384 Chapter 9 · DIY Malware Analysis

Typical tcpdump and windump command-line options are discussed here. For the complete manual on tcpdump, refer to the man page at www.rt.com/man/tcpdump.1.html. The most common command-line options and expressions are presented below.

Results of Running windump at the Command Line to Show Proper Syntax Formatting

    windump version 3.9.5, based on tcpdump version 3.9.5
    WinPcap version 3.1 (packet.dll version 3, 1, 0, 27), based on libpcap version 0.9[.x]
    Usage: windump [-aAdDeflLnNOpqRStuUvxX] [ -B size ] [-c count] [ -C file_size ]
                   [ -E algo:secret ] [ -F file ] [ -i interface ] [ -M secret ]
                   [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]
                   [ -W filecount ] [ -y datalinktype ] [ -Z user ] [ expression ]

Here is a listing of common tcpdump and windump options and expressions:

-?  List command-line syntax options (see Figure 9.17). tcpdump prints this usage text for any option it does not recognize, which is why -? works.
-c  End the capture after [count] packets have been captured.
-i  Listen for packets on [interface]. The default is the lowest-numbered configured, up interface, excluding loopback.
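The options above are usually combined into one capture command on the analysis host. The following POSIX sh wrapper is an added example, not code from the book: it builds a bounded capture from -i, -c, -w, -n, -s and -U (all present in the usage line above) and validates the arguments before running anything. The function names, the interface name sbx0 and the file name sample.pcap are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example (not from the book): build and run a bounded tcpdump/windump
# capture for a malware-analysis host. Names below are this example's own.

# Capture binary: tcpdump on Unix, windump on Windows. Defaults to tcpdump so
# the command line can still be built (dry run) where neither is installed.
CAPTURE_TOOL=${CAPTURE_TOOL:-tcpdump}

# Pick whichever capture tool is on PATH; returns 1 if neither is found.
detect_capture_tool() {
    for tool in tcpdump windump; do
        if command -v "$tool" >/dev/null 2>&1; then
            CAPTURE_TOOL=$tool
            return 0
        fi
    done
    return 1
}

# build_capture_cmd IFACE COUNT OUTFILE [FILTER...]
# Prints the command line on stdout; returns 1 on bad arguments.
# Options come straight from the usage string on this page:
#   -n    no host/port name lookups (no resolver traffic from the analysis box)
#   -i    capture interface        -c   stop after COUNT packets
#   -s 0  full-length packets      -U   flush each packet to the -w file
#   -w    write raw pcap for later reading with -r
build_capture_cmd() {
    [ $# -ge 3 ] || return 1
    iface=$1; count=$2; outfile=$3
    shift 3
    [ -n "$iface" ] && [ -n "$outfile" ] || return 1
    case $count in
        ''|*[!0-9]*) return 1 ;;            # digits only
    esac
    [ "$count" -gt 0 ] 2>/dev/null || return 1   # rejects 0 and 00
    printf '%s' "$CAPTURE_TOOL -n -i $iface -c $count -s 0 -U -w $outfile"
    # Remaining arguments form the BPF expression, e.g. "not port 22".
    if [ $# -gt 0 ]; then
        printf ' %s' "$*"
    fi
    printf '\n'
}

# run_capture IFACE COUNT OUTFILE [FILTER...]: build the command and run it.
# Needs capture privileges (root, or the WinPcap driver on Windows).
run_capture() {
    cmd=$(build_capture_cmd "$@") || return 1
    echo "+ $cmd" >&2
    $cmd    # word-split on purpose: the filter is passed as plain words
}

# Read a finished capture back, again without name resolution.
read_capture() {
    $CAPTURE_TOOL -n -r "$1"
}

# Example invocation: sh capture.sh sbx0 200 sample.pcap not port 22
if [ $# -gt 0 ]; then
    detect_capture_tool || { echo "no tcpdump/windump found" >&2; exit 1; }
    run_capture "$@"
fi
```

On Windows, the -i argument is the interface number reported by windump -D rather than a name; the wrapper passes it through unchanged. -s 0 is used because the default snaplen in this tcpdump generation truncates packets, which loses the payload bytes a malware analyst actually wants to see.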