Tcpdump is a CLI tool to capture raw network packets. It is very useful for various forms of network troubleshooting. We will learn how to filter packets with ports in tcpdump command.
TCP and UDP Ports
TCP and UDP can both multiplex using port numbers to work with multiple applications. For example, DHCP uses UDP ports 67 and 68, RIP uses UDP port 520, and HTTP uses TCP port 80.
Both Tcp and UDP use connection as their fundamental abstraction. Connections are identified by a pair of endpoints.
We will take the following two connections as examples.
(128.2.254.139, 1184) <=> (128.10.2.3, 53) tcp
(128.2.254.139, 2012) <=> (128.10.2.4, 22) udp
Filter Packets with Specific Port
If we need to filter packets for the first connection, we can use the following ways.
tcpdupm -i interface port 1184tcpdupm -i interface port 53Filter Packets with Port Direction
To be more specific, we can add the port direction like this.(dst-> destination, src->source)
tcpdupm -i interface dst port 53tcpdupm -i interface src port 1184tcpdupm -i interface src port 1184 and dst port 53Filter Packets with Host and Port
If we need to filter packets for both two connections, we can use the following commands.
tcpdupm -i interface dst host 128.10.2.3 or dst host 128.10.2.4tcpdupm -i interface dst port 53 or dst port 22tcpdupm -i interface dst port 53 and dst host 128.10.2.3Filter Packets with TCP UDP Port
If we need to filter the packets for the first TCP connection, we can use this command.
tcpdupm -i interface dst port 53 and tcpFor the second UDP connection, we can use this.
tcpdupm -i interface dst port 22 and UDP