
Suppress TCPDump output and show only the unique entries [Resolved]

I am trying to execute a tcpdump command that shows me only the unique entries. This is my command and the output:

$ sudo tcpdump -c 5 -q -i eno1 -nn -vvv tcp | sort | uniq
tcpdump: listening on br1, link-type EN10MB (Ethernet), capture size 262144 bytes
5 packets captured
6 packets received by filter
0 packets dropped by kernel
09:39:51.350138 IP (tos 0x10, ttl 64, id 61352, offset 0, flags [DF], proto TCP (6), length 184)
09:39:51.350743 IP (tos 0x0, ttl 124, id 3896, offset 0, flags [DF], proto TCP (6), length 40)
09:39:51.811811 IP (tos 0x0, ttl 124, id 3901, offset 0, flags [DF], proto TCP (6), length 92)
09:39:51.811861 IP (tos 0x0, ttl 64, id 41613, offset 0, flags [DF], proto TCP (6), length 40)
09:39:52.424473 IP (tos 0x0, ttl 64, id 41614, offset 0, flags [DF], proto TCP (6), length 92)
    10.184.17.196.55195 > 10.88.159.90.22: tcp 0
    10.184.17.196.58484 > 10.88.159.90.22: tcp 52
    10.88.159.90.22 > 10.184.17.196.55195: tcp 144
    10.88.159.90.22 > 10.184.17.196.58484: tcp 0
    10.88.159.90.22 > 10.184.17.196.58484: tcp 52

and I want my output to be only the list of the unique entries and to suppress the normal tcpdump output:

10.184.17.196.55195 > 10.88.159.90.22: tcp 0
10.184.17.196.58484 > 10.88.159.90.22: tcp 52
10.88.159.90.22 > 10.184.17.196.55195: tcp 144
10.88.159.90.22 > 10.184.17.196.58484: tcp 0
10.88.159.90.22 > 10.184.17.196.58484: tcp 52

Question Credit: Georgе Stoyanov
Asked September 14, 2019
1 Answer

Have you considered adding a simple grep command as an extra pipe? For example,

$ sudo tcpdump -c 5 -q -i eno1 -nn -vvv tcp | sort | uniq | grep '>'

credit: John Call
Answered September 14, 2019
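
An added example, not part of the answer above: tcpdump writes its "listening on" banner and packet counters to stderr, so a filter on stdout alone leaves them on the terminal. The sketch below drops them with `2>/dev/null` and keeps only the indented flow lines; the function names `unique_flows` and `sample_capture` and the sample capture text are constructed for illustration.

```shell
#!/bin/sh
# unique_flows: read `tcpdump -q -nn -vvv` text on stdin and print each
# distinct "src > dst: proto len" line once. (Hypothetical helper name.)
unique_flows() {
    # With -vvv every packet is printed as two lines: an IP header line that
    # starts with a timestamp, and an indented flow line. Keep only the
    # indented flow lines, strip the indentation, then de-duplicate.
    # LC_ALL=C makes the sort order independent of the user's locale.
    sed -n 's/^[[:space:]]\{1,\}\([^[:space:]]\{1,\} > [^[:space:]]\{1,\}: .*\)$/\1/p' |
        LC_ALL=C sort -u
}

# Constructed sample in the same layout as the output in the question.
# It contains one repeated flow line and one banner line, as if stderr had
# been merged into the stream.
sample_capture() {
    cat <<'EOF'
tcpdump: listening on eno1, link-type EN10MB (Ethernet), capture size 262144 bytes
09:39:51.350138 IP (tos 0x10, ttl 64, id 61352, offset 0, flags [DF], proto TCP (6), length 184)
    10.88.159.90.22 > 10.184.17.196.55195: tcp 144
09:39:51.350743 IP (tos 0x0, ttl 124, id 3896, offset 0, flags [DF], proto TCP (6), length 40)
    10.184.17.196.55195 > 10.88.159.90.22: tcp 0
09:39:51.811811 IP (tos 0x0, ttl 124, id 3901, offset 0, flags [DF], proto TCP (6), length 40)
    10.184.17.196.55195 > 10.88.159.90.22: tcp 0
09:39:51.811861 IP (tos 0x0, ttl 64, id 41613, offset 0, flags [DF], proto TCP (6), length 92)
    10.88.159.90.22 > 10.184.17.196.58484: tcp 52
EOF
}

# Live use (needs root, so it is left commented out here):
#   sudo tcpdump -c 5 -q -i eno1 -nn -vvv tcp 2>/dev/null | unique_flows

# Offline demonstration on the constructed sample.
sample_capture | unique_flows
```

Because the byte count is part of each line, two packets on the same connection with different payload sizes still count as different entries, which matches the output the question asks for.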