Without an explicitly identified interface, tcpdump defaults to the lowest numbered interface. The -p option says that the interface should not be put into promiscuous mode. This option would, in
theory, limit capture to the normal traffic on the interface—traffic to or from the host, multicast traffic, and broadcast traffic. In practice, the interface might be in promiscuous mode for some other reason.
In this event, -p will not turn promiscuous mode off.
Finally, -s controls the amount of data captured. Normally, tcpdump defaults to some maximum byte count and will only capture up to that number of bytes from individual packets. The actual number of
bytes depends on the pseudodevice driver used by the operating system. The default is selected to capture appropriate headers, but not to collect packet data unnecessarily. By limiting the number of
bytes collected, privacy can be improved. Limiting the number of bytes collected also decreases processing and buffering requirements.
If you need to collect more data, the -s option can be used to specify the number of bytes to collect. If you are dropping packets and can get by with fewer bytes, -s can be used to decrease the number of
bytes collected. The following command will collect the entire packet if its length is less than or equal to 200 bytes:
bsd1# tcpdump -s200
Longer packets will be truncated to 200 bytes. If you are capturing files using the -w option, you should be aware that the number of bytes collected
will be what is specified by the -s option at the time of capture. The -s option does not apply to files read back with the -r option. Whatever you captured is what you have. If it was too few bytes, then
you will have to recapture the data.
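Because the snaplen is frozen into the file at capture time, the practical check before relying on a saved capture is to ask the file itself what -s was in effect and how many records were cut short. The following Python script is an added example, not code from the book: it builds a constructed pcap file as tcpdump -s200 -w would have written it (zero-filled frames, made-up lengths) and then walks the file, reading the snaplen from the global header and comparing each record's captured length with its original length. Both pcap byte orders and the nanosecond-resolution magic are handled.

```python
import struct

# Classic pcap magic numbers as they appear when read with "<I": microsecond and
# nanosecond resolution, each in the byte order the writing host used.
LE_MAGICS = {0xA1B2C3D4, 0xA1B23C4D}
BE_MAGICS = {0xD4C3B2A1, 0x4D3CB2A1}


def build_pcap(snaplen, orig_lens, endian="<"):
    """Construct a pcap file the way tcpdump -w writes one with the given snaplen.

    Frames are zero-filled; only their original lengths matter here. This is
    constructed test data, not a capture from the text.
    """
    header = struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    records = []
    for i, orig_len in enumerate(orig_lens):
        incl_len = min(orig_len, snaplen)  # what -s left in the file
        records.append(struct.pack(endian + "IIII", 934303014 + i, 0, incl_len, orig_len))
        records.append(b"\x00" * incl_len)
    return header + b"".join(records)


def truncation_report(data):
    """Return the file's snaplen and how many records lost bytes to it."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic in LE_MAGICS:
        endian = "<"
    elif magic in BE_MAGICS:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (magic 0x%08x)" % magic)
    snaplen = struct.unpack_from(endian + "IHHiIII", data, 0)[5]

    offset, packets, truncated, missing = 24, 0, 0, 0
    while offset + 16 <= len(data):
        _sec, _frac, incl_len, orig_len = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        if offset + incl_len > len(data):
            raise ValueError("record at offset %d runs past end of file" % (offset - 16))
        offset += incl_len
        packets += 1
        if incl_len < orig_len:  # the -s limit cut this frame short
            truncated += 1
            missing += orig_len - incl_len
    return {"snaplen": snaplen, "packets": packets,
            "truncated": truncated, "missing_bytes": missing}


# Constructed sample: four frames captured with -s200; two were longer than 200 bytes.
SAMPLE_PCAP = build_pcap(200, [98, 1514, 200, 576])

if __name__ == "__main__":
    print(truncation_report(SAMPLE_PCAP))
```

A report showing truncated records tells you the missing bytes are gone for good; as the text says, the only remedy is to recapture with a larger -s.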
5.4.2.2 Controlling how information is displayed
The -a, -n, -N, and -f options determine how address information is displayed. The -a option attempts to convert network addresses into names, the -n option prevents the conversion of addresses into names,
the -N option prevents domain name qualification (only the host part of a name is printed), and the -f option prevents remote name resolution (foreign addresses are printed numerically). In the following, the remote site www.cisco.com (192.31.7.130) is pinged from sloan.lander.edu
(205.153.63.30) without an option, with -a, with -n, with -N, and with -f, respectively. The options -c1 host 192.31.7.130 restrict capture to one packet to or from the host 192.31.7.130.
bsd1# tcpdump -c1 host 192.31.7.130
tcpdump: listening on xl0
14:16:35.897342 sloan.lander.edu > cio-sys.cisco.com: icmp: echo request
bsd1# tcpdump -c1 -a host 192.31.7.130
tcpdump: listening on xl0
14:16:14.567917 sloan.lander.edu > cio-sys.cisco.com: icmp: echo request
bsd1# tcpdump -c1 -n host 192.31.7.130
tcpdump: listening on xl0
14:17:09.737597 205.153.63.30 > 192.31.7.130: icmp: echo request
bsd1# tcpdump -c1 -N host 192.31.7.130
tcpdump: listening on xl0
14:17:28.891045 sloan > cio-sys: icmp: echo request
bsd1# tcpdump -c1 -f host 192.31.7.130
tcpdump: listening on xl0
14:17:49.274907 sloan.lander.edu > 192.31.7.130: icmp: echo request
Clearly, the -a option is the default.
Suppressing name resolution with -n eliminates that overhead and produces terser output. If the network is broken, you may not be able to reach your name server and will find yourself waiting through long delays while
name resolution times out. Finally, if you are running tcpdump interactively, the lookups tcpdump itself issues create more traffic that will have to be filtered out of the capture, and on a segment you do not trust they also announce which addresses the monitoring host is interested in.
The -t and -tt options control the printing of timestamps. The -t option suppresses the display of the timestamp while -tt produces unformatted timestamps. The following shows the output for the same
packet using tcpdump without an option, with the -t option, and with the -tt option, respectively:
12:36:54.772066 sloan.lander.edu.1174 > 205.153.63.238.telnet: . ack 3259091394 win 8647 (DF)
sloan.lander.edu.1174 > 205.153.63.238.telnet: . ack 3259091394 win 8647 (DF)
934303014.772066 sloan.lander.edu.1174 > 205.153.63.238.telnet: . ack 3259091394 win 8647 (DF)
The -t option produces a more terse output while the -tt output can simplify subsequent processing, particularly if you are writing scripts to process the data.
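The difference between the two timestamp styles matters as soon as a script computes time between packets. The following Python script is an added example, not code from the book: it parses constructed lines in the default hh:mm:ss.uuuuuu format and in the -tt epoch format (the lines are made up to straddle midnight; they are not the packets shown above) and computes the gaps between consecutive packets from each. The default format has no date, so a negative gap has to be patched up by assuming exactly one midnight rollover, and a capture that really spans a day cannot be told from one that spans a fraction of a second; the -tt value is an absolute time and needs no such guesswork.

```python
import re

# Constructed lines in the default and -tt timestamp styles, written to cross
# midnight. They are example data, not captured packets from the text.
DEFAULT_LINES = [
    "23:59:59.900000 sloan.lander.edu.1174 > 205.153.63.238.telnet: . ack 3259091394 win 8647 (DF)",
    "00:00:00.100000 205.153.63.238.telnet > sloan.lander.edu.1174: . ack 1 win 8760 (DF)",
    "00:00:01.100000 sloan.lander.edu.1174 > 205.153.63.238.telnet: P 1:2(1) ack 1 win 8647 (DF)",
]
TT_LINES = [
    "934329599.900000 sloan.lander.edu.1174 > 205.153.63.238.telnet: . ack 3259091394 win 8647 (DF)",
    "934329600.100000 205.153.63.238.telnet > sloan.lander.edu.1174: . ack 1 win 8760 (DF)",
    "934329601.100000 sloan.lander.edu.1174 > 205.153.63.238.telnet: P 1:2(1) ack 1 win 8647 (DF)",
]

WALLCLOCK = re.compile(r"^(\d{2}):(\d{2}):(\d{2})\.(\d{6})\s")
EPOCH = re.compile(r"^(\d+)\.(\d{6})\s")


def wallclock_seconds(line):
    """Seconds since local midnight from a default-format tcpdump line."""
    m = WALLCLOCK.match(line)
    if not m:
        raise ValueError("no hh:mm:ss.uuuuuu timestamp: %r" % line)
    h, mi, s, us = (int(g) for g in m.groups())
    return h * 3600 + mi * 60 + s + us / 1_000_000


def epoch_seconds(line):
    """Seconds since the Unix epoch from a -tt tcpdump line."""
    m = EPOCH.match(line)
    if not m:
        raise ValueError("no epoch timestamp: %r" % line)
    return int(m.group(1)) + int(m.group(2)) / 1_000_000


def gaps_from_default(lines):
    """Inter-packet gaps from default output.

    A negative difference can only mean the wall clock wrapped past midnight, so a
    day is added back. A real gap of 86400.2 s would look identical to 0.2 s.
    """
    times = [wallclock_seconds(line) for line in lines]
    fixed = []
    for a, b in zip(times, times[1:]):
        d = b - a
        if d < 0:  # e.g. 23:59:59.9 -> 00:00:00.1: assume one rollover
            d += 86400
        fixed.append(round(d, 6))
    return fixed


def gaps_from_tt(lines):
    """Inter-packet gaps from -tt output: plain subtraction, no date ambiguity."""
    times = [epoch_seconds(line) for line in lines]
    return [round(b - a, 6) for a, b in zip(times, times[1:])]


if __name__ == "__main__":
    print("default:", gaps_from_default(DEFAULT_LINES))
    print("-tt:    ", gaps_from_tt(TT_LINES))
```

When a capture must later be correlated with logs from other hosts, record it with -tt (or with -w, which stores full epoch timestamps in the file) rather than trying to reattach a date to wall-clock output afterwards.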
5.4.2.3 Controlling what's displayed