Wednesday, November 25, 2009

Tcpdump filters

For those who don't know, tcpdump is a command-line packet analyzer (sniffer) that can perform live packet analysis. With tcpdump you can filter the traffic so that not all of it is parsed or logged. Many programs and sniffers follow tcpdump's filter syntax because of its popularity and ease of use. Below are some examples of tcpdump filters taken from "":

Filtering hosts :

- Match any traffic involving as destination or source
# tcpdump -i eth1 host

- As source only
# tcpdump -i eth1 src host

- As destination only
# tcpdump -i eth1 dst host

# tcpdump src net mask
# tcpdump src net

Filtering ports :
- Match any traffic involving port 25 as source or destination
# tcpdump -i eth1 port 25

# tcpdump -n portrange 22-23

- Source
# tcpdump -i eth1 src port 25

- Destination
# tcpdump -i eth1 dst port 25

Network filtering :

# tcpdump -i eth1 net 192.168
# tcpdump -i eth1 src net 192.168
# tcpdump -i eth1 dst net 192.168

Protocol filtering :

# tcpdump -i eth1 arp
# tcpdump -i eth1 ip

# tcpdump -i eth1 tcp
# tcpdump -i eth1 udp
# tcpdump -i eth1 icmp

Let's combine expressions :

Negation : ! or "not" (without the quotes)
Concatenate : && or "and"
Alternate : || or "or"

- This rule will match any TCP traffic on port 80 (web) with or as destination host
# tcpdump -i eth1 '((tcp) and (port 80) and ((dst host or (dst host'

- Will match any ICMP traffic involving the destination with physical/MAC address 00:01:02:03:04:05
# tcpdump -i eth1 '((icmp) and ((ether dst host 00:01:02:03:04:05)))'

- Will match any traffic for the destination network 192.168 except destination host
# tcpdump -i eth1 '((tcp) and ((dst net 192.168) and (not dst host'
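To make the precedence and negation rules above concrete, here is an added example (not from the original post) that evaluates a subset of the tcpdump filter grammar against a few constructed packet records; `PACKETS`, `matches` and `filter_packets` are names chosen for this illustration, and the evaluator approximates BPF semantics rather than replacing tcpdump.

```python
import re

# Constructed sample packets (decoded header fields only, not a real capture).
PACKETS = [
    {"proto": "tcp", "src": "10.0.0.5", "dst": "192.168.1.10", "sport": 51000, "dport": 80},
    {"proto": "tcp", "src": "192.168.1.10", "dst": "10.0.0.5", "sport": 80, "dport": 51000},
    {"proto": "udp", "src": "10.0.0.5", "dst": "192.168.1.1", "sport": 5353, "dport": 53},
    {"proto": "icmp", "src": "172.16.0.9", "dst": "192.168.1.10", "sport": None, "dport": None},
    {"proto": "tcp", "src": "10.0.0.7", "dst": "192.168.1.20", "sport": 40000, "dport": 22},
]

def matches(expr, pkt):
    """Evaluate a tcpdump-style filter (host/net/port/portrange with optional src/dst,
    tcp/udp/icmp/arp/ip, and/&&, or/||, space-separated not/!, parentheses) on one packet."""
    toks = re.findall(r"\(|\)|[^\s()]+", expr)
    take = lambda: toks.pop(0)                      # consume the next token
    peek = lambda: toks[0] if toks else None        # look at the next token
    def primitive():
        t = take()
        if t == "(": v = expr_or(); take(); return v  # the take() drops the ')'
        if t in ("not", "!"): return not primitive()
        if t in ("tcp", "udp", "icmp", "arp"): return pkt["proto"] == t
        if t == "ip": return pkt["proto"] != "arp"
        direction = ""
        if t in ("src", "dst"): direction, t = t, take()
        value = take()
        # 'net' accepts the short dotted form (e.g. 192.168); 'ether' is not handled.
        if t == "host": keys, ok = ["src", "dst"], lambda k: pkt[k] == value
        elif t == "net": keys, ok = ["src", "dst"], lambda k: (pkt[k] + ".").startswith(value + ".")
        elif t == "port": keys, ok = ["sport", "dport"], lambda k: pkt[k] == int(value)
        elif t == "portrange":
            lo, hi = (int(x) for x in value.split("-"))
            keys, ok = ["sport", "dport"], lambda k: pkt[k] is not None and lo <= pkt[k] <= hi
        else: raise ValueError("unsupported primitive: " + t)
        if direction: keys = [keys[0] if direction == "src" else keys[1]]  # src/dst only
        return any(ok(k) for k in keys)
    def expr_and():  # 'and' binds tighter than 'or', as in BPF
        v = primitive()
        while peek() in ("and", "&&"):
            take(); r = primitive(); v = v and r  # r is always parsed, never skipped
        return v
    def expr_or():
        v = expr_and()
        while peek() in ("or", "||"):
            take(); r = expr_and(); v = v or r
        return v
    return expr_or()

def filter_packets(expr, packets=PACKETS):
    # Indices of the packets the filter would let through.
    return [i for i, p in enumerate(packets) if matches(expr, p)]
```

Only the filter expression is modelled here; interface and output options such as `-i eth1` or `-n` belong to the tcpdump command line, not to the filter.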

Resources/Good reading:
