So your answer seems to boil down to two parts: (1) use -nn to display services like “http” and “dnp” as a port number instead of a name (which has been presented in three previous answers), and (2) use awk to throw away data on packet contents (which is probably not desired).
- CodeVomit, about 4 years: However it's exactly what I want.