Hi,
here are some command-line examples for frequently requested packet filter strings.
Filter for a MAC address
tcpdump ether host 12:34:56:78:90:ab
Layer 2 broadcasts
tcpdump ether dst ff:ff:ff:ff:ff:ff
Filter for parts of a MAC address. ether can be indexed like an array, ether[offset:length]: offset 0 is the first byte of the destination MAC and offset 6 the first byte of the source MAC; the number after ":" is how many bytes to compare. Filters containing [, &, | or parentheses must be quoted so the shell does not interpret them.
This example filters for source MACs beginning with 0x24, e.g. 24:34:56:78:ee:22
tcpdump 'ether[6:1] & 0xff = 0x24'
And for a destination MAC starting with 0x24
tcpdump 'ether[0:1] & 0xff = 0x24'
Filter ICMP packets, for example on interface eth0
tcpdump -i eth0 icmp
All packets to or from a TCP port
tcpdump -i eth0 port 22
All packets to or from an IP address
tcpdump -i eth0 host 10.10.254.10
And combined
tcpdump -i eth0 host 10.10.254.10 and port 22
Filter for the TCP flags SYN or FIN
tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0'
Filter for packets where SYN and ACK are both set
tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-ack) == (tcp-syn|tcp-ack)'
CDP/LLDP packets. 01:00:0c:cc:cc:cc is the Cisco multicast address used by CDP; the SNAP protocol ID 0x2000 sits at offset 20 in an untagged frame and at offset 24 when an 802.1Q tag is present.
tcpdump 'ether dst 01:00:0c:cc:cc:cc and (ether[24:2] = 0x2000 or ether[20:2] = 0x2000)'
All hosts in a subnet
tcpdump net 10.10.254.0/24
Michael
Further details can be found in the pcap-filter(7) man page.
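Added example, not from the post above: a Python sketch of what the byte-offset filters compare. It rebuilds ether[off:n] and tcp[tcpflags] over two constructed frames (a TCP SYN/ACK and a CDP announcement) so the offsets 0, 6, 20 and 24 and the flag arithmetic can be checked without a live interface; the frame contents are made up for the test.

```python
import struct

# Offsets used by the filters above: dst MAC at 0-5, src MAC at 6-11, type/length at 12-13.
ETH_LEN = 14
TCP_FIN, TCP_SYN, TCP_ACK = 0x01, 0x02, 0x10   # the values behind tcp-fin, tcp-syn, tcp-ack
CDP_MCAST = 0x01000CCCCCCC                     # 01:00:0c:cc:cc:cc as one integer

def mac(text):
    """'12:34:56:78:90:ab' -> the 6 raw bytes as they sit in the frame."""
    return bytes.fromhex(text.replace(":", ""))

def ether(frame, off, n):
    """ether[off:n]: n bytes at offset off, read as an unsigned big-endian integer."""
    return int.from_bytes(frame[off:off + n], "big")

def tcp_flags(frame):
    """tcp[tcpflags], i.e. tcp[13], for an untagged IPv4 frame; honours the IP header length."""
    ihl = (frame[ETH_LEN] & 0x0F) * 4
    return frame[ETH_LEN + ihl + 13]

# The filter expressions from the post, byte for byte. Note the extra parentheses:
# in pcap filters '&' binds tighter than '=' / '!=', in Python it is the other way round.
def is_broadcast(frame):
    return ether(frame, 0, 6) == 0xFFFFFFFFFFFF
def src_mac_starts_with(frame, first_byte):          # ether[6:1] & 0xff = 0x24
    return (ether(frame, 6, 1) & 0xFF) == first_byte
def dst_mac_starts_with(frame, first_byte):          # ether[0:1] & 0xff = 0x24
    return (ether(frame, 0, 1) & 0xFF) == first_byte
def syn_or_fin(frame):                               # tcp[tcpflags] & (tcp-syn|tcp-fin) != 0
    return (tcp_flags(frame) & (TCP_SYN | TCP_FIN)) != 0
def syn_and_ack(frame):                              # ... & (tcp-syn|tcp-ack) == (tcp-syn|tcp-ack)
    return (tcp_flags(frame) & (TCP_SYN | TCP_ACK)) == (TCP_SYN | TCP_ACK)

def is_cdp(frame):
    # SNAP protocol ID 0x2000 sits at offset 20 in an untagged frame, at 24 behind an 802.1Q tag.
    return ether(frame, 0, 6) == CDP_MCAST and (
        ether(frame, 24, 2) == 0x2000 or ether(frame, 20, 2) == 0x2000)

def tcp_frame(dst, src, flags):
    """Constructed Ethernet/IPv4/TCP frame: no options, zero checksums, 10.10.254.10 -> port 22."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes([10, 10, 254, 10]), bytes([10, 10, 254, 1]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 22, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return mac(dst) + mac(src) + b"\x08\x00" + ip + tcp

def cdp_frame(src):
    """Constructed 802.3 frame: LLC/SNAP header with Cisco OUI and PID 0x2000, then a 4-byte CDP header."""
    llc_snap = b"\xaa\xaa\x03" + b"\x00\x00\x0c" + b"\x20\x00"
    return mac("01:00:0c:cc:cc:cc") + mac(src) + b"\x00\x0c" + llc_snap + b"\x02\xb4\x00\x00"
```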