howtouselinux

Tcpdump: Filter Packets By Port


Tcpdump is a command-line tool that captures raw network packets. It is very useful for many kinds of network troubleshooting. In this article we will learn how to filter packets by port with the tcpdump command.

TCP and UDP Ports

Our system uses ports to communicate with other devices on a network. Each port is associated with a specific function or service, and the combination of an IP address and a port number identifies one endpoint of a connection.

There are two types of ports: TCP and UDP. TCP ports carry reliable, connection-oriented traffic, while UDP ports carry connectionless traffic with no delivery guarantee.

TCP ports are used when you need to guarantee that the data will be received and processed in order, while UDP ports are used when you do not need that guarantee and prefer lower overhead.

Some common TCP and UDP ports are:

TCP Ports:

80 (HTTP), 443 (HTTPS), 25 (SMTP), 110 (POP3), 143 (IMAP)

UDP Ports:

53 (DNS), 137 (NETBIOS), 161 (SNMP)

TCP and UDP can both multiplex using port numbers to work with multiple applications. For example, DHCP uses UDP ports 67 and 68, RIP uses UDP port 520, and HTTP uses TCP port 80.

Both TCP and UDP identify a connection by a pair of (address, port) endpoints. We will use the following two connections as examples throughout this article.

(128.2.254.139, 1184) <=> (128.10.2.3, 53) UDP
(128.2.254.139, 2012) <=> (128.10.2.4, 22) TCP

53 is the default port for DNS. 22 is the default port for SSH.

Filter Packets with Specific Port in tcpdump

If you want to filter packets that are coming in or going out on a specific port, you can use the “tcpdump” tool. The “tcpdump” tool has the following syntax: tcpdump -i <interface> [port <port>]

The “-i” parameter specifies the network interface that you want to listen on. The “port” parameter specifies the port number that you want to filter on.

Here’s an example: tcpdump -i eth0 port 80

This command will capture all of the packets that are traveling through interface eth0 (the first Ethernet interface) and that are for port 80 (the HTTP port).

If we need to filter packets for the first connection above, either of the following commands will work (a bare "port" matches the source or the destination port).

  • tcpdump -i interface port 1184
  • tcpdump -i interface port 53


Filter Packets with Port Direction in tcpdump

The "port" parameter in tcpdump specifies the port number that you want to filter on. The "src" and "dst" qualifiers restrict a match to the source or the destination side: on their own they refer to an IP address or hostname, and in front of "port" they refer to the source or destination port.

Here’s an example: tcpdump -i eth0 src 192.168.0.100 and dst port 80

This command will capture all of the packets that are traveling through interface eth0 (the first Ethernet interface), that have a source IP address of 192.168.0.100, and that are destined for port 80.

To be more specific, we can add the port direction like this (dst = destination, src = source).

  • tcpdump -i interface dst port 53
  • tcpdump -i interface src port 1184
  • tcpdump -i interface src port 1184 and dst port 53


Filter Packets with Host and Port in tcpdump

The “host” parameter in tcpdump specifies the hostname or IP address that you want to filter on.

Here’s an example: tcpdump -i eth0 port 80 and src 192.168.0.100 and dst host www.howtouselinux.com

This command will capture all of the packets that are traveling through interface eth0 (the first Ethernet interface), that have a source IP address of 192.168.0.100, and that are destined for port 80 on the host www.howtouselinux.com.

If we need to filter packets for both connections, we can use the following commands.

  • tcpdump -i interface dst host 128.10.2.3 or dst host 128.10.2.4
  • tcpdump -i interface dst port 53 or dst port 22
  • tcpdump -i interface dst port 53 and dst host 128.10.2.3


Filter Packets with TCP UDP Port in tcpdump

The "udp" parameter in tcpdump specifies that we want to capture only packets that use the UDP protocol; "tcp" does the same for TCP.

Here's an example: tcpdump -i eth0 udp port 53

This command will capture all of the packets that are traveling through interface eth0 (the first Ethernet interface), that use the UDP protocol, and that have port 53 as their source or destination port.

If we want to filter the packets of the first connection at the beginning of this article, we can use this command: tcpdump -i interface dst port 53 and udp

For the second connection, we can use this: tcpdump -i interface dst port 22 and tcp

Filter Packets with Port Range in tcpdump

If you want to capture packets that are traveling to or from a specific port range, you can use the “portrange” parameter in tcpdump. The “portrange” parameter allows you to specify a range of port numbers, instead of just a single port number.

Here's an example: tcpdump -i eth0 portrange 22-25 will capture all of the packets that are traveling through interface eth0 and that have a source or destination port between 22 and 25, inclusive.
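To see exactly which packets the filters from the port, direction, host, protocol and port-range sections above select, here is an added example that re-implements those filter primitives in Python and runs them over constructed sample traffic. It is not tcpdump's own code: the Packet class, the sample packets and the address 203.0.113.10 (a documentation address standing in for a web server) are assumptions made for the example. It shows the rules that matter when reading a capture filter: a bare "port" or "host" matches either end of the connection, "src" and "dst" restrict it to one side, "portrange" is inclusive, and "and" binds tighter than "or".

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

# Constructed sample traffic: the two connections from the article (one packet in each
# direction) plus a web client; 203.0.113.10 is a documentation address used as a stand-in.
SAMPLE = [
    Packet("udp", "128.2.254.139", 1184, "128.10.2.3", 53),
    Packet("udp", "128.10.2.3", 53, "128.2.254.139", 1184),
    Packet("tcp", "128.2.254.139", 2012, "128.10.2.4", 22),
    Packet("tcp", "128.10.2.4", 22, "128.2.254.139", 2012),
    Packet("tcp", "192.168.0.100", 40000, "203.0.113.10", 80),
    Packet("tcp", "192.168.0.100", 50000, "203.0.113.10", 25),
]

def _match_field(direction, field, pred):
    """Test pred against the src side, dst side, or either side of 'port' / 'ip'."""
    def match(pkt):
        src = pred(getattr(pkt, f"src_{field}"))
        dst = pred(getattr(pkt, f"dst_{field}"))
        if direction == "src":
            return src
        if direction == "dst":
            return dst
        return src or dst       # bare 'port N' / 'host H' matches either end
    return match

def _parse_primitive(tokens):
    """primitive := [tcp|udp] [src|dst] (port N | portrange A-B | host H) | tcp | udp"""
    proto = direction = None
    tok = tokens.pop(0)
    if tok in ("tcp", "udp"):
        proto = tok
        if not tokens or tokens[0] in ("and", "or", ")"):
            return lambda pkt: pkt.proto == proto       # bare protocol test
        tok = tokens.pop(0)
    if tok in ("src", "dst"):
        direction = tok
        tok = tokens.pop(0)
        if tok not in ("port", "portrange", "host"):
            tokens.insert(0, tok)   # 'src 10.0.0.1': tcpdump defaults the type to host
            tok = "host"
    if tok == "port":
        value = int(tokens.pop(0))
        pred = _match_field(direction, "port", lambda v: v == value)
    elif tok == "portrange":
        lo, hi = (int(x) for x in tokens.pop(0).split("-"))
        pred = _match_field(direction, "port", lambda v: lo <= v <= hi)
    elif tok == "host":
        value = tokens.pop(0)
        pred = _match_field(direction, "ip", lambda v: v == value)
    else:
        raise ValueError(f"unsupported token: {tok!r}")
    return pred if proto is None else (lambda pkt: pkt.proto == proto and pred(pkt))

def _parse_factor(tokens):
    """factor := 'not' factor | '(' expr ')' | primitive"""
    if tokens[0] == "not":
        tokens.pop(0)
        inner = _parse_factor(tokens)
        return lambda pkt: not inner(pkt)
    if tokens[0] == "(":
        tokens.pop(0)
        inner = _parse_expr(tokens)
        if not tokens or tokens.pop(0) != ")":
            raise ValueError("missing ')'")
        return inner
    return _parse_primitive(tokens)

def _parse_term(tokens):
    """term := factor ('and' factor)*   -- 'and' binds tighter than 'or', as in tcpdump"""
    left = _parse_factor(tokens)
    while tokens and tokens[0] == "and":
        tokens.pop(0)
        left = (lambda a, b: lambda pkt: a(pkt) and b(pkt))(left, _parse_factor(tokens))
    return left

def _parse_expr(tokens):
    """expr := term ('or' term)*"""
    left = _parse_term(tokens)
    while tokens and tokens[0] == "or":
        tokens.pop(0)
        left = (lambda a, b: lambda pkt: a(pkt) or b(pkt))(left, _parse_term(tokens))
    return left

def compile_filter(expression):
    """Turn a filter string into a Packet -> bool predicate."""
    tokens = expression.replace("(", " ( ").replace(")", " ) ").split()
    matcher = _parse_expr(tokens)
    if tokens:
        raise ValueError(f"unexpected trailing tokens: {tokens}")
    return matcher

def select(expression, packets=SAMPLE):
    """Return the packets a tcpdump filter expression would capture."""
    match = compile_filter(expression)
    return [pkt for pkt in packets if match(pkt)]
```

Calling select("port 53") returns both directions of the DNS connection, while select("dst port 53") returns only the query towards the server; select("dst port 53 or dst port 22") picks one packet from each connection, and select("portrange 22-25") also catches the SMTP packet on port 25. With the real tool, tcpdump -d 'port 53' prints the compiled BPF program without capturing, which is a convenient way to check a filter before running it against live traffic.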


David Cao