A qualifier indicating whether to match source or destination information. Accepted values are src, dst, src or dst, and src and dst. When not specified, the expression will match either source or destination traffic.

A qualifier restricting matches to a particular kind of packet. Accepted values are: ether, fddi, tr, wlan, ip, ip6, arp, rarp, decnet, tcp, and udp. If not specified, the match defaults to any appropriate protocol matching type.

A qualifier indicating what kind of thing the ID or name references, such as a part of a hostname (host), IP address (net) or port (port). When not specified, the match defaults to host.

Print packets in ASCII text.

Exit after receiving n packets.

When saving to a file, do not write files larger than n million bytes. Open a new file with the same basename appended by a number. Start with the number 1.

Compile and dump the packet-matching code for the given expression, then exit. Use the second form to dump it as a C programming fragment. Use the third form to dump the code in decimal.

Print a list of the available interfaces, then exit.

Print the link-level header on each line.

Read expression from the specified file.

Listen on the specified interface. If not specified, tcpdump will listen on the lowest-numbered interface available, other than the loopback interface. Use any to listen to all available interfaces.

Line buffer standard out.

Print the data link types for an interface, then exit.

Print IP addresses instead of converting them to hostnames. Use the second form to leave protocols and port numbers in numeric form, as well.

Print hostnames instead of fully qualified domain names.

Abbreviate output, printing less protocol information.

Read packets from the specified file. (You can create such a file with the -w option.)

Read n bytes of data from each packet. (The default is 68.)

Print absolute TCP sequence numbers.

Read n bytes of data from each packet. (The default is 68.)

Change display of timestamp. Use the first form to omit the timestamp from each line. Use the second form to print an unformatted timestamp. Use the third form to print the time in seconds between the current and the previous dump line. The final form prints the date before the timestamp on each dump line.

Print undecoded NFS handles.

Increase the verbosity of the printout. Each additional v increases the detail of the information printed.

Write the raw packet information to file without parsing or printing it. Specify - to write to standard output.

Print packets in hex. Use the second form to print the packet's link level header in hex as well.

Print packets in hex and ASCII text. Use the second form to print the packet's link level header in hex and ASCII as well.

Drop root privileges and change to the specified user. Use the primary group of the specified user.