{"id":13811958,"url":"https://github.com/mozillazg/ptcpdump","last_synced_at":"2025-04-09T18:53:44.735Z","repository":{"id":238310460,"uuid":"782416935","full_name":"mozillazg/ptcpdump","owner":"mozillazg","description":"Process-aware, eBPF-based tcpdump","archived":false,"fork":false,"pushed_at":"2024-05-28T15:03:10.000Z","size":11793,"stargazers_count":130,"open_issues_count":8,"forks_count":5,"subscribers_count":2,"default_branch":"master","last_synced_at":"2024-05-29T06:30:29.701Z","etag":null,"topics":["bpf","ebpf","ebpf-go","ebpf-tc","forensics","network-capture","packet-capture","pcap","pcapng","process-aware","sniffer","tcpdump","tcpdump-like"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mozillazg.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-04-05T08:59:43.000Z","updated_at":"2024-05-31T14:34:51.641Z","dependencies_parsed_at":"2024-05-31T14:34:44.174Z","dependency_job_id":null,"html_url":"https://github.com/mozillazg/ptcpdump","commit_stats":null,"previous_names":["mozillazg/ptcpdump"],"tags_count":35,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mozillazg%2Fptcpdump","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mozillazg%2Fptcpdump/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mozillazg%2Fptcpdump/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mozillazg%2Fptcpdump/manifes
ts","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mozillazg","download_url":"https://codeload.github.com/mozillazg/ptcpdump/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248093669,"owners_count":21046723,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bpf","ebpf","ebpf-go","ebpf-tc","forensics","network-capture","packet-capture","pcap","pcapng","process-aware","sniffer","tcpdump","tcpdump-like"],"created_at":"2024-08-04T04:00:42.832Z","updated_at":"2025-04-09T18:53:44.721Z","avatar_url":"https://github.com/mozillazg.png","language":"C","funding_links":[],"categories":["Projects Related to eBPF","C"],"sub_categories":["Tools"],"readme":"# ptcpdump\n\n\u003cdiv id=\"top\"\u003e\u003c/div\u003e\n\n[![amd64-e2e](https://img.shields.io/github/actions/workflow/status/mozillazg/ptcpdump/test.yml?label=x86_64%20(amd64)%20e2e)](https://github.com/mozillazg/ptcpdump/actions/workflows/test.yml)\n[![arm64-e2e](https://img.shields.io/circleci/build/gh/mozillazg/ptcpdump/master?label=aarch64%20(arm64)%20e2e)](https://app.circleci.com/pipelines/github/mozillazg/ptcpdump?branch=master)\n[![Release](https://img.shields.io/github/v/release/mozillazg/ptcpdump)](https://github.com/mozillazg/ptcpdump/releases)\nEnglish | [中文](README.zh-CN.md)\n\n\nptcpdump is a tcpdump-compatible packet analyzer powered by eBPF,\nautomatically annotating packets with process/container/pod metadata when detectable.\nInspired by 
[jschwinger233/skbdump](https://github.com/jschwinger233/skbdump).\n\n![](./docs/wireshark.png)\n\nTable of Contents\n=================\n\n* [Features](#features)\n* [Installation](#installation)\n    * [Requirements](#requirements)\n* [Usage](#usage)\n    * [Example commands](#example-commands)\n    * [Example output](#example-output)\n    * [Running with Docker](#running-with-docker)\n    * [Backend](#backend)\n    * [Flags](#flags)\n* [Compare with tcpdump](#compare-with-tcpdump)\n* [Developing](#developing)\n    * [Dependencies](#dependencies)\n    * [Building](#building)\n\n\n## Features\n\n* 🔍 Process/container/pod-aware packet capture.