Tcpdump Packet Filtering

Using advanced filtering options allows us to reduce the amount of traffic printed to output or written to disk, thereby saving space and speeding up data processing. Filters can be paired with standard tcpdump syntax to capture broadly or narrow down to specific hosts or TCP flags. Advanced filters enable tailored captures.

Helpful Tcpdump Filters

Filter

Result

host

Filters visible traffic to show anything involving the designated host (bi-directional).

src/dest

Designate source or destination host or port.

net

Filters traffic from or to the specified network using / notation.

proto

Filters for a specific protocol (e.g., ether, TCP, UDP, ICMP).

port

Filters any traffic with the specified port as source or destination.

portrange

Allows filtering by port range (e.g., 0-1024).

less/greater

Filters packets based on size.

and/&&

Combines filters, showing packets that meet both conditions.

or

Matches any of two conditions.

not

Negates a condition, e.g., not UDP shows non-UDP traffic.

Examples of Common Filters

Host Filter
```
sudo tcpdump -i eth0 host 172.16.146.2
```

Source/Destination Filter

sudo tcpdump -i eth0 src host 172.16.146.2

Source Port Filter
```
sudo tcpdump -i eth0 tcp src port 80
```

Destination Net Filter

sudo tcpdump -i eth0 dest net 172.16.146.0/24

Protocol Filter by Name
```
sudo tcpdump -i eth0 udp
```
Protocol Filter by Number
```
sudo tcpdump -i eth0 proto 17
```
Port Filter
```
sudo tcpdump -i eth0 tcp port 443
```
Port Range Filter
```
sudo tcpdump -i eth0 portrange 0-1024
```
Less/Greater Filter
```
sudo tcpdump -i eth0 less 64
```
Greater Filter for Packets Over 500 Bytes
```
sudo tcpdump -i eth0 greater 500
```

Combining Filters with `AND` and `OR`

AND Filter Example

sudo tcpdump -i eth0 host 192.168.0.1 and port 23

OR Filter Example

sudo tcpdump -r sus.pcap icmp or host 172.16.146.1

NOT Filter Example
```
sudo tcpdump -r sus.pcap not icmp
```

Pre-Capture vs. Post-Capture Processing

Applying filters during capture omits unmatched traffic, reducing data volume but risking the loss of potentially valuable information. Filtering during post-capture analysis parses the capture file, displaying only packets that meet the filter criteria without altering the original file.

Interpreting Tips and Tricks

Absolute Sequence Numbers: Use -S to display them for detailed tracking.
Verbose Output: Use -v, -X, and -e for capturing more data.
Selective Display: Options like -c, -n, -s, -S, and -q help modify displayed data.
ASCII Display: Use -A to show only ASCII text, useful for human-readable output.

ASCII Mode with `-A`

sudo tcpdump -Ar telnet.pcap

Piping Output to Grep

sudo tcpdump -Ar http.cap -l | grep 'mailto:*'

This method filters output to quickly search for specific terms or patterns within the capture.

Advanced Packet Filtering Using TCP Flags

tcpdump -i eth0 'tcp[13] &2 != 0'

This command checks if the SYN flag in the TCP header is set.

Protocol RFC Links

Protocol

RFC

IP Protocol

ICMP Protocol

TCP Protocol

UDP Protocol

RFC Quick Links

PreviousTcpdump Fundamentals NextInterrogating Network Traffic With Capture and Display Filters

Last updated 3 months ago

hashtagHelpful Tcpdump Filters

hashtagExamples of Common Filters

hashtagCombining Filters with AND and OR

hashtagPre-Capture vs. Post-Capture Processing

hashtagInterpreting Tips and Tricks

hashtagASCII Mode with -A

hashtagPiping Output to Grep

hashtagAdvanced Packet Filtering Using TCP Flags

hashtagProtocol RFC Links