0

This seems to show up only with -e and for me only on my VPN interface, e.g.:

```
> sudo tcpdump -enn -i utun1
...
11:35:22.440690 AF IPv4 (2), length 32: 1.2.3.4.1234 > 1.2.3.5.1234: [|domain]
```

Edit: Testing with Wireshark, it seems that VPN interfaces lack an Ethernet header. It's still not clear to me what "AF" is supposed to mean though, but it seems to be standing in for where the link layer addresses would usually go.

jtpereyda
  • Address Family. https://stackoverflow.com/questions/4976897/what-is-address-family – ceejayoz Mar 05 '19 at 19:43
  • @ceejayoz Thanks for the link. I'm still unclear as to what tcpdump means to communicate by inserting "AF" into its output. – jtpereyda Mar 05 '19 at 19:58

1 Answer

1

In your case the "AF" string is just the field name. The actual value of the address family follows next. If you are interested in more details, you can look into the source code.

Pang
Anton Danilov
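What the "AF" field discussed above corresponds to in the capture, as an added example that is not part of the original posts and is not tcpdump's own code. It assumes the interface is captured with the DLT_NULL link type, where each packet begins with a 4-byte address family in the capturing host's byte order instead of an Ethernet header; the function names and the frame bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NULL_HDRLEN 4  /* DLT_NULL: 4-byte address family, then the packet */

/* 2 is AF_INET on all of these systems; the AF_INET6 number differs per OS. */
static const char *family_name(uint32_t af) {
    switch (af) {
    case 2:  return "IPv4";
    case 24: return "IPv6";  /* NetBSD, OpenBSD */
    case 28: return "IPv6";  /* FreeBSD */
    case 30: return "IPv6";  /* macOS */
    default: return "Unknown";
    }
}

/* Read the family from a DLT_NULL frame. The field is stored in the byte
 * order of the capturing host, so a value with bits set in the upper 16
 * is taken to come from a host of the other endianness and is swapped.
 * Returns 0 on success, -1 if the frame is shorter than the header. */
static int null_family(const uint8_t *frame, size_t len, uint32_t *af) {
    uint32_t v;
    if (len < NULL_HDRLEN)
        return -1;
    memcpy(&v, frame, sizeof v);  /* native-order read, no alignment assumption */
    if ((v & 0xFFFF0000u) != 0)
        v = ((v & 0xFFu) << 24) | ((v & 0xFF00u) << 8) |
            ((v >> 8) & 0xFF00u) | (v >> 24);
    *af = v;
    return 0;
}

/* Build a label laid out like the one in the question; len is the frame length. */
static int describe(const uint8_t *frame, size_t len, char *out, size_t outlen) {
    uint32_t af;
    if (null_family(frame, len, &af) != 0)
        return -1;
    snprintf(out, outlen, "AF %s (%u), length %zu", family_name(af), (unsigned)af, len);
    return 0;
}

int main(void) {
    /* Constructed frame: family 2 in little-endian order, then 28 zero bytes. */
    uint8_t frame[32] = { 0x02, 0x00, 0x00, 0x00 };
    char line[64];
    if (describe(frame, sizeof frame, line, sizeof line) == 0)
        puts(line);
    return 0;
}
```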