
I'm using tcpdump for some tests. I want to see the IP and port number, but the output of tcpdump looks like:

IP pl1snu.koren.kr.http > kitch.pl.sophia.inria.fr.dnp: Flags [P.], seq 54:72, ack 1, win 5792, length 18

It only shows the hostname and the protocol. For http it is easy to know it is 80, but for dnp I have to search.

So is it possible to make tcpdump display the IP and port number but not the hostname and protocol? If so, how? Thanks.

misteryes

5 Answers


Add -n to your tcpdump command line.

From the tcpdump manpage:

-n Don't convert addresses (i.e., host addresses, port numbers, etc.) to names.

It should also be noted that on Fedora (and perhaps other derivatives: RHEL, CentOS, etc.) they have patched the original tcpdump version to include a separate option -nn to remove port numbers. From the manpage:

-n     Don't convert host addresses to names. This can be used to avoid DNS lookups.

-nn    Don't convert protocol and port numbers etc. to names either.
heavyd

I use the -nn parameter.

-nn: Don’t resolve hostnames or port names.

Run it as:

tcpdump -nn
Jens Erat
ATMc

-n works only for hostnames but doesn't work for port numbers. -nn does the trick for both. This is running tcpdump version 4.5.1 on Fedora 20 GNU/Linux. The downvoted answer of @ATMc is the only correct one. Sadly I can neither upvote it nor write a comment below it because of low karma.


I think the best approach is:

sudo tcpdump -ni any

Steps to test:

  1. Open a console and type:

    sudo nc -l -p 6666
    
  2. Open another console and type:

    sudo tcpdump -ni any
    

    If the output is too verbose you can filter it out (| grep -Ev "pattern1|pattern2")

  3. Open a third console and type:

    telnet localhost 6666
    

Expected output:

10:37:13.770997 IP 127.0.0.1.56920 > 127.0.0.1.443: Flags [S], seq 2822288041, win 43690, options [mss 65495,sackOK,TS val 1028779 ecr 0,nop,wscale 7], length 0

If you use sudo tcpdump -i any you will see something like this:

10:38:22.106022 IP localhost.56924 > localhost.https: Flags [S], seq 3147104744, win 43690, options [mss 65495,sackOK,TS val 1045863 ecr 0,nop,wscale 7], length 0
Stefan Seidel
Javier
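The answer above shows the raw -n vs. -nn lines. As an added example that is not part of any answer on this page, the following POSIX shell script takes tcpdump lines on stdin and prints source address, source port, destination address and destination port as four columns, with or without the leading timestamp, for both IP and IP6 lines. The two sample lines and the function names (endpoints, parse_sample_nn, parse_sample_n) are constructed for this example; the only real command is the tcpdump invocation in the final comment.

```shell
#!/bin/sh
# Added example (not from the answers above): parse the "src > dst" fields out
# of tcpdump output so a script gets address and port as separate columns.
# Works on lines with or without the leading timestamp, for IP and IP6 lines.

endpoints() {
  # Reads tcpdump lines on stdin; prints: srcaddr srcport dstaddr dstport
  awk '
    {
      # locate the "IP" / "IP6" token; the two endpoints follow it
      for (i = 1; i <= NF; i++) if ($i == "IP" || $i == "IP6") break
      if (i + 3 > NF) next
      src = $(i + 1); dst = $(i + 3)
      sub(/:$/, "", dst)                 # drop the trailing colon on the destination
      sp = src; sub(/.*\./, "", sp)      # port (or service name) is after the last dot
      dp = dst; sub(/.*\./, "", dp)
      sa = substr(src, 1, length(src) - length(sp) - 1)
      da = substr(dst, 1, length(dst) - length(dp) - 1)
      print sa, sp, da, dp
    }'
}

# Constructed sample lines (not a real capture): one as printed by tcpdump -nn
# and one as printed by tcpdump -n. With -n alone the service name ("https")
# still lands in the port column, which is exactly the problem in the question.
SAMPLE_NN='10:37:13.770997 IP 127.0.0.1.56920 > 127.0.0.1.443: Flags [S], seq 2822288041, win 43690, length 0'
SAMPLE_N='IP localhost.56924 > localhost.https: Flags [S], seq 3147104744, win 43690, length 0'

parse_sample_nn() { printf '%s\n' "$SAMPLE_NN" | endpoints; }
parse_sample_n()  { printf '%s\n' "$SAMPLE_N"  | endpoints; }

parse_sample_nn   # 127.0.0.1 56920 127.0.0.1 443
parse_sample_n    # localhost 56924 localhost https

# Live use (needs root and a real interface). -l line-buffers stdout so the
# pipe receives each line as the packet arrives instead of in block-sized chunks:
#   sudo tcpdump -nn -l -i any 'tcp port 6666' | endpoints
```

The parser splits on the last dot because tcpdump separates the port from the address with a dot; IPv6 addresses contain colons but no dots, so the same rule works for IP6 lines. Without -nn the last component is a service name, so feed it -nn output if you want numeric ports.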
tcpdump -i eth0 -p -nn -l | grep "IP" | awk '{print $3, $4, $5}' | sed 's/://'
anon