Tcpdump with no filters will produce so much output that it will prove very difficult to find traffic of interest. There are numerous filtering expressions available that limit the traffic displayed or captured.
- Host filters
- Network filters
- Port filters
- Protocol filters
- Negating a filter match
- Combining filters
Tcpdump provides several options that enhance or modify its output. The following are the commonly used options for tcpdump command.
|-i||Listen on the specified interface.|
|-n||Don’t resolve hostnames. You can use -nn to don’t resolve hostnames or port names.|
|-t||Print human-readable timestamp on each dump line, -tttt: Give maximally human-readable timestamp output.|
|-X||Show the packet’s contents in both hex and ascii.|
|-v, -vv, -vvv||enables verbose logging/details (which among other things will give us a running total on how many packets are captured|
|-c N||Only get N number of packets and then stop.|
|-s||Define the snaplength (size) of the capture in bytes. Use -s0 to get everything, unless you are intentionally capturing less.|
|-S||Print absolute sequence numbers.|
|-q||Show less protocol information.|
|-w||Write the raw packets to file|
|-C file_size(M)||tells tcpdump to store up to x MB of packet data per file.|
|-G rotate_seconds||Create a new file every time the specified number of seconds has elapsed.|
To filter for a specific host, append host and the IP address to the tcpdump command. To filter for host 192.168.1.100 use the following command:
# tcpdump -ni igb1 host 192.168.1.100
That will capture all traffic to and from that host. To only capture traffic being initiated by that host, use the src directive:
# tcpdump -ni igb1 src host 192.168.1.100
Similarly, filtering for traffic destined to that IP address is possible by specifying dst:
# tcpdump -ni igb1 dst host 192.168.1.100
Network filters narrow the capture to a specific subnet using the net expression. Following net, specify a dotted quad ( 192.168.1.1), dotted triple ( 192.168.1), dotted pair (192.168) or simply a number ( 192).
A dotted quad is equivalent to specifying host, a dotted triple uses a subnet mask of 255.255.255.0, a dotted pair uses 255.255.0.0, and a number alone uses 255.0.0.0.
The following command displays traffic to or from any host with a 192.168.1.x IP address:
# tcpdump -ni igb1 net 192.168.1
The next command will capture traffic to or from any host with a 10.x.x.x IP address:
# tcpdump -ni igb1 net 10
Those examples will capture all traffic to or from the specified network. The src or dst keywords may be used the same as with host filters to capture only traffic initiated by or destined to the specified network:
# tcpdump -ni igb1 src net 10
A CIDR mask can also be passed as an argument to net:
# tcpdump -ni igb1 src net 172.16.0.0/12
Narrowing down by host or network frequently isn’t adequate to eliminate unnecessary traffic from a capture. Or the source or destination of traffic may not be significant, and all traffic of a certain type should be captured. In other cases, filtering out all traffic of a specific type can reduce noise.
To filter on TCP and UDP ports, use the port directive. This captures both TCP and UDP traffic using the specified port either as a source or destination port. It can be combined with tcp or udp to specify the protocol, and src or dst to specify a source or destination port.
Capture all HTTP traffic
# tcpdump -ni igb1 tcp port 80
Capture all DNS traffic (usually UDP, but some queries use TCP):
# tcpdump -ni igb1 port 53
Specific protocols can be filtered using the proto directive or by using the protocol name directly.
The following capture will show all ICMP traffic on the igb1 interface:
# tcpdump -ni igb1 icmp
Negating a filter match
In addition to matching specific parameters, a filter match can be negated by specifying not in front of the filter expression. When troubleshooting something other than icmp, exclude it as follows:
# tcpdump -ni igb1 not icmp
Any of the aforementioned filters can be combined using and or or. The following sections provide some examples.
Display all HTTP traffic to and from a host and Display all HTTP traffic to or from 192.168.1.11:
# tcpdump -ni igb1 host 192.168.1.11 and tcp port 80
Display all HTTP traffic to and from multiple hosts and Display all HTTP traffic from either 192.168.1.11 or 192.168.1.15:
# tcpdump -ni igb1 host 192.168.1.11 or host 192.168.1.15 and tcp port 80
Filter expression usage
Filter expressions must come after every command-line flag used. Adding any flags after a filter expression will result in a syntax error.
- Incorrect ordering
- # tcpdump -ni igb1 -T carp carp -c 2
- tcpdump: syntax error
- Correct ordering
- # tcpdump -ni igb1 -T carp -c 2 carp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on igb1, link-type EN10MB (Ethernet), capture size 65535 bytes
14:50:07.426993 IP 198.51.100.12 > 188.8.131.52: CARPv2-advertise 36: vhid=11 advbase=1 advskew=0 authlen=7 counter=5449924379588860810
14:50:08.436849 IP 198.51.100.12 > 184.108.40.206: CARPv2-advertise 36: vhid=11 advbase=1 advskew=0 authlen=7 counter=5449924379588860810
2 packets captured
78 packets received by filter
0 packets dropped by kernel