Tcpdump is a CLI tool to capture raw network packets. It is very useful for various forms of network troubleshooting. We will learn how to filter packets by port in tcpdump command.
TCP and UDP Ports
Our system uses ports to communicate with other devices on a network. Each port is associated with a specific function or service, and each device on a network has to have a unique port number assigned to it.
There are two types of ports: TCP and UDP. TCP ports are used for reliable communication, and UDP ports are used for unreliable communication.
TCP ports are used when you need to guarantee that the data will be received and processed successfully, while UDP ports are used when you don’t need to guarantee that the data will be received or processed successfully.
Some common TCP and UDP ports are:
TCP Ports:
80 (HTTP), 443 (HTTPS), 25 (SMTP), 110 (POP3), 143 (IMAP)
UDP Ports:
53 (DNS), 137 (NETBIOS), 161 (SNMP)
TCP and UDP can both multiplex using port numbers to work with multiple applications. For example, DHCP uses UDP ports 67 and 68, RIP uses UDP port 520, and HTTP uses TCP port 80.
Both Tcp and UDP use a pair of endpoints as their fundamental communication.We will take the following two protocols as examples.
(128.2.254.139, 1184) <=> (128.10.2.3, 53) UDP
(128.2.254.139, 2012) <=> (128.10.2.4, 22) TCP
53 is the default port for DNS. 22 is the default port for SSH.
Filter Packets with Specific Port in tcpdump
If you want to filter packets that are coming in or going out on a specific port, you can use the “tcpdump” tool. The “tcpdump” tool has the following syntax: tcpdump -i <interface> [port <port>]
The “-i” parameter specifies the network interface that you want to listen on. The “port” parameter specifies the port number that you want to filter on.
Here’s an example: tcpdump -i eth0 port 80
This command will capture all of the packets that are traveling through interface eth0 (the first Ethernet interface) and that are for port 80 (the HTTP port).
If we need to filter packets for the first connection above, we can use the following ways.
- tcpdump -i interface port 1184
- tcpdump -i interface port 53
Filter Packets with Port Direction in tcpdump
The “port” parameter in tcpdump specifies the port number that you want to filter on. The “src” parameter specifies the source IP address or hostname, and the “dst” parameter specifies the destination IP address or hostname.
Here’s an example: tcpdump -i eth0 src 192.168.0.100 and dst port 80
This command will capture all of the packets that are traveling through interface eth0 (the first Ethernet interface), that have a source IP address of 192.168.0.100, and that are destined for port 80
To be more specific, we can add the port direction like this.( dst-> destination, src->source)
- tcpdump -i interface dst port 53
- tcpdump -i interface src port 1184
- tcpdump -i interface src port 1184 and dst port 53
Filter Packets with Host and Port in tcpdump
The “host” parameter in tcpdump specifies the hostname or IP address that you want to filter on.
Here’s an example: tcpdump -i eth0 port 80 and src 192.168.0.100 and dst host www.howtouselinux.com
This command will capture all of the packets that are traveling through interface eth0 (the first Ethernet interface), that have a source IP address of 192.168.0.100, and that are destined for port 80 on the host www.howtouselinux.com
If we need to filter packets for both two connections, we can use the following commands.
- tcpdump -i interface dst host 128.10.2.3 or dst host 128.10.2.4
- tcpdump -i interface dst port 53 or dst port 22
- tcpdump -i interface dst port 53 and dst host 128.10.2.3
Filter Packets with TCP UDP Port in tcpdump
The “udp” parameter in tcpdump specifies that we want to capture packets that are using the UDP protocol.
Here’s an example: tcpdump -i eth0 udp port 53
This command will capture all of the packets that are traveling through interface eth0 (the first Ethernet interface) and that are using the UDP protocol.
If we want to filter the packets at the beginning of this article, we can use this command. tcpdump -i interface dst port 53 and udp
For the second example, we can use this. tcpdump -i interface dst port 22 and tcp
Filter Packets with Port Range in tcpdump
If you want to capture packets that are traveling to or from a specific port range, you can use the “portrange” parameter in tcpdump. The “portrange” parameter allows you to specify a range of port numbers, instead of just a single port number.
Here’s an example: tcpdump -i eth0 portrange 22-25 will capture all of the packets that are traveling through interface eth0 and that are destined for ports 22 through 25.
Reference:
