
Tcpdump: Filter Packets By Port

Tcpdump is a CLI tool to capture raw network packets. It is very useful for various forms of network troubleshooting. We will learn how to filter packets by port with the tcpdump command.

TCP and UDP Ports

Our system uses ports to communicate with other devices on a network. Each port is associated with a specific function or service, and each device on a network has to have a unique port number assigned to it.

There are two types of ports: TCP and UDP. TCP ports are used for reliable communication, and UDP ports are used for unreliable communication.

TCP ports are used when you need to guarantee that the data will be received and processed successfully, while UDP ports are used when you don’t need to guarantee that the data will be received or processed successfully.

Protocol   Port Number   Service
TCP        80            HTTP
TCP        443           HTTPS
TCP        25            SMTP
TCP        110           POP3
TCP        143           IMAP
UDP        53            DNS
UDP        137           NETBIOS
UDP        161           SNMP

TCP and UDP can both multiplex using port numbers to work with multiple applications. For example, DHCP uses UDP ports 67 and 68, RIP uses UDP port 520, and HTTP uses TCP port 80.

Both TCP and UDP use a pair of endpoints (IP address and port) as their fundamental unit of communication. We will take the following two connections as examples.

(128.2.254.139, 1184) <=> (128.10.2.3, 53) UDP
(128.2.254.139, 2012) <=> (128.10.2.4, 22) TCP

53 is the default port for DNS. 22 is the default port for SSH.

Filter Packets with Specific Port in tcpdump

If you want to filter packets that are coming in or going out on a specific port, you can use the “tcpdump” tool. The “tcpdump” tool has the following syntax:

tcpdump -i <interface> [port <port>]

The “-i” parameter specifies the network interface that you want to listen on. The “port” parameter specifies the port number that you want to filter on.

Here’s an example:

tcpdump -i eth0 port 80

This command will capture all of the packets that are traveling through interface eth0 (the first Ethernet interface) and that are going to or coming from port 80 (the HTTP port).

If we need to filter packets for the first connection above, we can use either of the following commands.

  • tcpdump -i interface port 1184
  • tcpdump -i interface port 53


Filter Packets with source port or destination port in tcpdump

The “port” parameter in tcpdump specifies the port number that you want to filter on. The “src” qualifier restricts the match to the source side, and the “dst” qualifier restricts it to the destination side.

Here’s an example:

tcpdump -i eth0 dst port 80

This command will capture all of the packets that are traveling through interface eth0 and whose destination port is 80.

To be more specific, we can add the port direction like this (dst = destination, src = source):

  • tcpdump -i interface dst port 53
  • tcpdump -i interface src port 1184
  • tcpdump -i interface src port 1184 and dst port 53


Filter Packets with Host and Port in tcpdump

The “host” parameter in tcpdump specifies the hostname or IP address that you want to filter on.

Here’s an example:

tcpdump -i eth0 port 80 and src 192.168.0.100 and dst host www.howtouselinux.com

This command will capture all of the packets that are traveling through interface eth0 (the first Ethernet interface), that have a source IP address of 192.168.0.100, and that are destined for port 80 on the host www.howtouselinux.com.

If we need to filter packets for both connections, we can use the following commands.

  • tcpdump -i interface dst host 128.10.2.3 or dst host 128.10.2.4
  • tcpdump -i interface dst port 53 or dst port 22
  • tcpdump -i interface dst port 53 and dst host 128.10.2.3


Filter Packets with TCP UDP Port in tcpdump

The “udp” parameter in tcpdump specifies that we want to capture packets that are using the UDP protocol.

Here’s an example:

tcpdump -i eth0 udp port 53

This command will capture all of the packets that are traveling through interface eth0 (the first Ethernet interface) and that are using the UDP protocol on port 53.

If we want to filter the packets of the first connection shown at the beginning of this article, we can use this command.

tcpdump -i interface dst port 53 and udp

For the second example, we can use this.

tcpdump -i interface dst port 22 and tcp

Filter Packets with Port Range in tcpdump

If you want to capture packets that are traveling to or from a specific port range, you can use the “portrange” parameter in tcpdump. The “portrange” parameter allows you to specify a range of port numbers, instead of just a single port number.

Here’s an example:

tcpdump -i eth0 portrange 22-25

It will capture all of the packets that are traveling through interface eth0 and that are going to or coming from ports 22 through 25.
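The sections above combine protocol, host, direction, port and port range qualifiers by hand. The following POSIX shell helper, added here as an example and not part of the original article, builds such a filter expression from its parts and rejects malformed port numbers before they reach tcpdump; the function names and the “-” placeholder convention are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original article): build a tcpdump filter
# expression from the pieces the article covers (protocol, src/dst host,
# src/dst port or port range) and reject bad port numbers before they reach
# tcpdump. A field value of "-" means "do not filter on this field".
#   build_filter PROTO SRC_HOST SRC_PORT DST_HOST DST_PORT
#   e.g. tcpdump -i eth0 -nn "$(build_filter udp - - 128.10.2.3 53)"

# valid_port N: true when N is an integer in 1..65535
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# port_term DIR SPEC: prints "DIR port N" or "DIR portrange LO-HI"
port_term() {
  case "$2" in
    *-*)
      lo=${2%-*}; hi=${2#*-}
      valid_port "$lo" && valid_port "$hi" && [ "$lo" -le "$hi" ] || return 1
      printf '%s portrange %s-%s' "$1" "$lo" "$hi" ;;
    *)
      valid_port "$2" || return 1
      printf '%s port %s' "$1" "$2" ;;
  esac
}

# append TERM: join TERM onto $filter with "and"
append() {
  if [ -z "$filter" ]; then filter=$1; else filter="$filter and $1"; fi
}

build_filter() {
  filter=''
  case "$1" in
    tcp|udp) append "$1" ;;           # the two protocols the article covers
    '-') ;;
    *) echo "build_filter: unknown protocol '$1'" >&2; return 1 ;;
  esac
  if [ "$2" != '-' ]; then append "src host $2"; fi
  if [ "$3" != '-' ]; then term=$(port_term src "$3") || return 1; append "$term"; fi
  if [ "$4" != '-' ]; then append "dst host $4"; fi
  if [ "$5" != '-' ]; then term=$(port_term dst "$5") || return 1; append "$term"; fi
  printf '%s\n' "$filter"
}
```

Passing the result to tcpdump as a single quoted argument keeps the expression intact even when it contains spaces.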


Option              Description
-i                  Listen on the specified interface.
-n                  Don't resolve hostnames. Use -nn to resolve neither hostnames nor port names.
-t                  Print a human-readable timestamp on each dump line; -tttt gives maximally human-readable timestamp output.
-X                  Show the packet's contents in both hex and ASCII.
-v, -vv, -vvv       Enable increasingly verbose logging/details (which, among other things, gives a running total of how many packets were captured).
-c N                Only capture N packets and then stop.
-s                  Define the snaplength (size) of the capture in bytes. Use -s0 to get everything, unless you are intentionally capturing less.
-S                  Print absolute sequence numbers.
-q                  Show less protocol information.
-w                  Write the raw packets to a file.
-C file_size(M)     Store up to the given number of MB of packet data per file.
-G rotate_seconds   Create a new file every time the specified number of seconds has elapsed.