\n* 📦 Filter by: `--pid` (process), `--pname` (process name), `--container-id` (container), `--pod-name` (pod).\n* 🎯 tcpdump-compatible flags (`-i`, `-w`, `-c`, `-s`, `-n`, `-C`, `-W`, `-A`, and more).\n* 📜 Supports `pcap-filter(7)` syntax like tcpdump.\n* 🌳 tcpdump-like output + process/container/pod context.\n* 📑 Verbose mode shows detailed metadata for processes and containers/pods.\n* 💾 PcapNG with embedded metadata (Wireshark-ready).\n* 🌐 Cross-namespace capture (`--netns`).\n* 🚀 Kernel-space BPF filtering (low overhead, reduces CPU usage).\n* ⚡ Container runtime integration (Docker, containerd).\n\n\n## Installation\n\nYou can download the statically linked executable for x86_64 and arm64 from the [releases page](https://github.com/mozillazg/ptcpdump/releases).\n\n\n### Requirements\n\nLinux kernel \u003e= 5.2 (compiled with BPF and BTF support).\n\n\u003cp align=\"right\"\u003e\u003ca href=\"#top\"\u003e🔝\u003c/a\u003e\u003c/p\u003e\n\n\n## Usage\n\n### Example commands\n\nFilter like tcpdump:\n\n```\nsudo ptcpdump -i eth0 tcp\nsudo ptcpdump -i eth0 -A -s 0 -n -v tcp and port 80 and host 10.10.1.1\nsudo ptcpdump -i any -s 0 -n -v -C 100MB -W 3 -w test.pcapng 'tcp and port 80 and host 10.10.1.1'\nsudo ptcpdump -i eth0 'tcp[tcpflags] \u0026 (tcp-syn|tcp-fin) != 0'\n```\n\nMultiple interfaces:\n\n```\nsudo ptcpdump -i eth0 
-i lo\n```\n\nFilter by process or user:\n\n```\nsudo ptcpdump -i any --pid 1234 --pid 233 -f\nsudo ptcpdump -i any --pname curl\nsudo ptcpdump -i any --uid 1000\n```\n\nCapture by process by running the target program:\n\n```\nsudo ptcpdump -i any -- curl ubuntu.com\n```\n\nFilter by container or pod:\n\n```\nsudo ptcpdump -i any --container-id 36f0310403b1\nsudo ptcpdump -i any --container-name test\nsudo ptcpdump -i any --pod-name test.default\n```\n\nSave data in PcapNG format:\n\n```\nsudo ptcpdump -i any -w demo.pcapng\nsudo ptcpdump -i any -w - port 80 | tcpdump -n -r -\nsudo ptcpdump -i any -w - port 80 | tshark -r -\n```\n\n\nCapturing interfaces in other network namespaces:\n\n```\nsudo ptcpdump -i lo --netns /run/netns/foo --netns /run/netns/bar\nsudo ptcpdump -i any --netns /run/netns/foobar\nsudo ptcpdump -i any --netns /proc/26/ns/net\n```\n\n\n\u003cp align=\"right\"\u003e\u003ca href=\"#top\"\u003e🔝\u003c/a\u003e\u003c/p\u003e\n\n\n### Example output\n\n\nDefault:\n\n```\n09:32:09.718892 vethee2a302f wget.3553008 In IP 10.244.0.2.33426 \u003e 139.178.84.217.80: Flags [S], seq 4113492822, win 64240, length 0, ParentProc [python3.834381], Container [test], Pod [test.default]\n09:32:09.718941 eth0 wget.3553008 Out IP 172.19.0.2.33426 \u003e 139.178.84.217.80: Flags [S], seq 4113492822, win 64240, length 0, ParentProc [python3.834381], Container [test], Pod [test.default]\n```\n\nWith `-q`:\n\n```\n09:32:09.718892 vethee2a302f wget.3553008 In IP 10.244.0.2.33426 \u003e 139.178.84.217.80: tcp 0, ParentProc [python3.834381], Container [test], Pod [test.default]\n09:32:09.718941 eth0 wget.3553008 Out IP 172.19.0.2.33426 \u003e 139.178.84.217.80: tcp 0, ParentProc [python3.834381], Container [test], Pod [test.default]\n```\n\nWith `-v`:\n\n```\n13:44:41.529003 eth0 In IP (tos 0x4, ttl 45, id 45428, offset 0, flags [DF], proto TCP (6), length 52)\n    139.178.84.217.443 \u003e 172.19.0.2.42606: Flags [.], cksum 0x5284, seq 3173118145, ack 1385712707, win 118, 
