Terminal - Commands using tcpdump - 45 results
sudo tcpdump -i en0 'udp port 53'
tcpdump -nr capture.file | awk '{print }' | grep -oE '[0-9]{1,}\.[0-9]{1,}\.[0-9]{1,}\.[0-9]{1,}' | sort | uniq -c | sort -n
2011-06-16 19:27:11
User: shahabv
Functions: awk grep sort tcpdump uniq
Tags: tcpdump

We can get useful statistics from tcpdump with this simple command.

Thanks to "Babak Farrokhi" for teaching me this ;)
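The same kind of tally, as an added example that is not part of shahabv's post: it runs the pipeline over constructed `tcpdump -n` text lines embedded in the script (not a real capture), selects only the source address field and escapes the dots in the address pattern so a dot cannot match an arbitrary character.

```shell
#!/bin/sh
# Added example: count source IPv4 addresses in "tcpdump -n" text output.
# SAMPLE is constructed to look like tcpdump -nr output; it is not real traffic.
SAMPLE='12:00:01.000001 IP 192.168.1.10.54321 > 10.0.0.5.80: Flags [S], seq 1, win 64240, length 0
12:00:01.000120 IP 10.0.0.5.80 > 192.168.1.10.54321: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:02.000001 IP 192.168.1.10.54322 > 10.0.0.5.443: Flags [S], seq 3, win 64240, length 0
12:00:03.000001 IP 192.168.1.77.40000 > 10.0.0.5.22: Flags [S], seq 4, win 64240, length 0
12:00:03.500000 IP 192.168.1.10.54323 > 10.0.0.9.53: 1234+ A? example.com. (29)'

# src_ip_counts: print "count ip" lines for the source address, least
# frequent first, the way the original pipeline's trailing sort -n orders them.
src_ip_counts() {
  printf '%s\n' "$SAMPLE" |
    awk '$2 == "IP" {print $3}' |                # IPv4 lines only; field 3 is src host.port
    grep -oE '^([0-9]{1,3}\.){3}[0-9]{1,3}' |    # keep the address, drop the port; dots escaped
    sort | uniq -c | sort -n |
    awk '{print $1, $2}'                         # strip uniq -c's leading padding
}

# top_src_ip: the single most frequent source address (last line of the tally).
top_src_ip() {
  src_ip_counts | tail -n 1 | awk '{print $2}'
}

src_ip_counts
```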

tcpdump -w "$(sed 's/-//gi; s/ /_/gi'<<<"-vvv -s0 -ieth1 -c10 icmp").pcap"
sudo tcpdump -i eth0 -s 65535 -A -ttt port 11211
tcp(){ tcpdump -nUs0 -w- -iinterface $1|tcpdump -n${2-A}r- ;} usage: tcp '[primitives]' [X|XX]
2011-03-07 03:40:11
User: argv
Functions: tcpdump

Sometimes the question comes up: how to get unbuffered tcpdump output into the next program in the pipe, i.e. if your OS forces you to wait for the buffer to fill before the next program sees any of the output.

If you use -Uw- then you can't use -A (or -X or -XX) at the same time.

When the question comes up, I've never seen anyone suggest this simple solution: chaining 2 tcpdump instances.

tcpdump -i eth0 "tcp port pop3 and ip[40] = 85 and ip[41] = 83" -s 1500 -n -w "sniff"
2010-11-18 09:03:08
User: ironmarc
Functions: tcpdump

The command is useful for monitoring the use of the boxes and their connection IP.

Result file "sniff" is readable with GUI program "wireshark" or through CLI with the command:

tcpdump -r "sniff" -XX

ssh root@HOST tcpdump -U -s0 -w - 'not port 22' | wireshark -k -i -
2010-10-28 09:02:39
User: abb
Functions: ssh tcpdump

When using tcpdump, specify -U option to prevent buffering.

liveh(){ tcpdump -lnAs512 ${1-} tcp |sed ' s/.*GET /GET /;s/.*Host: /Host: /;s/.*POST /POST /;/[GPH][EOo][TSs]/!d;w '"${2-liveh.txt}"' ' >/dev/null ;} # usage: liveh [-i interface] [output-file] && firefox &
2010-10-11 01:01:11
User: argv
Functions: sed tcpdump

Default output-file is "liveh.txt".

This uses only BRE, in case you're using an older version of sed(1) that doesn't have support for ERE added.

With a modern sed(1), to reduce false positive matches, you might do something like:

liveh(){ tcpdump -lnnAs512 -i ${1-} tcp |sed -E 's/.*GET /GET /;s/.*Host: /Host: /;s/.*POST /POST /;/GET |Host: |POST /!d;/[\"'"'"]/d;/\.\./d;w '"${2-liveh.txt}"'' >/dev/null ;}

Anyway, it's easy to clean up the output file with sed(1) later.

sudo tcpdump -i eth0 -n port 67 and 68
2010-08-18 19:36:06
User: wsv123456
Functions: sudo tcpdump

You don't need this command often and there are other ways to test output but if you want to be sure if your router and ethernet card are working this is one way.

tcpdump -i eth0 port 80 -w -
tcpdump -i any -n 'tcp[13] == 2'
sudo tcpdump -nnvvXSs 1514 -i lo0 dst port 5432
2009-12-18 17:12:44
User: ethanmiller
Functions: sudo tcpdump

It's certainly not nicely formatted SQL, but you can see the SQL in there...

tcpdump -nnvvXSs 1514 -i <device> <filters>
2009-12-17 22:30:55
User: din7
Functions: tcpdump

This command will show you the entire payload of a packet.

The final "s" increases the snaplength, grabbing the whole packet.

tcpdump -v -i <INTERFACE> -s 0 -w /tmp/sniff.pcap port <PORT> # On the remote side
2009-12-17 22:08:30
User: sputnick
Functions: tcpdump
Tags: tcpdump pcap

Then hit ^C to stop, get the file by scp, and you can now use wireshark like this:

wireshark /tmp/sniff.pcap

If you have tshark on the remote host, you could use that:

wireshark -k -i <(ssh -l root <REMOTE HOST> tshark -w - not tcp port 22)

The last snippet comes from http://wiki.wireshark.org/CaptureSetup/Pipes

tcpdump -ieth0 -n tcp port 80 -A -s1500
2009-12-05 00:59:16
User: guelfoweb
Functions: tcpdump
Tags: tcpdump

Sniffing traffic on port 80, only the first 1500 bytes.

tcpdump -n -v tcp or udp or icmp and not port 22
sniff_host: tcpdump -nn -i eth1 -w - | nc 666
sudo tcpdump -i en1 -n -s 0 -w - | grep -a -o -E "Host\: .*|GET \/.*"
2009-04-04 01:41:48
User: peterc
Functions: grep sudo tcpdump

Replace "en1" with your network interface (on OS X, usually en0, en1, eth0, etc.).

tcpdump -nn -v -i eth0 -s 1500 -c 1 'ether[20:2] == 0x2000'
2009-02-20 18:02:27
User: spif
Functions: tcpdump

This gives you lots of nifty Cisco network information like VLAN tag, port and switch information.

tcpdump -nli eth0; tcpdump -nli eth0 src or dst w.x.y.z; tcpdump -nli eth0 port 80; tcpdump -nli eth0 proto udp
2009-02-05 17:41:55
User: jonty
Functions: tcpdump

At some point you want to know what packets are flowing on your network. Use tcpdump for this. The man page is obtuse, to say the least, so here are some simple commands to get you started.

-n means show IP numbers and don't try to translate them to names.

-l means write a line as soon as it is ready.

-i eth0 means trace the packets flowing through the first ethernet interface.

src or dst w.x.y.z traces only packets going to or from IP address w.x.y.z.

port 80 traces only packets for HTTP.

proto udp traces only packets for UDP protocol.

Once you are happy with each option, combine them with 'and', 'or' and 'not' to get the effects you want.