tcpdump is a command-line tool for capturing raw network packets and is very useful for many kinds of network troubleshooting. This post shows how to filter packets by port with the tcpdump command.
TCP and UDP Ports
TCP and UDP both multiplex traffic between applications using port numbers. For example, DHCP uses UDP ports 67 and 68, RIP uses UDP port 520, and HTTP uses TCP port 80.
Both TCP and UDP traffic can be described in terms of connections, each identified by a pair of endpoints (an IP address and a port on each side).
We will take the following two connections as examples.
(18.104.22.168, 1184) <=> (22.214.171.124, 53) tcp
(126.96.36.199, 2012) <=> (188.8.131.52, 22) udp
Filter Packets with Specific Port
If we need to filter packets for the first connection, we can use either of the following commands (one for each end's port).
tcpdump -i interface port 1184
tcpdump -i interface port 53
Filter Packets with Port Direction
To be more specific, we can add the port direction (dst for destination, src for source):
tcpdump -i interface dst port 53
tcpdump -i interface src port 1184
tcpdump -i interface src port 1184 and dst port 53
Filter Packets with Host and Port
If we need to filter packets for both connections, we can use the following commands.
tcpdump -i interface dst host 184.108.40.206 or dst host 220.127.116.11
tcpdump -i interface dst port 53 or dst port 22
tcpdump -i interface dst port 53 and dst host 18.104.22.168
Filter Packets with TCP or UDP Port
If we need to filter the packets for the first TCP connection, we can use this command.
tcpdump -i interface dst port 53 and tcp
For the second UDP connection, we can use this command (the protocol keyword is lowercase in tcpdump filter syntax).
tcpdump -i interface dst port 22 and udp
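The directional filters above match only one side of a conversation (for example, requests to port 53 but not the replies from it). As an added example, not from the original post, the following POSIX shell helper combines host, port, direction and protocol into a single filter that matches both directions of one connection; the interface name is a placeholder to substitute.

```shell
#!/bin/sh
# Build a tcpdump (BPF) filter expression matching BOTH directions of one connection.
# Arguments: proto src_host src_port dst_host dst_port
# A one-way filter such as "src port 1184 and dst port 53" drops the replies; this
# OR-s the forward and reverse 4-tuples so the whole conversation is captured.
conn_filter() {
    proto=$1; a_host=$2; a_port=$3; b_host=$4; b_port=$5
    fwd="src host $a_host and src port $a_port and dst host $b_host and dst port $b_port"
    rev="src host $b_host and src port $b_port and dst host $a_host and dst port $a_port"
    printf '%s and ((%s) or (%s))' "$proto" "$fwd" "$rev"
}

# Looser variant: match any packet carrying both ports, regardless of direction or host.
port_pair_filter() {
    proto=$1; a_port=$2; b_port=$3
    printf '%s and port %s and port %s' "$proto" "$a_port" "$b_port"
}

# First connection from the post: (18.104.22.168, 1184) <=> (22.214.171.124, 53) tcp
filter=$(conn_filter tcp 18.104.22.168 1184 22.214.171.124 53)
echo "$filter"

# Capture with the real interface name in place of "interface" (needs capture privileges);
# -nn keeps host and port numbers unresolved so the output matches the filter literally:
#   tcpdump -i interface -nn "$filter"
# To check that the expression compiles without capturing anything, -d prints the
# compiled BPF program and exits:
#   tcpdump -i interface -d "$filter"
```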