options [nop,nop,TS val 134560683 ecr 1627716996], length 0\n    Process (pid 553587, cmd /usr/bin/wget, args wget kernel.org)\n    User (uid 1000)\n    ParentProc (pid 553296, cmd /bin/sh, args sh)\n    Container (name test, id d9028334568bf75a5a084963a8f98f78c56bba7f45f823b3780a135b71b91e95, image docker.io/library/alpine:3.18, labels {\"io.cri-containerd.kind\":\"container\",\"io.kubernetes.container.name\":\"test\",\"io.kubernetes.pod.name\":\"test\",\"io.kubernetes.pod.namespace\":\"default\",\"io.kubernetes.pod.uid\":\"9e4bc54b-de48-4b1c-8b9e-54709f67ed0c\"})\n    Pod (name test, namespace default, UID 9e4bc54b-de48-4b1c-8b9e-54709f67ed0c, labels {\"run\":\"test\"}, annotations {\"kubernetes.io/config.seen\":\"2024-07-21T12:41:00.460249620Z\",\"kubernetes.io/config.source\":\"api\"})\n```\n\nUse `--context` to limit which context is included in the output:\n\n```\n# --context=process\n09:32:09.718892 vethee2a302f wget.3553008 In IP 10.244.0.2.33426 \u003e 139.178.84.217.80: Flags [S], seq 4113492822, win 64240, length 0\n\n# -v --context=process\n13:44:41.529003 eth0 In IP (tos 0x4, ttl 45, id 45428, offset 0, flags [DF], proto TCP (6), length 52)\n    139.178.84.217.443 \u003e 172.19.0.2.42606: Flags [.], cksum 0x5284, seq 3173118145, ack 1385712707, win 118, options [nop,nop,TS val 134560683 ecr 1627716996], length 0\n    Process (pid 553587, cmd /usr/bin/wget, args wget kernel.org)\n\n# -v --context=process,parentproc,container,pod\n# or -v --context=process --context=parentproc --context=container --context=pod\n13:44:41.529003 eth0 In IP (tos 0x4, ttl 45, id 45428, offset 0, flags [DF], proto TCP (6), length 52)\n    139.178.84.217.443 \u003e 172.19.0.2.42606: Flags [.], cksum 0x5284, seq 3173118145, ack 1385712707, win 118, options [nop,nop,TS val 134560683 ecr 1627716996], length 0\n    Process (pid 553587, cmd /usr/bin/wget, args wget kernel.org)\n    ParentProc (pid 553296, cmd /bin/sh, args sh)\n    Container (name test, id 
d9028334568bf75a5a084963a8f98f78c56bba7f45f823b3780a135b71b91e95, image docker.io/library/alpine:3.18, labels {\"io.cri-containerd.kind\":\"container\",\"io.kubernetes.container.name\":\"test\",\"io.kubernetes.pod.name\":\"test\",\"io.kubernetes.pod.namespace\":\"default\",\"io.kubernetes.pod.uid\":\"9e4bc54b-de48-4b1c-8b9e-54709f67ed0c\"})\n    Pod (name test, namespace default, UID 9e4bc54b-de48-4b1c-8b9e-54709f67ed0c, labels {\"run\":\"test\"}, annotations {\"kubernetes.io/config.seen\":\"2024-07-21T12:41:00.460249620Z\",\"kubernetes.io/config.source\":\"api\"})\n```\n\n\nWith `-A`:\n\n```\n14:44:34.457504 ens33 curl.205562 Out IP 10.0.2.15.39984 \u003e 139.178.84.217.80: Flags [P.], seq 2722472188:2722472262, ack 892036871, win 64240, length 74, ParentProc [bash.180205]\nE..r.,@.@.o.\n.....T..0.P.E..5+g.P.......GET / HTTP/1.1\nHost: kernel.org\nUser-Agent: curl/7.81.0\nAccept: */*\n\n```\n\nWith `-x`:\n\n```\n14:44:34.457504 ens33 curl.205562 Out IP 10.0.2.15.39984 \u003e 139.178.84.217.80: Flags [P.], seq 2722472188:2722472262, ack 892036871, win 64240, length 74, ParentProc [bash.180205]\n        0x0000:  4500 0072 de2c 4000 4006 6fbf 0a00 020f\n        0x0010:  8bb2 54d9 9c30 0050 a245 a0fc 352b 6707\n        0x0020:  5018 faf0 ecfe 0000 4745 5420 2f20 4854\n        0x0030:  5450 2f31 2e31 0d0a 486f 7374 3a20 6b65\n        0x0040:  726e 656c 2e6f 7267 0d0a 5573 6572 2d41\n        0x0050:  6765 6e74 3a20 6375 726c 2f37 2e38 312e\n        0x0060:  300d 0a41 6363 6570 743a 202a 2f2a 0d0a\n        0x0070:  0d0a\n```\n\nWith `-X`:\n\n```\n14:44:34.457504 ens33 curl.205562 Out IP 10.0.2.15.39984 \u003e 139.178.84.217.80: Flags [P.], seq 2722472188:2722472262, ack 892036871, win 64240, length 74, ParentProc [bash.180205]\n        0x0000:  4500 0072 de2c 4000 4006 6fbf 0a00 020f  E..r.,@.