Tcpdump/ Wireshark Capture Filters
tcpdump -nnvi eth0 -s 200 -c 1000 host 172.18.5.4 and port 22 -w /var/tmp/test.pcap
These filters specifies what packets to be capured:
Examples
Capture only traffic to or from IP address 172.18.5.4:
Capture traffic to or from a range of IP addresses:
or
- net 192.168.0.0 mask 255.255.255.0
Capture traffic from a range of IP addresses:
or
- src net 192.168.0.0 mask 255.255.255.0
Capture traffic to a range of IP addresses:
or
- dst net 192.168.0.0 mask 255.255.255.0
Capture only DNS (port 53) traffic:
Capture non-HTTP and non-SMTP traffic on your server (both are equivalent):
Capture except all ARP and DNS traffic:
Capture traffic within a range of ports
- (tcp[0:2] > 1500 and tcp[0:2] < 1550) or (tcp[2:2] > 1500 and tcp[2:2] < 1550)
or, with newer versions of libpcap (0.9.1 and later):
Capture only Ethernet type EAPOL:
Reject ethernet frames towards the Link Layer Discovery Protocol Multicast group:
- not ether dst 01:80:c2:00:00:0e
Capture only IP traffic - the shortest filter, but sometimes very useful to get rid of lower layer protocols like ARP and STP:
Capture only unicast traffic - useful to get rid of noise on the network if you only want to see traffic to and from your machine, not, for example, broadcast and multicast announcements:
- not broadcast and not multicast
Capture IPv6 "all nodes" (router and neighbor advertisement) traffic. Can be used to find rogue RAs:
Capture HTTP GET requests. This looks for the bytes 'G', 'E', 'T', and ' ' (hex values 47, 45, 54, and 20) just after the TCP header. "tcp[12:1] & 0xf0) >> 2" figures out the TCP header length. From Jefferson Ogata via the
tcpdump-workers mailing list.
- port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420
Full list can be found here:
Wireshark Search/Display Filters
These filters are used to filter what is displayed from the captured packets.
Display Filter comparison operators
English
|
C-like
|
Description and example
|
eq
|
==
|
Equal. ip.src==10.0.0.5
|
ne
|
!=
|
Not equal. ip.src!=10.0.0.5
|
gt
|
>
|
Greater than. frame.len > 10
|
lt
|
<
|
Less than. frame.len < 128
|
ge
|
>=
|
Greater than or equal to. frame.len ge 0x100
|
le
|
<=
|
Less than or equal to. frame.len <= 0x20
|
Display Filter Logical Operations
English
|
C-like
|
Description and example
|
and
|
&&
|
Logical AND. ip.src==10.0.0.5 and tcp.flags.fin
|
or
|
||
|
Logical OR. ip.scr==10.0.0.5 or ip.src==192.1.1.1
|
xor
|
^^
|
Logical XOR. tr.dst[0:3] == 0.6.29 xor tr.src[0:3] == 0.6.29
|
not
|
!
|
Logical NOT. not llc
|
[…]
|
|
Substring Operator. Wireshark allows you to select subsequences of a sequence in rather elaborate ways. After a label you can place a pair of brackets [] containing a comma separated list of range specifiers. ---- eth.src[0:3] == 00:00:83 ---- The example above uses the n:m format to specify a single range. In this case n is the beginning offset and m is the length of the range being specified. ---- eth.src[1-2] == 00:83 ---- The example above uses the n-m format to specify a single range. In this case n is the beginning offset and m is the ending offset. ---- eth.src[:4] == 00:00:83:00 ---- The example above uses the :m format, which takes everything from the beginning of a sequence to offset m. It is equivalent to 0:m ---- eth.src[4:] == 20:20 ---- The example above uses the n: format, which takes everything from offset n to the end of the sequence. ---- eth.src[2] == 83 ---- The example above uses the n format to specify a single range. In this case the element in the sequence at offset n is selected. This is equivalent to n:1. ---- eth.src[0:3,1-2,:4,4:,2] == 00:00:83:00:83:00:00:83:00:20:20:83 ---- Wireshark allows you to string together single ranges in a comma separated list to form compound ranges as shown above.
|
Examples
Show only
SMTP (port 25) and
ICMP traffic:
Show only traffic in the LAN (192.168.x.x), between workstations and servers -- no Internet:
- ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16
Some
filter fields match against multiple
protocol fields. For example, "ip.addr" matches against both the
IP source and destination addresses in the IP header. The same is true for "tcp.port", "udp.port", "eth.addr", and others. It's important to note that
- ip.addr == 10.43.54.65
is equivalent to
ip.src == 10.43.54.65 or ip.dst == 10.43.54.65
The "slice" feature is also useful to filter on the vendor identifier part (OUI) of the MAC address, see the
Ethernet page for details. Thus you may restrict the display to only packets from a specific device manufacturer. E.g. for DELL machines only:
It is also possible to search for characters appearing anywhere in a field or protocol by using the matches operator.
Match packets that contains the 3-byte sequence 0x81, 0x60, 0x03 anywhere in the UDP header or payload:
Match HTTP requests where the last characters in the uri are the characters "gl=se":
- http.request.uri matches "gl=se$"
More:
