Tcpdump
ph
tcpdump -nS dst port <some port>
SYNOPSIS
tcpdump [ -AbdDefhHIJKlLnNOpqRStuUvxX ] [ -B buffer_size ] [ -c count ]
[ -C file_size ] [ -G rotate_seconds ] [ -F file ]
[ -i interface ] [ -j tstamp_type ] [ -m module ] [ -M secret ]
[ -P in|out|inout ]
[ -r file ] [ -V file ] [ -s snaplen ] [ -T type ] [ -w file ]
[ -W filecount ]
[ -E spi@ipaddr algo:secret,... ]
[ -y datalinktype ] [ -z postrotate-command ] [ -Z user ]
[ expression ]
-n Don't convert host addresses to names. This can be used to
avoid DNS lookups.
-S Print absolute, rather than relative, TCP sequence numbers.
expression
selects which packets will be dumped. If no expression is
given, all packets on the net will be dumped. Otherwise, only
packets for which expression is `true' will be dumped.
For the expression syntax, see pcap-filter(7).
Allowable primitives are:
dst host host
src host host
host host
ether dst ehost
ether src ehost
ether host ehost
gateway host
dst net net
src net net
net net
net net mask netmask
net net/len
dst port port
src port port
port port
dst portrange port1-port2
src portrange port1-port2
portrange port1-port2
less length
greater length
ip proto protocol
ip6 proto protocol
proto protocol
tcp, udp, icmp
ip6 protochain protocol
ip protochain protocol
protochain protocol
ether broadcast
ip broadcast
ether multicast
ip multicast
ip6 multicast
ether proto protocol
ip, ip6, arp, rarp, atalk, aarp, decnet, iso, stp, ipx, netbeui
lat, moprc, mopdl
decnet src host
decnet dst host
decnet host host
ifname interface
on interface
rnr num
rulenum num
reason code
rset name
ruleset name
srnr num
subrulenum num
action act
wlan ra ehost
wlan ta ehost
wlan addr1 ehost
wlan addr2 ehost
wlan addr3 ehost
wlan addr4 ehost
type wlan_type
type wlan_type subtype wlan_subtype
subtype wlan_subtype
dir dir
vlan [vlan_id]
mpls [label_num]
pppoed
pppoes [session_id]
iso proto protocol
clnp, esis, isis
l1, l2, iih, lsp, snp, csnp, psnp
vpi n
vci n
lane
llc
oamf4s
oamf4e
oamf4
oam
metac
bcc
sc
ilmic
connectmsg
metaconnect
expr relop expr