@.o.....\n        0x0010:  8bb2 54d9 9c30 0050 a245 a0fc 352b 6707  ..T..0.P.E..5+g.\n        0x0020:  5018 faf0 ecfe 0000 4745 5420 2f20 4854  P.......GET / HT\n        0x0030:  
5450 2f31 2e31 0d0a 486f 7374 3a20 6b65  TP/1.1..Host: ke\n        0x0040:  726e 656c 2e6f 7267 0d0a 5573 6572 2d41  rnel.org..User-A\n        0x0050:  6765 6e74 3a20 6375 726c 2f37 2e38 312e  gent: curl/7.81.\n        0x0060:  300d 0a41 6363 6570 743a 202a 2f2a 0d0a  0..Accept: */*..\n        0x0070:  0d0a                                     ..\n```\n\n\n\u003cp align=\"right\"\u003e\u003ca href=\"#top\"\u003e🔝\u003c/a\u003e\u003c/p\u003e\n\n\n### Running with Docker\n\nDocker images for `ptcpdump` are published at https://quay.io/repository/ptcpdump/ptcpdump.\n\n```\ndocker run --privileged --rm -t --net=host --pid=host \\\n  -v /sys/fs/cgroup:/sys/fs/cgroup:ro \\\n  -v /var/run:/var/run:ro \\\n  -v /run:/run:ro \\\n  quay.io/ptcpdump/ptcpdump:latest ptcpdump -i any -c 2 tcp\n```\n\n\u003cp align=\"right\"\u003e\u003ca href=\"#top\"\u003e🔝\u003c/a\u003e\u003c/p\u003e\n\n\n### Backend\n\n\nptcpdump supports specifying a particular eBPF technology for packet capture through the\n`--backend` flag.\n\n| --backend    | eBPF Program Type          | Include L2 data |\n|--------------|----------------------------|-----------------|\n| `tc`         | `BPF_PROG_TYPE_SCHED_CLS`  | ✅               |\n| `cgroup-skb` | `BPF_PROG_TYPE_CGROUP_SKB` | ❌               |\n\n\nIf this flag isn't specified, it defaults to `tc`.\n\n\n\u003cp align=\"right\"\u003e\u003ca href=\"#top\"\u003e🔝\u003c/a\u003e\u003c/p\u003e\n\n\n### Flags\n\n\n```\nUsage:\n  ptcpdump [flags] [expression] [-- command [args]]\n\nExamples:\n  sudo ptcpdump -i any tcp\n  sudo ptcpdump -i eth0 -i lo\n  sudo ptcpdump -i eth0 --pid 1234 port 80 and host 10.10.1.1\n  sudo ptcpdump -i any --pname curl -A\n  sudo ptcpdump -i any --container-id 36f0310403b1\n  sudo ptcpdump -i any --container-name test\n  sudo ptcpdump -i any -- curl ubuntu.com\n  sudo ptcpdump -i any -w ptcpdump.pcapng\n  sudo ptcpdump -i any -w - | tcpdump -n -r -\n  sudo ptcpdump -i any -w - | tshark -r -\n  ptcpdump -r 
ptcpdump.pcapng\n\nExpression: see \"man 7 pcap-filter\"\n\nFlags:\n      --backend string                               Specify the backend to use for capturing packets. Possible values are \"tc\" and \"cgroup-skb\" (default \"tc\")\n      --container-id string                          Filter by container id (only TCP and UDP packets are supported)\n      --container-name string                        Filter by container name (only TCP and UDP packets are supported)\n      --containerd-address string                    Address of containerd service (default \"/run/containerd/containerd.sock\")\n      --context strings                              Specify which context information to include in the output (default [process,thread,parentproc,user,container,pod])\n      --count                                        Print only on stdout the packet count when reading capture file instead of parsing/printing the packets\n      --cri-runtime-address string                   Address of CRI container runtime service (default: uses in order the first successful one of [/var/run/dockershim.sock, /var/run/cri-dockerd.sock, /run/crio/crio.sock, /run/containerd/containerd.sock])\n      --delay-before-handle-packet-events duration   Delay some durations before handle packet events\n  -Q, --direction string                             Choose send/receive direction for which packets should be captured. 
Possible values are 'in', 'out' and 'inout' (default \"inout\")\n      --docker-address string                        Address of Docker Engine service (default \"/var/run/docker.sock\")\n      --embed-keylog-to-pcapng -- CMD [ARGS]         Write TLS Key Log file to this path (experimental: only support unstripped Go binary and must combined with -- CMD [ARGS])\n      --event-chan-size uint                         Size of event chan (default 20)\n      --exec-events-worker-number uint               Number of worker to handle exec events (default 50)\n  -F, --expression-file string                       Use file as input for the filter expression. An additional expression given on the command line is ignored.\n  -W, --file-count uint                              Used in conjunction with the -C option, this will limit the number of files created to the specified number, and begin overwriting files from the beginning, thus creating a 'rotating' buffer.\n  -C, --file-size fileSize                           Before writing a raw packet to a savefile, check whether the file is currently larger than file_size and, if so, close the current savefile and open a new one. 
Savefiles after the first savefile will have the name specified with the -w flag, with a number after it, starting at 1 and continuing upward.\n  -f, --follow-forks                                 Trace child processes as they are created by currently traced processes when filter by process\n  -h, --help                                         help for ptcpdump\n  -i, --interface strings                            Interfaces to capture (default [lo])\n      --kernel-btf string                            specify kernel BTF file (default: uses in order the first successful one of [/sys/kernel/btf/vmlinux, /var/lib/ptcpdump/btf/vmlinux, /var/lib/ptcpdump/btf/vmlinux-$(uname -r), /var/lib/ptcpdump/btf/$(uname -r).btf, download BTF file from https://mirrors.openanolis.cn/coolbpf/btf/ and https://github.com/aquasecurity/btfhub-archive/]\n  -D, --list-interfaces                              Print the list of the network interfaces available on the system\n      --log-level string                             Set the logging level (\"debug\", \"info\", \"warn\", \"error\", \"fatal\") (default \"warn\")\n      --micro                                        Shorthands for --time-stamp-precision=micro\n      --nano                                         Shorthands for --time-stamp-precision=nano\n      --netns strings                                Path to an network namespace file or name (default [/proc/self/ns/net])\n  -n, --no-convert-addr count                        Don't convert addresses (i.e., host addresses, port numbers, etc.) 
