How to make tcpdump display IP and port number but not hostname and protocol


Solution 1

Add -n to your tcpdump command line.

From the tcpdump manpage:

-n Don't convert addresses (i.e., host addresses, port numbers, etc.) to names.

It should also be noted that on Fedora (and perhaps other derivatives: RHEL, CentOS, etc.) they have patched the original tcpdump version to include a separate option -nn to remove port numbers. From the manpage:

-n     Don't convert host addresses to names. This can be used to avoid DNS lookups.

-nn    Don't convert protocol and port numbers etc. to names either.

Solution 2

I use the -nn parameter.

-nn: Don’t resolve hostnames or port names.

Run it as:

tcpdump -nn

Solution 3

-n works only for hostnames, but doesn't work for port numbers. -nn does the trick for both. This is running tcpdump version 4.5.1 on Fedora 20 GNU/Linux. The downvoted answer of @ATMc is the only correct one. I sadly can neither upvote it nor write a comment below it because of low karma.

Solution 4

I think the best approach is:

sudo tcpdump -ni any

Steps to test:

  1. Open a console and type:

    sudo nc -l -p 6666

  2. Open another console and type:

    sudo tcpdump -ni any

    If the output is too verbose you can filter it out (| grep -Ev "pattern1|pattern2")

  3. Open a third console and type:

    telnet localhost 6666

Expected output:

10:37:13.770997 IP 127.0.0.1.56920 > 127.0.0.1.443: Flags [S], seq 2822288041, win 43690, options [mss 65495,sackOK,TS val 1028779 ecr 0,nop,wscale 7], length 0

If you use sudo tcpdump -i any you will see something like this:

10:38:22.106022 IP localhost.56924 > localhost.https: Flags [S], seq 3147104744, win 43690, options [mss 65495,sackOK,TS val 1045863 ecr 0,nop,wscale 7], length 0
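The two output shapes above (numeric with -n/-nn, name-resolved without) matter when tcpdump lines are fed into a script or a detection pipeline. The following parser is an added example, not code from the question or any answer: it accepts both shapes, splits host and port on the last dot (hostnames contain dots, so nothing earlier is a safe separator), and maps a service name such as "https" or "dnp" back to a number through the local services database, which is exactly the lookup the asker wanted to avoid. The sample lines are constructed from the lines quoted on this page, and FALLBACK_SERVICES is a hypothetical table used only when the local database lacks a name. Recording which names could not be mapped tells you which captures need to be redone with -nn; the manpage text quoted in Solution 1 is also the reason a capture host taken without -n emits reverse DNS traffic of its own while it runs.

```python
import re
import socket
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines (not a live capture): the first is the -nn form, the
# other two are the name-resolved form tcpdump prints by default.
SAMPLE_LINES = [
    "10:37:13.770997 IP 127.0.0.1.56920 > 127.0.0.1.443: Flags [S], seq 2822288041, win 43690, length 0",
    "10:38:22.106022 IP localhost.56924 > localhost.https: Flags [S], seq 3147104744, win 43690, length 0",
    "IP pl1snu.koren.kr.http > kitch.pl.sophia.inria.fr.dnp: Flags [P.], seq 54:72, ack 1, win 5792, length 18",
]

# Hypothetical fallback table, consulted only when the service name is not in
# the local services database (/etc/services). An assumption of this example.
FALLBACK_SERVICES = {"http": 80, "https": 443, "ssh": 22, "domain": 53}

# Matches the "<ts> IP <src> > <dst>: Flags [<flags>]" prefix. The timestamp is
# optional because the question's sample line was pasted without one.
LINE_RE = re.compile(
    r"^(?:(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+)?IP6?\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+Flags\s+\[(?P<flags>[^\]]*)\]"
)


@dataclass
class Endpoint:
    host: str            # IP address (with -n/-nn) or the resolved hostname
    port_text: str       # exactly what tcpdump printed after the last dot
    port: Optional[int]  # numeric port, or None if the name could not be mapped
    from_name: bool      # True when a service name had to be looked up


@dataclass
class Record:
    timestamp: Optional[str]
    src: Endpoint
    dst: Endpoint
    flags: str


def resolve_service(name: str, proto: str = "tcp") -> Optional[int]:
    """Map a service name back to a port number (the reverse of what tcpdump did)."""
    try:
        return socket.getservbyname(name, proto)
    except OSError:
        return FALLBACK_SERVICES.get(name)


def split_endpoint(text: str) -> Endpoint:
    # tcpdump joins host and port with a dot; hostnames and IPv4 addresses
    # contain dots too, so only the last dot is a reliable separator.
    host, _, port_text = text.rpartition(".")
    if port_text.isdigit():
        return Endpoint(host, port_text, int(port_text), False)
    return Endpoint(host, port_text, resolve_service(port_text), True)


def parse_line(line: str) -> Optional[Record]:
    m = LINE_RE.match(line)
    if not m:
        return None
    return Record(m.group("ts"), split_endpoint(m.group("src")),
                  split_endpoint(m.group("dst")), m.group("flags"))


def parse_lines(lines: List[str]) -> List[Record]:
    return [r for r in (parse_line(ln) for ln in lines) if r is not None]


def unresolved_names(records: List[Record]) -> List[str]:
    """Service names that could not be mapped to a number. Any such record came
    from a capture taken without -nn and is ambiguous for later analysis."""
    names: List[str] = []
    for r in records:
        for ep in (r.src, r.dst):
            if ep.from_name and ep.port is None and ep.port_text not in names:
                names.append(ep.port_text)
    return names


if __name__ == "__main__":
    records = parse_lines(SAMPLE_LINES)
    for rec in records:
        print(f"{rec.src.host}:{rec.src.port} -> {rec.dst.host}:{rec.dst.port} [{rec.flags}]")
    print("unresolved service names:", unresolved_names(records))
```

Whether "dnp" resolves depends on the services database of the machine running the script, which is the point: a capture taken with -nn carries the port number itself and needs no such database to read back.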


Author: misteryes

Updated on September 18, 2022

Comments

  • misteryes over 1 year

    I'm using tcpdump for some tests. I want to see the IP and port number, but the output of tcpdump is like:

    IP pl1snu.koren.kr.http > kitch.pl.sophia.inria.fr.dnp: Flags [P.], seq 54:72, ack 1, win 5792, length 18

    It only shows the hostname and the protocol. For http, it is easy to know it is 80, but for dnp I have to search.

    So is it possible to make tcpdump display IP and port number but not hostname and protocol? If so, how? Thanks.

  • misteryes about 11 years
    port number is still converted to protocol name using -n
  • Admin over 10 years
    "port number is still converted to protocol name using -n" Not with, for example, the tcpdump 4.1.1 that comes with OS X Mountain Lion or with tcpdump built from the top of the tcpdump.org Git trunk. On what version of tcpdump are you seeing -n not suppress the conversion of port numbers to protocol names?
  • kfirba over 10 years
    That's the same as the other answer - the -i any isn't necessary if you want to suppress address/port-to-name conversion, it's just the -n that matters.
  • Pierre.Vriens over 5 years
    I do not get it.
  • Scott - Слава Україні over 5 years
    While the question says “display ip and port number but not hostname and protocol”, I doubt that it means “display ip and port number but not any of the other information”. (I could be wrong, but nobody else seems to have interpreted the question the way you did.) So your answer seems to boil down to two parts: (1) use -nn to display services like “http” and “dnp” as a port number instead of a name (which has been presented in three previous answers), and (2) use awk to throw away data on packet contents (which is probably not desired).
  • CodeVomit about 4 years
    However it's exactly what I want.