%20e2e)
%20e2e)
ptcpdump is the tcpdump(8) implementation using eBPF, with an extra feature: it adds process info as packet comments for each Packet when possible. Inspired by jschwinger233/skbdump.
- Process-aware
- Aware of the process information associated with the packets.
- Supports filtering packets by process ID and process name.
- Supports using pcap-filter(7) syntax for filtering packets.
- Directly applies filters in the kernel space.
- Supports saving captured packets in the PcapNG format for offline analysis with third-party tools such as Wireshark.
- Supports reading packets from pcapng file.
- Container-aware
- Aware of the container information associated with the packets.
- Supports multiple container runtimes: Docker Engine and containerd
Please download the latest binary in the releases.
Linux kernel version >= 5.2.
sudo ptcpdump -i any tcp
sudo ptcpdump -i eth0 -i lo
sudo ptcpdump -i eth0 --pid 1234 port 80 and host 10.10.1.1
sudo ptcpdump -i any --pname curl
sudo ptcpdump -i any -- curl ubuntu.com
sudo ptcpdump -i any -w demo.pcapng
sudo ptcpdump -i any -w - port 80 | tcpdump -n -r -
sudo ptcpdump -i any -w - port 80 | tshark -r -
ptcpdump -r demo.pcapng
12:10:14.384352 wlp4s0 Out IP (tos 0x0, ttl 63, id 14146, offset 0, flags [DF], ip_proto TCP (6), length 52)
192.168.1.50.44318 > 139.178.84.217.80: Flags [F.], cksum 0xa28c, seq 945708706, ack 3673127374, win 501, options [nop,nop,TS val 3474241628 ecr 766303359], length 0
Process (pid 751465, cmd /usr/bin/wget, args wget kernel.org)
Container (name demo, id 087cb587a02f039609061e0e78bf74f8d146fbcb42d1d5647a6776f315d121eb, image docker.io/alpine:3.18, labels {})
12:10:14.622421 wlp4s0 In IP (tos 0x4, ttl 47, id 43987, offset 0, flags [DF], ip_proto TCP (6), length 52)
139.178.84.217.80 > 192.168.1.50.44318: Flags [.], cksum 0xa787, seq 3673127374, ack 945708707, win 114, options [nop,nop,TS val 766303761 ecr 3474241628], length 0
Process (pid 751465, cmd /usr/bin/wget, args wget kernel.org)
Container (name demo, id 087cb587a02f039609061e0e78bf74f8d146fbcb42d1d5647a6776f315d121eb, image docker.io/alpine:3.18, labels {})
Usage:
ptcpdump [flags] [expression] [-- command [args]]
Examples:
sudo ptcpdump -i any tcp
sudo ptcpdump -i eth0 -i lo
sudo ptcpdump -i eth0 --pid 1234 port 80 and host 10.10.1.1
sudo ptcpdump -i any --pname curl
sudo ptcpdump -i any -- curl ubuntu.com
sudo ptcpdump -i any -w ptcpdump.pcapng
sudo ptcpdump -i any -w - port 80 | tcpdump -n -r -
sudo ptcpdump -i any -w - port 80 | tshark -r -
ptcpdump -r ptcpdump.pcapng
Expression: see "man 7 pcap-filter"
Flags:
-Q, --direction string Choose send/receive direction for which packets should be captured. Possible values are 'in', 'out' and 'inout' (default "inout")
-f, --follow-forks Trace child processes as they are created by currently traced processes when filter by process
-h, --help help for ptcpdump
-i, --interface strings Interfaces to capture (default [lo])
--list-interfaces Print the list of the network interfaces available on the system
--oneline Print parsed packet output in a single line
--pid uint Filter by process ID (only TCP and UDP packets are supported)
--pname string Filter by process name (only TCP and UDP packets are supported)
--print Print parsed packet output, even if the raw packets are being saved to a file with the -w flag
-r, --read-file string Read packets from file (which was created with the -w option). e.g. ptcpdump.pcapng
-c, --receive-count uint Exit after receiving count packets
--version Print the ptcpdump and libpcap version strings and exit
-w, --write-file string Write the raw packets to file rather than parsing and printing them out. They can later be printed with the -r option. Standard output is used if file is '-'. e.g. ptcpdump.pcapng
| Options | tcpdump | ptcpdump |
|---|---|---|
| expression | β | β |
| -i interface, --interface=interface | β | β |
| -w x.pcapng | β | β (with process info) |
| -w x.pcap | β | β (without process info) |
| -w - | β | β |
| -r x.pcapng, -r x.pcap | β | β |
| -r - | β | |
| --pid process_id | β | |
| --pname process_name | β | |
| -f, --follow-forks | β | |
| -- command [args] | β | |
| --oneline | β | |
| β | β | |
| -c count | β | β |
| -Q direction, --direction=direction | β | β |
| -D, --list-interfaces | β | β |
| -A | β | |
| -B bufer_size, --buffer-size=buffer_size | β | |
| --count | β | β |
| -C *file_size | β | |
| -d | β | |
| -dd | β | |
| -ddd | β | |
| -e | β | |
| -f | β | β |
| -F file | β | |
| -G rotate_seconds | β | |
| -h, --help | β | β |
| --version | β | β |
| -H | β | |
| -l, --monitor-mode | β | |
| --immediate-mode | β | |
| -j tstamp_type, --time-stamp-type=tstamp_type | β | |
| -J, --list-time-stamp-types | β | |
| --time-stamp-precision=tstamp_precision | β | |
| --micro | β | |
| --nano | β | |
| -K, --dont-verify-checksums | β | |
| -l | β | |
| -L, --list-data-link-types | β | |
| -m module | β | |
| -M secret | β | |
| -n | β | |
| -N | β | |
| -#, --number | β | β |
| -O, --no-optimize | β | |
| -p, --no-promiscuous-mode | β | β |
| -S, --absolute-tcp-sequence-numbers | β | |
| -s snaplen, --snapshot-length=snaplen | β | |
| -T type | β | |
| -t | β | β |
| -tt | β | |
| -ttt | β | |
| -tttt | β | |
| -u | β | |
| -U, --packet-buffered | β | |
| -v | β | |
| -vv | β | |
| -vvv | β | |
| -V file | β | |
| -W filecont | β | |
| -x | β | |
| -xx | β | |
| -X | β | |
| -XX | β | |
| -y datalinktype, --linktype=datalinktype | β | |
| -z postrotate-command | β | |
| -Z user, --relinquish-privileges=user | β |
-
Build eBPF programs:
make build-bpf -
Build ptcpdump:
make build
![@renovate[bot]](https://avatars.githubusercontent.com/in/2740?s=64&v=4){kind=small}
![@dependabot[bot]](https://avatars.githubusercontent.com/in/29110?s=64&v=4){kind=small}