Preface
This article introduces the main changes in ptcpdump from v0.33 (the release after v0.32) up to the latest v0.37, in chronological order.
Main changes
Prefer using BPF ringbuf instead of BPF perfbuf
If the Linux kernel on the current system supports BPF ringbuf, ptcpdump now prefers BPF ringbuf over BPF perfbuf to improve performance. For more information about BPF ringbuf, refer to BPF ring buffer.
Fix the issue where packet filtering by process failed when using the cgroup-skb backend
Fixed an issue in previous versions where filtering by --pid or --pname did not work when the cgroup-skb backend was selected via --backend=cgroup-skb.
Support reading PcapNG format data from standard input
It now supports reading PcapNG format data from standard input using -r -:
$ cat data.pcapng | ptcpdump -r -
$ ptcpdump -r - < data.pcapng
Support file rotation using -C and -W options
It now supports file rotation when saving data to a file using -w, by using the -C or -W options:
sudo ptcpdump -i any -w data.pcapng -C 1mb
sudo ptcpdump -i any -w data.pcapng -C 1mb -W 5
Where:
- -C specifies the maximum file size. When this size is exceeded, a number will be appended to the old filename (e.g., data.pcapng1) to save historical data.
- -W specifies the number of files to keep. It must be used with -C to limit the number of files.
Support reading pcap filter expressions from a file using -F/--expression-file
It now supports reading pcap filter expressions from a file using the -F or --expression-file option:
sudo ptcpdump -i any -c 10 -F filter.txt
sudo ptcpdump -i any -c 10 --expression-file filter.txt
Support specifying output time format using -tt, -ttt, -tttt, -ttttt
It now supports using -tt, -ttt, -tttt, and -ttttt to specify the time format when outputting packet information.
- -tt : Displays the timestamp as seconds since the Unix epoch, e.g., 1764417816.346098 ens33 sshd.183127 Out IP xx.xx.xx.xx.22 > xx.xx.xx.xx.64755:...
- -ttt : Displays the time interval between two records, e.g., 00:00:00.000265 ens33 sshd.183127 Out IP xx.xx.xx.xx.22 > xx.xx.xx.xx.64755:...
- -tttt : Displays date and time, e.g., 2025-11-29 20:03:36.346098 ens33 sshd.183127 Out IP xx.xx.xx.xx.22 > xx.xx.xx.xx.64755:...
- -ttttt : Displays the time interval since the first record, e.g., 00:00:00.002708 ens33 sshd.183127 Out IP xx.xx.xx.xx.22 > xx.xx.xx.xx.64755:...
Support using system-installed libpcap via dynamic linking
Previous versions only supported statically linking the libpcap dependency. It now also supports using the system-installed libpcap library via dynamic linking, for environments that prefer to manage libpcap as a system library.
You can build against the dynamic library with either of the following commands:
$ CGO_ENABLED=1 go build -tags dynamic
$ make build-dynamic-link
Fix the issue where using -s 0 caused the program to crash
In previous versions, using the -s 0 option caused the ptcpdump program to crash. This issue is now fixed.
Fix the issue of inaccurate timestamps in terminal output
In previous versions, the timestamps of packet information in the terminal output drifted further from the actual event time over time. This issue is now fixed.
Experimental support for armv7 CPU architecture
Experimental support for the armv7 CPU architecture has been added in the new version. Since there is no CI environment for the armv7 architecture, this support is experimental only, and compatibility in future versions cannot be guaranteed. If a future version turns out not to work on armv7, feedback is welcome.
Add tp-btf backend
A new backend, tp-btf, has been added. When this backend is used, ptcpdump uses BPF_PROG_TYPE_TRACING eBPF programs to capture packets. The main difference from the tc backend is that tp-btf captures data from all network namespaces by default, while the tc backend defaults to capturing only from the current network namespace (use --netns to select a specific network namespace). For differences between backends, see Backend.
You can use the new tp-btf backend via --backend tp-btf.
Add socket-filter backend
Another new backend, socket-filter, has been added. When this backend is used, ptcpdump uses BPF_PROG_TYPE_SOCKET_FILTER eBPF programs to capture packets. With this backend, the output of ptcpdump is closer to that of tcpdump, because packets are captured at a similar point in the stack. For differences between backends, see Backend.
You can use the new socket-filter backend via --backend socket-filter.
Display inode ID in cross-network namespace results
Starting from the new version, when the output contains data from a network namespace other than the current one, the program will attempt to display the inode ID of that network namespace alongside the network interface name:
12:20:31.336316 eth0@4026533097 curl.405939 Out IP 172.17.0.4.38670 > 1.1.1.1.80: Flags [S], seq 3064539219, win 64240, options [mss 1460,sackOK,TS val 1731159046 ecr 0,nop,wscale 7], length 0, ParentProc [bash.405653]
12:20:31.336382 veth1d387b0 curl.405939 In IP 172.17.0.4.38670 > 1.1.1.1.80: Flags [S], seq 3064539219, win 64240, options [mss 1460,sackOK,TS val 1731159046 ecr 0,nop,wscale 7], length 0, ParentProc [bash.405653]
Add IP Options information to -v output
The new version outputs IP Options information when the -v option is used for verbose output:
09:48:31.908813 IP (tos 0x0, ttl 64, id 39183, offset 0, flags [none], proto TCP (6), length 80, options (RR 1.2.3.4, 1.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0,EOL))
${IP}.1373 > 1.1.1.1.80: Flags [S], cksum 0xbfb4, seq 122218745, win 512, length 0
Add output for HTTP information
If a packet contains HTTP data, the new version will output basic HTTP information by default:
13:27:02.285015 IP ${IP}.57166 > ${IP}.80: Flags [P.], ..., length 73: HTTP: GET / HTTP/1.1
13:27:02.516911 IP ${IP}.80 > ${IP}.57166: Flags [P.], ..., length 349: HTTP: HTTP/1.1 301 Moved Permanently
If -v is used for detailed output, detailed HTTP information will be included:
13:27:02.285015 IP (tos 0x0, ttl 64, id 8683, offset 0, flags [DF], proto TCP (6), length 113)
..., length 73: HTTP: GET / HTTP/1.1
GET / HTTP/1.1
Host: kernel.org
User-Agent: curl/8.5.0
Accept: */*
13:27:02.516911 IP (tos 0x0, ttl 128, id 62994, offset 0, flags [none], proto TCP (6), length 389)
..., length 349: HTTP: HTTP/1.1 301 Moved Permanently
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Sat, 05 Jul 2025 13:27:02 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Location: https://kernel.org/
<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx</center>
</body>
</html>
Add output for TLS information
If a packet contains TLS data, the new version will output TLS Client Hello or Server Hello information by default:
13:48:40.371849 IP ${IP}.47812 > ${IP}.443: Flags [P.], ..., length 517: TLSv1.0: Client Hello (SNI=kernel.org)
13:48:40.606677 IP ${IP}.443 > ${IP}.47812: Flags [P.], ..., length 1412: TLSv1.3: Server Hello
Add support for capturing on L3 network interface devices
Previous versions only supported capturing on L2 network interface devices. The new version adds support for L3 network interfaces (such as TUN devices).
Change to display TCP sequence numbers as relative numbers by default
In previous versions, raw (absolute) TCP sequence numbers were displayed by default, which made the output hard to read:
20:03:36.346098 ens33 sshd.183127 Out IP ${IP}.22 > ${IP}.64755: Flags [P.], seq 1457857145:1457857369, ack 1966040526, win 65535, length 224, ParentProc [sshd.16678]
20:03:36.346909 ens33 sshd.183127 In IP ${IP}.64755 > ${IP}.22: Flags [.], seq 1966040526, ack 1457857369, win 64240, length 0, ParentProc [sshd.16678]
20:03:36.348807 ens33 sshd.183127 Out IP ${IP}.22 > ${IP}.64755: Flags [P.], seq 1457857369:1457857593, ack 1966040526, win 65535, length 224, ParentProc [sshd.16678]
The new version displays TCP sequence numbers as relative numbers by default:
20:03:36.346098 ens33 sshd.183127 Out IP ${IP}.22 > ${IP}.64755: Flags [P.], seq 1457857145:1457857369, ack 1966040526, win 65535, length 224, ParentProc [sshd.16678]
20:03:36.346909 ens33 sshd.183127 In IP ${IP}.64755 > ${IP}.22: Flags [.], ack 224, win 64240, length 0, ParentProc [sshd.16678]
20:03:36.348807 ens33 sshd.183127 Out IP ${IP}.22 > ${IP}.64755: Flags [P.], seq 224:448, ack 0, win 65535, length 224, ParentProc [sshd.16678]
The -S / --absolute-tcp-sequence-numbers option has also been added to switch back to displaying raw numbers.
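To make the relative display above concrete, here is an added example (not ptcpdump's own code) that reproduces the tcpdump-style conversion from the raw records: the first packet on a connection keeps absolute numbers and fixes a base for each direction, and later packets show offsets from those bases. The input records are constructed from the three raw lines above, with the page's ${IP} placeholders replaced by documentation addresses.

```python
import re

# Constructed sample input: the three raw records from this page, with the
# page's ${IP} placeholders replaced by documentation addresses (192.0.2.x).
RAW_RECORDS = [
    "20:03:36.346098 ens33 sshd.183127 Out IP 192.0.2.10.22 > 192.0.2.20.64755: "
    "Flags [P.], seq 1457857145:1457857369, ack 1966040526, win 65535, length 224",
    "20:03:36.346909 ens33 sshd.183127 In IP 192.0.2.20.64755 > 192.0.2.10.22: "
    "Flags [.], seq 1966040526, ack 1457857369, win 64240, length 0",
    "20:03:36.348807 ens33 sshd.183127 Out IP 192.0.2.10.22 > 192.0.2.20.64755: "
    "Flags [P.], seq 1457857369:1457857593, ack 1966040526, win 65535, length 224",
]

# Fields needed from one record line (timestamp, iface, process and direction
# are skipped); anything after "length" such as ParentProc is ignored.
RECORD_RE = re.compile(
    r"^\S+ \S+ \S+ (?:In|Out) IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]"
    r", seq (?P<seq>\d+)(?::(?P<seq_end>\d+))?(?:, ack (?P<ack>\d+))?"
    r".*?, length (?P<len>\d+)"
)
SEQ_MOD = 1 << 32  # the TCP sequence space wraps at 2^32


def relativize(records: list[str]) -> list[str]:
    """Return the 'seq ..., ack ...' part of each record using relative numbers."""
    flows: dict[tuple[str, str], tuple[int, int]] = {}  # (src, dst) -> (seq base, ack base)
    rendered = []
    for line in records:
        m = RECORD_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised record: {line!r}")
        src, dst = m["src"], m["dst"]
        seq = int(m["seq"])
        seq_end = int(m["seq_end"]) if m["seq_end"] else None
        ack = int(m["ack"]) if m["ack"] else None
        if (src, dst) in flows:
            seq_base, ack_base = flows[(src, dst)]
        elif (dst, src) in flows:
            ack_base, seq_base = flows[(dst, src)]  # reverse direction: swap the bases
        else:
            flows[(src, dst)] = (seq, ack or 0)
            seq_base = ack_base = 0  # first packet of the connection: keep absolute values
        parts = []
        # Like tcpdump, print seq only for segments carrying data or SYN/FIN/RST.
        if int(m["len"]) > 0 or any(f in m["flags"] for f in "SFR"):
            text = str((seq - seq_base) % SEQ_MOD)
            if seq_end is not None:
                text += f":{(seq_end - seq_base) % SEQ_MOD}"
            parts.append(f"seq {text}")
        if ack is not None:
            parts.append(f"ack {(ack - ack_base) % SEQ_MOD}")
        rendered.append(", ".join(parts))
    return rendered
```

Running relativize(RAW_RECORDS) yields exactly the seq/ack fields shown in the new-version output above: the first record unchanged, then "ack 224", then "seq 224:448, ack 0".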
If you have any additional improvements or new feature suggestions for ptcpdump, feel free to leave a comment in the comments section or project issues.