Reset Search
 

 
Article

KB44476 - How to use filters with tcpdump on PPS\PCS

Printable View
« Go Back

Information

 
Last Modified Date5/20/2020 1:52 PM
Synopsis
When tcpdump is used with no filters, it captures all traffic and produces a huge amount of output that can make it very difficult to find and analyze the packets you are most interested in.

Filters are one of the most powerful features of the tcpdump tool as they allow you to capture only those packets matching the filter. For example, when troubleshooting issues related to a web server you can use filters to capture only the HTTP traffic.

Our tcpdump feature uses the Berkeley Packet Filter (BPF) syntax to filter the packets using various matching parameters such as protocols, source and destination IP addresses, ports,and more.

In this article, we’ll take a look at some of the most common filters. For a list of all available filters, check the pcap-filter manpage.
 
Problem or Goal
Cause
Solution
1. Filtering by Protocol

To restrict the capture to a particular protocol, specify the protocol as a filter. For example, to capture only the UDP traffic you would use...

Example: udp
or
Example: proto 17

Either example above will filter out all traffic except for udp.

List of IP Protocol numbers


2. Filtering by Host or network

To capture only packets related to a specific host. Host can be a name or IP address.

Example: host 192.168.1.185
Example: host Lab-PPS.TestDomain.com


You can filter for a given IP range using net.

Example: net 10.10.0.0/16


3. Filtering by Source and Destination

The following command captures packets originating from a source. That could be a source IP or a source port.

Example:
src  192.168.1.185
src port 12345

This filter will capture traffic for a destination port or traffic destined for an IP. 
dst port 80
dst port 192.168.1.185



4. Filtering by Port or range of ports. These filters capture both UDP and TCP traffic for the given port number(s).

To limit a capture to only packets from or to a specific port, use the port qualifier.

Example: port 23     (source or destination)
Example: dst port 23 (destination port)
Example: src port 23 (source port)

To limit the capture to a range of ports use the portrange qualifier.

Example: dst portrange 110-150
Example: src portrange 110-150

List of TCP and UDP port numbers


5. Complex Filters

Filters can be combined using the following operators.
and
or
not

Examples:

Capture all HTTP traffic from 192.168.1.185
src 192.168.1.185 and tcp port 80

Capture all HTTP and HTTPS traffic to and from 192.168.1.185
host 192.168.1.185 and (tcp port 80 or tcp port 443)

Capture all traffic from host 192.168.1.185 except traffic with a destination of port 22
src 192.168.1.185 and not dst port 22
 
Related Links
Attachment 1 
Created ByBrian Pimentel

Feedback

 

Was this article helpful?


   

Feedback

Please tell us how we can make this article more useful.

Characters Remaining: 255