
I'm capturing packets with tcpdump. However, when I want to see the output with tcpdump -r, I see the destination hostname instead of the IP address and the service name instead of the port number.

Example:

tcpdump -w /home/backup/out.bin -nn -i ens192 '(dst port 80)'

After a minute, Ctrl + C to stop the process.

Then:

tcpdump -r /home/backup/out.bin

It shows:

12:01:28.079940 IP 192.168.1.20.50704 > app.server.http: Flags [.], ack 4196894497, win 229, options [nop,nop,TS val 875454090 ecr 3736039484], length 0
12:01:28.080841 IP 192.168.1.20.50704 > app.server.http: Flags [.], ack 93, win 229, options [nop,nop,TS val 875454091 ecr 3736039485], length 0
12:01:28.080863 IP 192.168.1.20.50704 > app.server.http: Flags [P.], seq 0:95, ack 93, win 229, options [nop,nop,TS val 875454091 ecr 3736039485], length 95

It should show the IP address and port number instead of app.server.http.

What can I do in this case?

user3637971

1 Answer


The captured data itself does contain the IP addresses and port numbers. However, tcpdump does reverse lookups for IP addresses and port numbers during display. One can use -n to disable reverse lookups.

So, you should use

tcpdump -n -r /home/backup/out.bin

to display the capture.

Tero Kilkanen
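As an added example (not part of the question or the answer above), a small Python parser for the tcpdump -r line format shown in the question: it splits each endpoint on its last dot, the way tcpdump separates address from port, and flags lines where reverse lookups turned an address or port into a hostname or service name. The fourth sample line is constructed (destination 10.0.0.5.80 is assumed) to show what the same packet looks like when read back with -n.

```python
import re
from ipaddress import ip_address

# Constructed sample: the three lines from the question (printed without -n),
# plus an assumed numeric variant of the first line as `tcpdump -n -r` prints it.
SAMPLE = """\
12:01:28.079940 IP 192.168.1.20.50704 > app.server.http: Flags [.], ack 4196894497, win 229, options [nop,nop,TS val 875454090 ecr 3736039484], length 0
12:01:28.080841 IP 192.168.1.20.50704 > app.server.http: Flags [.], ack 93, win 229, options [nop,nop,TS val 875454091 ecr 3736039485], length 0
12:01:28.080863 IP 192.168.1.20.50704 > app.server.http: Flags [P.], seq 0:95, ack 93, win 229, options [nop,nop,TS val 875454091 ecr 3736039485], length 95
12:01:28.079940 IP 192.168.1.20.50704 > 10.0.0.5.80: Flags [.], ack 4196894497, win 229, options [nop,nop,TS val 875454090 ecr 3736039484], length 0
"""

# timestamp, source endpoint, destination endpoint, TCP flags, payload length
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"Flags \[(?P<flags>[^\]]*)\],.* length (?P<len>\d+)$"
)


def split_endpoint(endpoint):
    """Split 'address.port' into (address, port, resolved).

    tcpdump joins address and port with a dot, so only the last dot separates
    them. 'resolved' is True when a reverse lookup replaced the address with a
    hostname or the port with a service name (i.e. the capture was read without -n).
    """
    host, _, port = endpoint.rpartition(".")
    try:
        ip_address(host)
        host_is_name = False
    except ValueError:
        host_is_name = True
    return host, port, host_is_name or not port.isdigit()


def parse_line(line):
    """Return a dict for one tcpdump output line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src_host, src_port, src_resolved = split_endpoint(m["src"])
    dst_host, dst_port, dst_resolved = split_endpoint(m["dst"])
    return {"ts": m["ts"], "src": (src_host, src_port), "dst": (dst_host, dst_port),
            "flags": m["flags"], "length": int(m["len"]),
            "resolved": src_resolved or dst_resolved}


def parse(text):
    """Parse all matching lines of tcpdump -r output."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]
```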