>
    Strata Copilot
    tcpdump
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma SD-WAN
    3. Use CLI Commands
    4. Debug Commands
    5. tcpdump
    Download PDF
    Prisma SD-WAN

    tcpdump

    Table of Contents

    tcpdump

    Use the tcpdump command to capture the TCP, or IP packets received or transferred over a network on a specific interface and used for network debugging and traffic analysis. The packet data is printed on a console or saved to a future analysis file or transfer. The following (args) options are automatically included in the device: 
    "-A", "b", "-e", "-K", "-#", "-p", "-q", "-S", "-t", "-tt", "-ttt", "-tttt", "-ttttt", "-u", "-v", "-vv", "-vvv", "-x", "-xx", "-X", "-XX" "-B", "-c", "-E", "-j", "-M", "-Q", "-T", "-s" "-C"
    Capturing packets using the tcpdump command is currently not supported on sub-interfaces or SVIs for ION device software versions 6.1.x, 6.2.x, and 6.3.x. However, traffic flow of interest on such interfaces can be captured on parent interface, with the help of available (args) options.
    Args options are not supported in releases 6.4.2 and 6.5.1, it will be reintroduced in the upcoming releases 6.4.3 and 6.5.2.
    • For capturing the packets:
      tcpdump interface= -v -vv -x -xx srcv4= dstv4= srcv6= dstv6= host= port= srcport= dstport= protocol= show
      tcpdump interface args=” “ show
    • For saving packets capture to a file:
      tcpdump interface args=” “ save filename
      tcpdump interface= -v -vv -x -xx srcv4= dstv4= srcv6= dstv6= host= port= srcport= dstport= protocol= save filename
    • For viewing and exporting a .pcap file:
      file view sample.pcap

    Command

    tcpdump (interface name or number <args= " " | show | save file=filename>)

    tcpdump (interface name or number-v  -vv  -x  -xx  srcv4=  dstv4=  srcv6=   dstv6=  host=   port=   srcport=  dstport=  protocol= show | save file=filename>)

    Options

    interfaceEnter the interface to listen on.
    showDisplays TCP packet information.
    save fileEnter the name of the file in which the tcpdump is saved.

    Command Notes

    RoleSuper, Read Only
    Related Commands
    Introduced inRelease 4.4.1

    Example

    tcpdump filtering on host IP 8.8.8.8, protocol = icmp, and display
				ethernetframe info (-e)
				tcpdump controller1 args=" -e host 8.8.8.8 and icmp" show tcpdump:verbose 
				output suppressed, use -v or -vv for full protocol decode
				listening on eth0, link-type EN10MB (Ethernet), capture size 65535
				bytes 14:06:13.488774 00:50:56:92:30:be > 00:50:56:92:8b:1a,
				ethertype IPv4 (0x0800), length 98: 192.168.30.10 > 8.8.8.8: ICMP
				echo request, id 12410, seq 0, length 64
				14:06:13.5395143e:2d:5f:3a:be:bd > 00:50:56:92:30:be,
				ethertype IPv4 (0x0800),length
    tcpdump controller1 args="-vvv" show
				tcpdump: listening on eth0, link-type EN10MB (Ethernet), 
				capture size 262144 bytes
				06:04:09.589948 ARP, Ethernet (len 6), IPv4 (len 4), 
				Request who-has 179.19.44.2 (ff:ff:ff:ff:ff:ff) tell 179.19.44.7, length 46
				06:04:09.589953 ARP, Ethernet (len 6), IPv4 (len 4),
				Request who-has 179.19.44.2 (ff:ff:ff:ff:ff:ff) tell 179.19.44.7, length 78
    tcpdump controller1 args="-c 5" save file=tcpdump_capture.pcap
				Saving...
				Press CTR+C to stop.
				tcpdump: listening on eth0, link-type EN10MB (Ethernet), 
				capture size 262144 bytes
				5 packets captured
    tcpdump any args="src 11.11.11.5" show
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
09:36:29.529452 IP 11.11.11.5 > 44.44.44.5: ICMP echo request, id 27, seq 377, length 64
09:36:29.529467 IP 11.11.11.5 > 44.44.44.5: ICMP echo request, id 27, seq 377, length 64
09:36:29.529471 IP 11.11.11.5 > 44.44.44.5: ICMP echo request, id 27, seq 377, length 64
09:36:30.553375 IP 11.11.11.5 > 44.44.44.5: ICMP echo request, id 27, seq 378, length 64
09:36:30.553383 IP 11.11.11.5 > 44.44.44.5: ICMP echo request, id 27, seq 378, length 64
09:36:30.553385 IP 11.11.11.5 > 44.44.44.5: ICMP echo request, id 27, seq 378, length 64
^C
6 packets captured
9 packets received by filter
0 packets dropped by kernel

    tcpdump any srcv4=11.11.11.5 -vv show
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
09:36:37.721372 IP (tos 0x0, ttl 63, id 60721, offset 0, flags [DF], proto ICMP (1), length 84)
    11.11.11.5 > 44.44.44.5: ICMP echo request, id 27, seq 385, length 64
09:36:37.721380 IP (tos 0x0, ttl 62, id 60721, offset 0, flags [DF], proto ICMP (1), length 84)
    11.11.11.5 > 44.44.44.5: ICMP echo request, id 27, seq 385, length 64
09:36:37.721381 IP (tos 0x0, ttl 62, id 60721, offset 0, flags [DF], proto ICMP (1), length 84)
    11.11.11.5 > 44.44.44.5: ICMP echo request, id 27, seq 385, length 64
09:36:38.745249 IP (tos 0x0, ttl 63, id 60951, offset 0, flags [DF], proto ICMP (1), length 84)
    11.11.11.5 > 44.44.44.5: ICMP echo request, id 27, seq 386, length 64
09:36:38.745256 IP (tos 0x0, ttl 62, id 60951, offset 0, flags [DF], proto ICMP (1), length 84)
    11.11.11.5 > 44.44.44.5: ICMP echo request, id 27, seq 386, length 64
09:36:38.745258 IP (tos 0x0, ttl 62, id 60951, offset 0, flags [DF], proto ICMP (1), length 84)
    11.11.11.5 > 44.44.44.5: ICMP echo request, id 27, seq 386, length 64
^C
6 packets captured
9 packets received by filter
0 packets dropped by kernel

    © 2026 Palo Alto Networks, Inc. All rights reserved.