to names\n  -#, --number                                       Print an optional packet number at the beginning of the line\n      --oneline                                      Print parsed packet output in a single line\n      --pid uints                                    Filter by process IDs (only TCP and UDP packets are supported) (default [])\n      --pname string                                 Filter by process name (only TCP and UDP packets are supported)\n      --pod-name string                              Filter by pod name (format: NAME.NAMESPACE, only TCP and UDP packets are supported)\n      --print                                        Print parsed packet output, even if the raw packets are being saved to a file with the -w flag\n  -A, --print-data-in-ascii                          Print each packet (minus its link level header) in ASCII\n  -x, --print-data-in-hex count                      When parsing and printing, in addition to printing the headers of each packet, print the data of each packet in hex\n  -X, --print-data-in-hex-ascii count                When parsing and printing, in addition to printing the headers of each packet, print the data of each packet in hex and ASCII\n  -t, --print-timestamp count\n  -q, --quiet                                        Quiet output. Print less protocol information so output lines are shorter\n  -r, --read-file string                             Read packets from file (which was created with the -w option). e.g. 
ptcpdump.pcapng\n  -c, --receive-count uint                           Exit after receiving count packets\n  -s, --snapshot-length uint32                       Snarf snaplen bytes of data from each packet rather than the default of 262144 bytes (default 262144)\n      --time-stamp-precision string                  When capturing, set the time stamp precision for the capture to the format (default \"micro\")\n      --uid uints                                    Filter by user IDs (only TCP and UDP packets are supported) (default [])\n  -v, --verbose count                                When parsing and printing, produce (slightly more) verbose output\n      --version                                      Print the ptcpdump and libpcap version strings and exit\n  -w, --write-file string                            Write the raw packets to file rather than parsing and printing them out. They can later be printed with the -r option. Standard output is used if file is '-'. e.g. ptcpdump.pcapng\n      --write-keylog-file -- CMD [ARGS]              Write TLS Key Log file to this path (experimental: only support unstripped Go binary and must combined with -- CMD [ARGS])\n\n```\n\n\u003cp align=\"right\"\u003e\u003ca href=\"#top\"\u003e🔝\u003c/a\u003e\u003c/p\u003e\n\n\n## Compare with tcpdump\n\n| Options                                           | tcpdump | ptcpdump                 |\n|---------------------------------------------------|---------|--------------------------|\n| *expression*                                      | ✅       | ✅                        |\n| -i *interface*, --interface=*interface*           | ✅       | ✅                        |\n| -w *x.pcapng*                                     | ✅       | ✅ (with process info)    |\n| -w *x.pcap*                                       | ✅       | ✅ (without process info) |\n| -w *-*                                            | ✅       | ✅                        |\n| -r *x.pcapng*, -r *x.pcap*                      
  | ✅       | ✅                        |\n| -r *-*                                            | ✅       | ✅                        |\n| --pid *process_id*                                |         | ✅                        |\n| --pname *process_name*                            |         | ✅                        |\n| --uid *user_id*                                   |         | ✅                        |\n| --container-id *container_id*                     |         | ✅                        |\n| --container-name *container_name*                 |         | ✅                        |\n| --pod-name *pod_name.namespace*                   |         | ✅                        |\n| -f, --follow-forks                                |         | ✅                        |\n| -- *command [args]*                               |         | ✅                        |\n| --netns *path_to_net_ns*                          |         | ✅                        |\n| --print                                           | ✅       | ✅                        |\n| -A                                                | ✅       | ✅                        |\n| -B *buffer_size*, --buffer-size=*buffer_size*     | ✅       |                          |\n| -c *count*                                        | ✅       | ✅                        |\n| --count                                           | ✅       | ✅                        |\n| -C *file_size*                                    | ✅       | ✅                        |\n| -d                                                | ✅       |                          |\n| -dd                                               | ✅       |                          |\n| -ddd                                              | ✅       |                          |\n| -D, --list-interfaces                             | ✅       | ✅                        |\n| -e                                                | ✅       |                          |\n| -f                      
