How can I use complex filters by protocol in tcpdump?

Maf

1/22/23, 8:02 PM

I can filter by lots of protocols in wireshark and tshark, like this:

sudo tshark -i <My_Interface> -Y '(ip.addr == <My_IP> and isakmp)'

How can I add the protocol filter in a tcpdump command like this?

sudo tcpdump -i any -nn host <My_IP>

104

0 + 0

wireshark

packet-analyzer

tcpdump

Score:1

Ubuntu

Grave_Rose

1/23/23, 8:29 PM

You would use filters on the end. These are called Berklee Packet Filters or BPFs for short. In your example, you could do it this way:

tcpdump -nn -vvv -e -s 0 -X -c 100 -i eth0 host 1.2.3.4 and \(proto 17 and port 500\)

This would capture traffic to or from 1.2.3.4 with Layer-3 protocol 17 (UDP) and Layer-4 port 500. You can also use friendly names if they are present in /etc/protocols and /etc/services like this:

host 1.2.3.4 and \(proto udp and port isakmp\)

There are quite a lot more BPFs you can use to limit things like protocol versions to only capture IPv6 (ip6) or capture traffic that has the SYN flag set in a TCP packet (tcp[tcpflags] == tcp-syn).

If you need a live tool, I've created https://tcpdump101.com which will let you build your tcpdump syntax and BPF so you can just copy and paste it. Hopefully it will help you out.

0 + 0

Maf

1/23/23, 8:58 PM

Why is the protocol name being treated has port?

Grave_Rose

1/24/23, 12:20 AM

It's not. The way it works is that protocols run on Layer-3 (see: https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml) and ports run on Layer-4 (see: https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml). Layer-3 protocol 17 (IP/17) is UDP. Layer-4 port 500 (UDP/500) is "isakmp".

Score:0

Ubuntu

Maf

1/23/23, 10:03 AM

I could create my own filter after some workarounds:

whileIFS= read -r line; do if [[ $line =~ 'isakmp' ]]; then echo $line; fi; done < <(sudo tcpdump -i any -nn host <My_IP>)

0 + 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: How can I use complex filters by protocol in tcpdump?

TH: ฉันจะใช้ตัวกรองที่ซับซ้อนตามโปรโตคอลใน tcpdump ได้อย่างไร

RO: Cum pot folosi filtre complexe după protocol în tcpdump?

RU: Как я могу использовать сложные фильтры по протоколам в tcpdump?

VI: Làm cách nào tôi có thể sử dụng các bộ lọc phức tạp theo giao thức trong tcpdump?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.