{"id":8005,"date":"2021-11-16T22:47:34","date_gmt":"2021-11-16T21:47:34","guid":{"rendered":"https:\/\/michlstechblog.info\/blog\/?p=8005"},"modified":"2025-02-27T15:00:34","modified_gmt":"2025-02-27T14:00:34","slug":"tcpdump-some-filter-examples","status":"publish","type":"post","link":"https:\/\/michlstechblog.info\/blog\/tcpdump-some-filter-examples\/","title":{"rendered":"tcpdump: Some filter examples"},"content":{"rendered":"<p>Hi,<\/p>\n<p>here are some command line examples for often requested packet filter strings.<br \/>\n<!--more--><br \/>\nFilter for a MAC address (as source or destination)<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\ntcpdump ether host 12:34:56:78:90:ab\r\n<\/pre>\n<p>Layer 2 broadcasts<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\ntcpdump ether dst ff:ff:ff:ff:ff:ff\r\n<\/pre>\n<p>Filter on parts of a MAC address. ether can be indexed like a byte array: offset 0 is the first byte of the destination MAC, offset 6 is the first byte of the source MAC. The number after the &#8220;:&#8221; is the length of the field to compare (1, 2 or 4 bytes). Quote the expression, otherwise the shell interprets the brackets and the &amp;.<br \/>\nThis example filters for source MACs whose first byte is 0x24, e.g. 24:34:56:78:ee:22<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\ntcpdump 'ether&#x5B;6:1] &amp; 0xff = 0x24'\r\n<\/pre>\n<p>And for a destination MAC starting with 0x24<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\ntcpdump 'ether&#x5B;0:1] &amp; 0xff = 0x24'\r\n<\/pre>\n<p>Filter ICMP packets. 
For example, on interface eth0<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\ntcpdump -i eth0 icmp\r\n<\/pre>\n<p>All packets to or from port 22. Note that port alone matches both TCP and UDP; prefix it with tcp to restrict the match to TCP<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\ntcpdump -i eth0 port 22\r\n<\/pre>\n<p>All packets to or from an IP address<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\ntcpdump -i eth0 host 10.10.254.10\r\n<\/pre>\n<p>And combined<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\ntcpdump -i eth0 host 10.10.254.10 and port 22\r\n<\/pre>\n<p>Filter for the TCP flags SYN <strong>or <\/strong>FIN. tcp&#x5B;tcpflags] is the flags byte of the TCP header (offset 13), and tcp-syn, tcp-fin etc. are the bit values of the flags. The expression must be quoted so the shell does not interpret the brackets, &amp; and |<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\ntcpdump 'tcp&#x5B;tcpflags] &amp; (tcp-syn|tcp-fin) != 0'\r\n<\/pre>\n<p>Filter for packets where SYN <strong>and <\/strong>ACK are both set, i.e. the second packet of a TCP handshake<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\ntcpdump 'tcp&#x5B;tcpflags] &amp; (tcp-syn|tcp-ack) == (tcp-syn|tcp-ack)'\r\n<\/pre>\n<p>CDP packets. The destination is the Cisco multicast address; the SNAP protocol ID 0x2000 is at offset 20 in an untagged frame and at offset 24 when an 802.1Q VLAN tag is present. This filter does not match LLDP, which is sent to 01:80:c2:00:00:0e with EtherType 0x88cc<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\ntcpdump 'ether dst 01:00:0c:cc:cc:cc and (ether&#x5B;24:2] = 0x2000 or ether&#x5B;20:2] = 0x2000)'\r\n<\/pre>\n<p>All hosts in a subnet<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\ntcpdump net 10.10.254.0\/24\r\n<\/pre>\n<p>Michael<\/p>\n<p>Further details can be found in the <a href=\"http:\/\/www.manpagez.com\/man\/7\/pcap-filter\/\" rel=\"noopener\" target=\"_blank\">pcap-filter<\/a> man page.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hi, here are some command line examples for often requested packet filter strings<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1675,1286],"tags":[1681,515,1677,1682,1678,549,1680,1679,1676],"class_list":["post-8005","post","type-post","status-publish","format-standard","hentry","category-tcpdump","category-tools","tag-ack","tag-examples","tag-filter","tag-fin","tag-icmp","tag-mac-address","tag-syn","tag-tcp-flags","tag-tcpdump"],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts\/8005","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/comments?post=8005"}],"version-history":[{"count":12,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts\/8005\/revisions"}],"predecessor-version":[{"id":9986,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts\/8005\/revisions\/9986"}],"wp:attachment":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/media?parent=8005"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/categories?post=8005"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/tags?post=8005"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
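The byte-offset filters in the post (ether[6:1], tcp[tcpflags], and the ether[20:2]/ether[24:2] pair in the CDP filter) are easier to trust once you see which bytes they load. The following is an added example, not code from the post or from tcpdump itself: it builds a few constructed frames (made-up MACs and addresses, checksums left at zero, a SYN/ACK, an untagged and an 802.1Q-tagged CDP frame, and an LLDP frame) and evaluates the post's filters on them with the same offset semantics in pure Python. It also writes the frames to a pcap file (assumed name frames.pcap) so the identical filter strings can be checked against tcpdump with -r, which needs no root and no live interface.

```python
"""Added example (not from the original post): constructed frames, the post's
byte-offset filters re-evaluated in Python, and a pcap to check them with
`tcpdump -nr frames.pcap '<filter>'`."""
import struct
import time

# Bit values behind tcpdump's tcp-* names; tcp[tcpflags] is TCP header byte 13.
TCP_FIN, TCP_SYN, TCP_RST, TCP_PUSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
CDP_MCAST = "01:00:0c:cc:cc:cc"   # Cisco CDP/VTP/DTP multicast destination
LLDP_MCAST = "01:80:c2:00:00:0e"  # LLDP nearest-bridge destination


def mac(text):
    """'24:34:56:78:ee:22' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def ether(frame, offset, size):
    """Same semantics as the filter primitive ether[offset:size]:
    a big-endian load of 1, 2 or 4 bytes from the start of the frame."""
    assert size in (1, 2, 4)
    return int.from_bytes(frame[offset:offset + size], "big")


def tcp_flags(frame):
    """tcp[tcpflags] for an untagged IPv4 frame: the flags byte at TCP offset 13.
    Returns None when the frame is not IPv4/TCP (the filter would not match)."""
    if ether(frame, 12, 2) != 0x0800 or frame[23] != 6:   # EtherType IPv4, IP proto TCP
        return None
    ihl = (frame[14] & 0x0F) * 4                           # IPv4 header length in bytes
    return frame[14 + ihl + 13]


def is_cdp(frame):
    """ether dst 01:00:0c:cc:cc:cc and (ether[24:2] = 0x2000 or ether[20:2] = 0x2000)"""
    return frame[0:6] == mac(CDP_MCAST) and (
        ether(frame, 24, 2) == 0x2000 or ether(frame, 20, 2) == 0x2000)


def tcp_synack_frame(dst, src):
    """Constructed IPv4/TCP frame with SYN+ACK set (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", 22, 40000, 1, 1, 5 << 4, TCP_SYN | TCP_ACK, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes([10, 10, 254, 10]), bytes([10, 10, 254, 20]))
    return mac(dst) + mac(src) + struct.pack("!H", 0x0800) + ip + tcp


def cdp_frame(src, vlan=None):
    """Constructed CDP frame: 802.3 length field, LLC AA AA 03, SNAP OUI 00:00:0c,
    PID 0x2000, then a minimal CDP header. With vlan set, an 802.1Q tag is inserted
    before the length field, which moves the PID from offset 20 to offset 24."""
    cdp = bytes([2, 180]) + b"\x00\x00"                    # version 2, TTL 180, checksum 0
    snap = bytes([0xAA, 0xAA, 0x03, 0x00, 0x00, 0x0C]) + struct.pack("!H", 0x2000)
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    return mac(CDP_MCAST) + mac(src) + tag + struct.pack("!H", len(snap) + len(cdp)) + snap + cdp


def lldp_frame(src):
    """Constructed LLDP frame: EtherType 0x88cc, end-of-LLDPDU TLV only."""
    return mac(LLDP_MCAST) + mac(src) + struct.pack("!H", 0x88CC) + b"\x00\x00"


def write_pcap(path, frames):
    """Write the frames as a classic pcap (LINKTYPE_ETHERNET) that tcpdump -r reads."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        now = int(time.time())
        for frame in frames:
            f.write(struct.pack("<IIII", now, 0, len(frame), len(frame)) + frame)


if __name__ == "__main__":
    synack = tcp_synack_frame("12:34:56:78:90:ab", "24:34:56:78:ee:22")
    frames = [synack, cdp_frame("00:11:22:33:44:55"), cdp_frame("00:11:22:33:44:55", vlan=10),
              lldp_frame("00:11:22:33:44:55")]
    print("ether[6:1] = 0x24 on the SYN/ACK:", ether(synack, 6, 1) == 0x24)
    print("SYN and ACK set:", (tcp_flags(synack) & (TCP_SYN | TCP_ACK)) == (TCP_SYN | TCP_ACK))
    print("CDP filter per frame:", [is_cdp(f) for f in frames])
    write_pcap("frames.pcap", frames)
```

After running it, `tcpdump -nr frames.pcap 'ether[6:1] = 0x24'` should show only the SYN/ACK, `tcpdump -nr frames.pcap 'ether dst 01:00:0c:cc:cc:cc and (ether[24:2] = 0x2000 or ether[20:2] = 0x2000)'` both CDP frames and not the LLDP frame, and `tcpdump -d -r frames.pcap '<filter>'` prints the compiled BPF program, which is a quick way to sanity-check a filter string before using it on a live interface.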