Tcpdump is a CLI tool to capture raw network packets. It is very useful for various forms of network troubleshooting. We will learn how to filter packets by port in tcpdump command.
TCP and UDP Ports
TCP and UDP can both multiplex using port numbers to work with multiple applications. For example, DHCP uses UDP ports 67 and 68, RIP uses UDP port 520, and HTTP uses TCP port 80.
Both Tcp and UDP use a pair of endpoints as their fundamental communication.
We will take the following two protocols as examples.
(128.2.254.139, 1184) <=> (128.10.2.3, 53) UDP
(128.2.254.139, 2012) <=> (128.10.2.4, 22) TCP
53 is the default port for DNS. 22 is the default port for SSH.
Filter Packets with Specific Port
If we need to filter packets for the first connection, we can use the following ways.
tcpdupm -i interface port 1184tcpdupm -i interface port 53Filter Packets with Port Direction
To be more specific, we can add the port direction like this.( dst-> destination, src->source)
tcpdupm -i interface dst port 53tcpdupm -i interface src port 1184tcpdupm -i interface src port 1184 and dst port 53Filter Packets with Host and Port
If we need to filter packets for both two connections, we can use the following commands.
tcpdupm -i interface dst host 128.10.2.3 or dst host 128.10.2.4tcpdupm -i interface dst port 53 or dst port 22tcpdupm -i interface dst port 53 and dst host 128.10.2.3Filter Packets with TCP UDP Port
If we need to filter the packets for the first UDP protocol, we can use this command.
tcpdupm -i interface dst port 53 and udpFor the second TCP protocol, we can use this.
tcpdupm -i interface dst port 22 and tcpFilter Packets with Port Range
$ sudo tcpdump tcp and 'src portrange 1024-65535 and dst port 443'
$ sudo tcpdump tcp and "src portrange 1024-65535 and dst port 443"Tcpdump Cheat Sheet With Basic Advanced Examples
Filtering ICMP ICMPv6 Packets with Tcpdump
