KB44476 - How to use filters with tcpdump on PPS\PCS


Last Modified Date: 5/20/2020 1:52 PM
When tcpdump is used with no filters, it captures all traffic and produces a huge amount of output that can make it very difficult to find and analyze the packets you are most interested in.

Filters are one of the most powerful features of the tcpdump tool as they allow you to capture only those packets matching the filter. For example, when troubleshooting issues related to a web server you can use filters to capture only the HTTP traffic.

Our tcpdump feature uses the Berkeley Packet Filter (BPF) syntax to filter packets on matching parameters such as protocol, source and destination IP addresses, ports, and more.

In this article, we’ll take a look at some of the most common filters. For a list of all available filters, check the pcap-filter manpage.
Problem or Goal
1. Filtering by Protocol

To restrict the capture to a particular protocol, specify the protocol as the filter. For example, to capture only UDP traffic you would use either of the following:

Example: udp
Example: proto 17

Either example above filters out all traffic except UDP.

List of IP Protocol numbers

2. Filtering by Host or network

To capture only packets related to a specific host, use the host qualifier. The host can be a name or an IP address.

Example: host
Example: host

You can filter for a given IP range using net.

Example: net

3. Filtering by Source and Destination

The src qualifier captures packets originating from a source, which can be a source IP address or a source port.

src port 12345

The dst qualifier captures traffic to a destination port or traffic destined for an IP address.
dst port 80
dst port

4. Filtering by Port or range of ports

These filters capture both UDP and TCP traffic for the given port number(s).

To limit a capture to only packets from or to a specific port, use the port qualifier.

Example: port 23     (source or destination)
Example: dst port 23 (destination port)
Example: src port 23 (source port)

To limit the capture to a range of ports use the portrange qualifier.

Example: dst portrange 110-150
Example: src portrange 110-150

List of TCP and UDP port numbers

5. Complex Filters

Filters can be combined with the operators and, or and not, as in the following examples.

Capture all HTTP traffic from
src and tcp port 80

Capture all HTTP and HTTPS traffic to and from
host and (tcp port 80 or tcp port 443)

Capture all traffic from host except traffic with a destination of port 22
src and not dst port 22
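As an added example (not part of this KB article or of the PPS/PCS product), a small Python helper that assembles filter expressions from the qualifiers covered in sections 1 to 5 and checks the values before they are used; the 10.1.1.5 address used with it is a constructed sample.

```python
# Compose pcap-filter (BPF) expressions from the qualifiers covered in this
# article. Added example, not Pulse Secure code: it validates and combines
# host/net/src/dst/port/portrange/proto terms with and/or/not.
import ipaddress

def _port(p):
    p = int(p)
    if not 0 <= p <= 65535:
        raise ValueError(f"port out of range: {p}")
    return p

def host(addr, direction=""):
    """'host 10.1.1.5', 'src host ...' or 'dst host ...'; names pass through."""
    return f"{direction} host {addr}".strip()

def net(cidr):
    """'net 10.1.1.0/24'; rejects anything that is not a valid network."""
    return f"net {ipaddress.ip_network(cidr, strict=False)}"

def port(p, proto="", direction=""):
    """'port 23', 'dst port 23', 'tcp port 443' or 'tcp dst port 80'."""
    return " ".join(t for t in (proto, direction, "port", str(_port(p))) if t)

def portrange(lo, hi, direction=""):
    """'dst portrange 110-150'; the low end must not exceed the high end."""
    lo, hi = _port(lo), _port(hi)
    if lo > hi:
        raise ValueError(f"bad portrange {lo}-{hi}")
    return f"{direction} portrange {lo}-{hi}".strip()

def proto(p):
    """'udp' by name, or 'proto 17' by IP protocol number (0-255)."""
    if isinstance(p, int):
        if not 0 <= p <= 255:
            raise ValueError(f"protocol number out of range: {p}")
        return f"proto {p}"
    return p

def all_of(*terms):
    # 'and' and 'or' have equal precedence in pcap-filter and associate left to
    # right, so an 'or' group joined by 'and' must be parenthesised.
    return " and ".join(f"({t})" if " or " in t else t for t in terms)

def any_of(*terms):
    return " or ".join(terms)

def not_(term):
    return f"not {term}"
```

Without the parentheses that all_of adds, `host X and tcp port 80 or tcp port 443` would match every packet on port 443, not only those to or from X.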
Created By: Brian Pimentel