                          | ✅       | ⛔                        |\n| -F *file*                                         | ✅       | ✅                        |\n| -G *rotate_seconds*                               | ✅       |                          |\n| -h, --help                                        | ✅       | ✅                        |\n| -H                                                | ✅       |                          |\n| -I, --monitor-mode                                | ✅       |                          |\n| --immediate-mode                                  | ✅       |                          |\n| -j *tstamp_type*, --time-stamp-type=*tstamp_type* | ✅       |                          |\n| --time-stamp-precision=*tstamp_precision*         | ✅       | ✅                        |\n| -J, --list-time-stamp-types                       | ✅       |                          |\n| --micro                                           | ✅       | ✅                        |\n| --nano                                            | ✅       | ✅                        |\n| -K, --dont-verify-checksums                       | ✅       |                          |\n| -l                                                | ✅       |                          |\n| -L, --list-data-link-types                        | ✅       |                          |\n| -m *module*                                       | ✅       |                          |\n| -M *secret*                                       | ✅       |                          |\n| -n                                                | ✅       | ✅                        |\n| -N                                                | ✅       |                          |\n| -#, --number                                      | ✅       | ✅                        |\n| -O, --no-optimize                                 | ✅       |                          |\n| -p, --no-promiscuous-mode                         | ✅       | ⛔                        |\n| 
-q                                                | ✅       | ✅                        |\n| -Q *direction*, --direction=*direction*           | ✅       | ✅                        |\n| -S, --absolute-tcp-sequence-numbers               | ✅       |                          |\n| -s *snaplen*, --snapshot-length=*snaplen*         | ✅       | ✅                        |\n| -T *type*                                         | ✅       |                          |\n| -t                                                | ✅       | ✅                        |\n| -tt                                               | ✅       | ✅                        |\n| -ttt                                              | ✅       | ✅                        |\n| -tttt                                             | ✅       | ✅                        |\n| -ttttt                                            | ✅       | ✅                        |\n| -u                                                | ✅       |                          |\n| -U, --packet-buffered                             | ✅       |                          |\n| -y *datalinktype*, --linktype=*datalinktype*      | ✅       |                          |\n| -v                                                | ✅       | ✅                        |\n| -vv                                               | ✅       | ⭕                        |\n| -vvv                                              | ✅       | ⭕                        |\n| -V *file*                                         | ✅       |                          |\n| --version                                         | ✅       | ✅                        |\n| -W *filecount*                                    | ✅       | ✅                        |\n| -x                                                | ✅       | ✅                        |\n| -xx                                               | ✅       | ✅                        |\n| -X                                                | ✅       | ✅     
                   |\n| -XX                                               | ✅       | ✅                        |\n| -z *postrotate-command*                           | ✅       |                          |\n| -Z *user*, --relinquish-privileges=*user*         | ✅       |                          |\n\n\u003cp align=\"right\"\u003e\u003ca href=\"#top\"\u003e🔝\u003c/a\u003e\u003c/p\u003e\n\n\n\n## Developing\n\n\n### Dependencies\n\n* Go \u003e= 1.23\n* Clang/LLVM \u003e= 14\n* Bison \u003e= 3.8\n* Lex/Flex \u003e= 2.6\n* GCC\n* GNU make\n* autoconf\n\n\n### Building\n\n1. Build eBPF programs (optional):\n\n    ```\n    make build-bpf\n    ```\n\n    Or:\n\n    ```\n    make build-bpf-via-docker\n    ```\n\n2. Build ptcpdump:\n\n    ```\n    make build\n    ```\n\n    Or:\n\n    ```\n    make build-via-docker\n    ```\n\n\u003cp align=\"right\"\u003e\u003ca href=\"#top\"\u003e🔝\u003c/a\u003e\u003c/p\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmozillazg%2Fptcpdump","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmozillazg%2Fptcpdump","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmozillazg%2Fptcpdump/lists"}