Tcpdump is a CLI tool to capture raw network packets. It is very useful for many forms of network troubleshooting. We will learn how to filter packets by port with the tcpdump command.
TCP and UDP Ports
TCP and UDP can both multiplex using port numbers to work with multiple applications. For example, DHCP uses UDP ports 67 and 68, RIP uses UDP port 520, and HTTP uses TCP port 80.
Both TCP and UDP identify a communication by a pair of endpoints, each an (IP address, port) tuple.
We will take the following two connections as examples.
(128.2.254.139, 1184) <=> (128.10.2.3, 53) UDP
(128.2.254.139, 2012) <=> (128.10.2.4, 22) TCP
53 is the default port for DNS. 22 is the default port for SSH.
Filter Packets with Specific Port
If we need to filter packets for the first connection, we can use either of the following filters (replace interface with the name of the interface to capture on, e.g. eth0).
tcpdump -i interface port 1184
tcpdump -i interface port 53
Filter Packets with Port Direction
To be more specific, we can add the port direction (dst for destination, src for source) like this.
tcpdump -i interface dst port 53
tcpdump -i interface src port 1184
tcpdump -i interface src port 1184 and dst port 53
Filter Packets with Host and Port
If we need to filter packets for both connections, we can use the following commands.
tcpdump -i interface dst host 128.10.2.3 or dst host 128.10.2.4
tcpdump -i interface dst port 53 or dst port 22
tcpdump -i interface dst port 53 and dst host 128.10.2.3
Filter Packets with TCP or UDP Port
If we need to filter the packets for the first connection, which is UDP, we can combine the port filter with the udp protocol qualifier.
tcpdump -i interface dst port 53 and udp
For the second connection, which is TCP, we can use this.
tcpdump -i interface dst port 22 and tcp
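The following is an added example (not from the original article) that builds tcpdump filter expressions from the "(src_ip, src_port) <=> (dst_ip, dst_port) PROTO" notation used above, so the expression can be reviewed before it is run. The function names, the eth0 interface name and the validation rules are assumptions of this example; tcpdump itself is not invoked.

```shell
#!/bin/sh
# Added example, not from the original article: build tcpdump filter
# expressions from the article's "(src_ip, src_port) <=> (dst_ip, dst_port) PROTO"
# notation. Only the command line is printed; tcpdump is not executed.

# Return 0 if $1 is an integer in the valid port range 0-65535.
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -le 65535 ]
}

# Parse a connection spec into the variables proto src_ip src_port dst_ip dst_port.
parse_spec() {
    # Drop parentheses and commas, leaving: src_ip src_port <=> dst_ip dst_port PROTO
    set -f                                   # no globbing while word-splitting
    set -- $(printf '%s' "$1" | tr -d '(),')
    set +f
    [ "$#" -eq 6 ] && [ "$3" = "<=>" ] || { echo "malformed spec" >&2; return 1; }
    valid_port "$2" && valid_port "$5" || { echo "port out of range" >&2; return 1; }
    proto=$(printf '%s' "$6" | tr 'A-Z' 'a-z')
    case $proto in tcp|udp) ;; *) echo "unknown protocol: $6" >&2; return 1 ;; esac
    src_ip=$1 src_port=$2 dst_ip=$4 dst_port=$5
}

# One-direction filter, in the article's "src port X and dst port Y" form.
build_filter() {
    parse_spec "$1" || return 1
    printf '%s and src host %s and src port %s and dst host %s and dst port %s\n' \
        "$proto" "$src_ip" "$src_port" "$dst_ip" "$dst_port"
}

# Both directions of the same connection: "host" and "port" without a src/dst
# qualifier match either side, so the replies are captured as well.
build_bidir_filter() {
    parse_spec "$1" || return 1
    printf '%s and host %s and host %s and port %s and port %s\n' \
        "$proto" "$src_ip" "$dst_ip" "$src_port" "$dst_port"
}

# Full command line for an interface, with the expression quoted for the shell.
tcpdump_cmd() {
    filter=$(build_bidir_filter "$2") || return 1
    printf "tcpdump -i %s '%s'\n" "$1" "$filter"
}

# Constructed input: the two connection specs used in the article.
for spec in "(128.2.254.139, 1184) <=> (128.10.2.3, 53) UDP" \
            "(128.2.254.139, 2012) <=> (128.10.2.4, 22) TCP"; do
    build_filter "$spec"
    tcpdump_cmd eth0 "$spec"
done
```

Note the difference between the two builders: "src port 1184 and dst port 53" only matches the request direction, while "port 1184 and port 53" (no qualifier) matches packets in either direction, which is usually what you want when troubleshooting a whole connection rather than one side of it.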
Filter Packets with Port Range
To match a range of ports, use portrange. The following captures TCP packets sent from a high (ephemeral) source port to destination port 443.
$ sudo tcpdump tcp and 'src portrange 1024-65535 and dst port 443'