tcpdump filters

Useful flags (from the manual):

-l: Line-buffered output. Also useful when piping tcpdump into grep etc., so the data can be read while it is still being captured.
-e: Print the link-layer (layer 2) header, i.e. the MAC addresses.
-n: Do not do name lookups. It can be -nn or -nnn to disable IP, port and MAC lookup.
-t: Don't print a timestamp on each line (more human-readable output).
-tt: Print the timestamp on each line.
-ttt: Print the delta between the current and previous line.
-ttttt: Print the delta between the current and first line.
-vvv: Extremely verbose. It can be -v, -vv or -vvv depending on the required level of detail.
--immediate-mode: Capture in "immediate mode". In this mode, packets are delivered to tcpdump as soon as they arrive, rather than being buffered for efficiency. This is the default when printing packets rather than saving them to a "savefile", if the packets are being printed to a terminal rather than to a file or pipe.
-A: Print each packet (minus its link-level header) in ASCII. Handy for capturing web pages. For example: tcpdump -nn -A -s1500 -l | grep "User-Agent:"

  • Adding -A to the command line makes the output include the ASCII strings from the capture. This allows easy reading and the ability to parse the output with grep or other commands. Another option, which shows both hexadecimal and ASCII output, is -X.

  • Filter TCP flags: You can filter on a field by giving the byte number of its position in the header. For example tcp[13] = 18 matches packets with both the SYN and ACK bits set (the flags byte is tcp[13]; SYN is 2 and ACK is 16). Some well-known fields are predefined for TCP (more details in the manual):

Filter                      Description
tcp[tcpflags] == tcp-rst    Just connection resets
tcp[tcpflags] == tcp-syn    Just SYNs
tcp[tcpflags] == tcp-ack    Just acknowledgements
tcp[tcpflags] == tcp-fin    Just FINs

Example: tcpdump "host 10.222.2.201 and not (port 22 or port 80) and tcp[tcpflags] == tcp-rst"

  • Filter ARP:

You need to define which field you would like to filter on and its value.

For request and reply filtering, use the opcode field, which is bytes 6-7 of the ARP header.

request filter: You may use fields 6 and 7 with an offset value, but simply field 7 is enough, since its value is 1 for a request and 2 for a reply.

example: tcpdump -i eth0 -e 'arp and arp[7]=1' -n

reply filter:

example: tcpdump -i eth0 -e 'arp and arp[7]=2' -n

filter for sender IP (bytes 14-17 of the ARP header):

example (sender IP 10.11.12.13):

tcpdump -i eth0 -e 'arp[14]=10 and arp[15]=11 and arp[16]=12 and arp[17]=13' -nnn -vvvv

filter for target IP (bytes 24-27 of the ARP header):

example (target IP 10.11.12.13):

tcpdump -i eth0 -e 'arp[24]=10 and arp[25]=11 and arp[26]=12 and arp[27]=13' -nnn -vvvv
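To show where the byte offsets used in the TCP-flag and ARP filters above come from, here is an added example (not part of the original notes, and not tcpdump's own code) that builds constructed Ethernet/ARP and Ethernet/IPv4/TCP frames and evaluates the same proto[offset] expressions over them in Python. The frame contents, MAC addresses and IPs are made up for the demonstration; tcp_flags_set is the masked form (tcp[13] & mask == mask), which matches when other flags such as PSH are also set.

```python
import struct

TCP_FLAGS = {"tcp-fin": 1, "tcp-syn": 2, "tcp-rst": 4, "tcp-push": 8,
             "tcp-ack": 16, "tcp-urg": 32}  # bit values in the TCP flags byte, tcp[13]

def ip_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))

def build_arp_frame(opcode, sender_ip, target_ip):
    """Constructed Ethernet + ARP frame (opcode 1 = request, 2 = reply)."""
    eth = b"\xff" * 6 + bytes.fromhex("0011223344aa") + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)      # htype, ptype, hlen, plen, opcode: bytes 0-7
    arp += bytes.fromhex("0011223344aa") + ip_bytes(sender_ip)  # sender MAC 8-13, sender IP 14-17
    arp += b"\x00" * 6 + ip_bytes(target_ip)                    # target MAC 18-23, target IP 24-27
    return eth + arp

def build_tcp_frame(flag_byte):
    """Constructed Ethernet + IPv4 (20-byte header, no options) + TCP segment with the given flags."""
    eth = bytes.fromhex("0011223344aa0011223344bb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ip_bytes("10.222.2.201"), ip_bytes("10.0.0.9"))
    tcp = struct.pack("!HHIIBBHHH", 443, 51000, 1, 1, 0x50, flag_byte, 512, 0, 0)
    return eth + ip + tcp

def field(frame, proto, offset):
    """tcpdump's proto[offset]: the byte at `offset` counted from the start of that protocol's header."""
    if proto in ("arp", "ip"):
        start = 14                              # immediately after the 14-byte Ethernet header
    elif proto == "tcp":
        start = 14 + (frame[14] & 0x0F) * 4     # skip the IP header (IHL is in 32-bit words)
    else:
        raise ValueError(proto)
    return frame[start + offset]

def is_arp_request(frame):            # arp[7] = 1
    return field(frame, "arp", 7) == 1

def arp_sender_ip(frame):             # arp[14] .. arp[17]
    return ".".join(str(field(frame, "arp", 14 + i)) for i in range(4))

def arp_target_ip(frame):             # arp[24] .. arp[27]
    return ".".join(str(field(frame, "arp", 24 + i)) for i in range(4))

def tcp_flags_exact(frame, *names):   # tcp[tcpflags] == tcp-x: exactly these bits, nothing else
    return field(frame, "tcp", 13) == sum(TCP_FLAGS[n] for n in names)

def tcp_flags_set(frame, *names):     # tcp[tcpflags] & mask == mask: these bits, others allowed
    mask = sum(TCP_FLAGS[n] for n in names)
    return field(frame, "tcp", 13) & mask == mask
```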

  • Filter ICMP:

sudo tcpdump -i ens3 -l 'icmp[icmptype] == icmp-echo'

Good examples:

https://hackertarget.com/tcpdump-examples/