How to show MAC addresses in TCPdump

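Just a quick tip on how to display MAC addresses in the TCPdump utility.
Simply use the “-e” switch, which prints the link-level (Ethernet) header, including the source and destination MAC addresses, on each line.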

tcpdump -i INTERFACENAME -e

Without the -e switch:

[CheckPoint]# tcpdump -i bond2.100 -n
12:28:42.257902 IP 10.20.20.31.49155 > 10.254.25.116.49929: . ack 1831 win 513
12:28:42.258620 IP 10.20.20.31.49155 > 10.254.25.116.49929: P 1:286(285) ack 1831 win 513

With the -e switch (combined here with -n as -en):

[CheckPoint]# tcpdump -i bond2.100 -en
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on bond2.100, link-type EN10MB (Ethernet), capture size 96 bytes
12:28:02.676263 00:00:85:83:c1:fc > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.254.25.48 tell 10.254.25.222
12:28:02.789472 c4:34:6b:53:b9:f4 > 8c:dc:d4:aa:0e:bd, ethertype IPv4 (0x0800), length 208: 10.254.25.128.49905 > 10.20.204.https: P 2852867481:2852867635(154) ack 1634338568 win 25


3 Responses to How to show mac addresses in TCPdump

  1. Thank you, man.
    I was lazy enough to scour TCPDUMP(8) – and you gave a short and useful answer (with example).

    Awesome!
