A basic filter is to specify which protocol you want to capture. As an example, I could choose to capture only TCP or UDP packets. I might also say I want to capture only IP or other protocols. In Example 2-12, you can see a capture of ICMP-only packets. You will notice that in order to apply a filter, I just put it on the end of the command line. What results is the display of only ICMP packets. Everything still comes into the interface and is sent up to tcpdump, but it then determines what to display or write out to a file, if that's what you are doing.
Example 2-12. tcpdump using BPF

root@rosebud:~# tcpdump icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
12:01:14.602895 IP binkley.lan > rosebud.lan: ICMP echo request, id 8203, seq 0, length 64
12:01:14.602952 IP rosebud.lan > binkley.lan: ICMP echo reply, id 8203, seq 0, length 64
12:01:15.604118 IP binkley.lan > rosebud.lan: ICMP echo request, id 8203, seq 1, length 64
12:01:15.604171 IP rosebud.lan > binkley.lan: ICMP echo reply, id 8203, seq 1, length 64
12:01:16.604295 IP binkley.lan > rosebud.lan: ICMP echo request, id 8203, seq 2, length 64
One thing I can do with these filters is use Boolean logic: I can combine primitives with logical operators to build complex filters. Let's say, for instance, that I want to capture web traffic. One way I could do that would be to say tcp and port 80: I am grabbing all TCP packets that have port 80 at either end. You'll notice that I don't mention source or destination with respect to the port number. I certainly can; I could use src port 80 or dst port 80. However, if I don't specify source or destination, I get both ends of the conversation. When a message goes out with port 80 as its destination, the port numbers are swapped when the receiving system replies: port 80 on the response becomes the source port. If I were to capture only src port 80, I wouldn't get any of the messages in the other direction. This may be exactly what you are looking for, of course, but it's something to keep in mind. You may find that you need to indicate a range of ports to be grabbed. You could use the portrange primitive to capture a range of ports, like portrange 80-88, for example.
The language used for BPF provides a lot of capability. If you need really complex filters, you can certainly look up the syntax for BPF and examples that may provide something specific you are looking for. What I have often found is that specifying the port is valuable. Also, I often know the host I want to capture traffic from. In that case, I would use host 192.168.86.35 to grab only traffic with that IP address. Again, I have not specified either source or destination for the address; I could by specifying src host or dst host. If I don't indicate a direction, I get both directions of the conversation.
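To make the direction point above concrete without needing root or a live interface, here is an added example that is not from the book: a small Python evaluator for the tcpdump-style primitives discussed here (protocol, host, port, portrange, src/dst qualifiers, and/or/not, parentheses), run over a constructed in-memory packet list. Only 192.168.86.35 comes from the text; the other addresses, ports and the packets themselves are made up for the demonstration, and this is a model of BPF matching, not libpcap's compiler.

```python
from collections import namedtuple
# proto is "tcp", "udp" or "icmp"; ICMP has no ports, so they default to 0.
Packet = namedtuple("Packet", "proto src dst srcport dstport", defaults=(0, 0))
# Constructed sample: an HTTP request and its reply (ports swapped), a ping,
# and one request to port 88; 203.0.113.10 is a documentation address.
PACKETS = [
    Packet("tcp", "192.168.86.35", "203.0.113.10", 51234, 80),   # request
    Packet("tcp", "203.0.113.10", "192.168.86.35", 80, 51234),   # reply
    Packet("icmp", "192.168.86.35", "192.168.86.1"),
    Packet("tcp", "192.168.86.35", "203.0.113.10", 51235, 88),
]
def _primitive(tokens, pkt):   # proto | [src|dst] host X | [src|dst] port[range] N
    tok, rest = tokens[0], tokens[1:]
    if tok in ("tcp", "udp", "icmp"):
        return pkt.proto == tok, rest
    sides = ("src", "dst")     # unqualified: either end of the packet may match
    if tok in sides:
        sides, tok, rest = (tok,), rest[0], rest[1:]
    value, rest = rest[0], rest[1:]
    if tok == "host":
        return any(getattr(pkt, s) == value for s in sides), rest
    if tok in ("port", "portrange"):
        lo, _, hi = value.partition("-")
        lo, hi = int(lo), int(hi or lo)
        return any(lo <= getattr(pkt, s + "port") <= hi for s in sides), rest
    raise ValueError(f"unknown primitive {tok!r}")

def _factor(tokens, pkt):      # "not" factor | "(" expr ")" | primitive
    if tokens[0] == "not":
        m, rest = _factor(tokens[1:], pkt)
        return not m, rest
    if tokens[0] == "(":
        m, rest = _expr(tokens[1:], pkt)
        return m, rest[1:]     # drop the closing ")"
    return _primitive(tokens, pkt)
def _chain(tokens, pkt, op, sub):   # sub (op sub)*; "and" binds tighter than "or"
    m, rest = sub(tokens, pkt)
    while rest and rest[0] == op:
        m2, rest = sub(rest[1:], pkt)
        m = (m and m2) if op == "and" else (m or m2)
    return m, rest
def _term(tokens, pkt): return _chain(tokens, pkt, "and", _factor)
def _expr(tokens, pkt): return _chain(tokens, pkt, "or", _term)
def matches(expr, pkt):        # does one packet satisfy a tcpdump-style filter?
    matched, rest = _expr(expr.replace("(", " ( ").replace(")", " ) ").split(), pkt)
    assert not rest, f"trailing tokens {rest}"
    return matched
def apply_filter(expr, packets=PACKETS):   # the packets a filter would keep
    return [p for p in packets if matches(expr, p)]
```

Running apply_filter("tcp and port 80") returns both the request and the reply, while "src port 80" returns only the reply and "dst port 80" only the request, which is exactly the asymmetry the text warns about.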