Tuesday, 6 September 2011

TCPDUMP: How to capture a full packet

This request generally comes up when one of the IDSs has flagged suspicious network activity and the engineer wants to see the entire packet:

tcpdump -nnvvXSs 1514 -i eth0
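
To confirm that a saved capture really holds whole packets, the snaplen and the per-packet lengths can be read back from the file. The following is an added example, not part of the original post: it parses the classic pcap layout (not pcapng) and lists records where fewer bytes were saved than were on the wire. The function names and the sample capture are constructed for illustration, and the 1514 figure assumes untagged Ethernet with a 1500-byte MTU.

```python
import struct

# Classic pcap magic numbers (microsecond and nanosecond timestamp variants).
MAGICS = {0xA1B2C3D4, 0xA1B23C4D}

def find_truncated(pcap_bytes):
    """Return (snaplen, [(index, captured_len, wire_len), ...]) for a classic pcap.

    A record is truncated when fewer bytes were saved (incl_len) than were
    on the wire (orig_len), i.e. the snaplen given with -s was too small.
    """
    if len(pcap_bytes) < 24:
        raise ValueError("too short for a pcap global header")
    # The magic number tells us which byte order the writer used.
    for endian in ("<", ">"):
        if struct.unpack(endian + "I", pcap_bytes[:4])[0] in MAGICS:
            break
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    snaplen = struct.unpack(endian + "I", pcap_bytes[16:20])[0]
    truncated, offset, index = [], 24, 0
    while offset + 16 <= len(pcap_bytes):
        _sec, _frac, incl_len, orig_len = struct.unpack(
            endian + "IIII", pcap_bytes[offset:offset + 16])
        if offset + 16 + incl_len > len(pcap_bytes):
            raise ValueError(f"record {index} runs past end of file")
        if incl_len < orig_len:
            truncated.append((index, incl_len, orig_len))
        offset += 16 + incl_len
        index += 1
    return snaplen, truncated

def build_pcap(snaplen, wire_lengths):
    """Build a constructed little-endian Ethernet pcap of zero-filled frames."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for n in wire_lengths:
        kept = min(n, snaplen)  # what a capture with this snaplen would save
        out += struct.pack("<IIII", 0, 0, kept, n) + bytes(kept)
    return out

# Constructed sample: a 60-byte frame and a full 1514-byte frame
# (1500-byte MTU payload + 14-byte Ethernet header, an assumption).
SAMPLE_LENGTHS = [60, 1514]

if __name__ == "__main__":
    for snap in (68, 1514):
        print(snap, find_truncated(build_pcap(snap, SAMPLE_LENGTHS)))
```

An empty list for a capture taken with -s 1514 means every frame in the file was saved in full.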


  1. Thanks for this post. Could you please explain the (-nnvvXSs 1514) terms?

  2. Hey - sure thing:
    nn = don't resolve host names or port names
    vv = verbosity level (can be v, vv, or vvv)
    X = Payload. Shows the packet's contents in both ASCII and HEX. If you need the Ethernet header, use XX instead of just X
    S = prints absolute sequence numbers
    s = allows you to set snaplen (in this case 1514) so we capture the whole packet.

    Thanks for reading!