Packet Capture, part 2 - Page 8
In this segment from the O'Reilly book, Network Troubleshooting Tools, you will learn all about using tcpdump filter expressions to capture only the traffic you are interested in.
Protocol and port filtering.
It is possible to restrict capture to specific protocols such as IP, AppleTalk, or TCP. You can also restrict capture to services built on top of these protocols, such as DNS or RIP. This type of capture can be done in three ways -- by using a few specific keywords known by tcpdump, by protocol using the proto keyword, or by service using the port keyword.
Several of these protocol names are recognized by tcpdump and can be identified by keyword. The following command restricts the traffic captured to IP traffic:
bsd1# tcpdump ip
To capture just TCP traffic, you would use:
bsd1# tcpdump tcp
Many protocols carried directly over IP (OSPF is one) have no keyword of their own. In this case, you can use the keywords proto or ip proto followed by either the name of the protocol as it appears in the /etc/protocols file or the corresponding protocol number. For example, either of the following will look for OSPF packets:
bsd1# tcpdump ip proto ospf
bsd1# tcpdump ip proto 89
Of course, the first works only if there is an entry for OSPF in /etc/protocols; the number works regardless.
Built-in keywords may cause problems. tcp, udp, and icmp are both protocol names and tcpdump keywords, so after proto they must either be escaped with a backslash (and the backslash itself must be protected from the shell, for example by single-quoting the expression) or replaced by the protocol number. For example, the following is fine:
bsd1# tcpdump ip proto 6
On the other hand, you can't use tcp with proto.
bsd1# tcpdump ip proto tcp
will generate an error.
Services built on top of TCP or UDP are selected with the port keyword, by name or by port number. Either of the following captures DNS traffic:
bsd1# tcpdump port domain
bsd1# tcpdump port 53
In the former case, the keyword domain is resolved by looking in /etc/services. When there may be ambiguity between transport-layer protocols, you may further restrict ports to a particular protocol. Consider the command:
bsd1# tcpdump udp port domain
This will capture DNS name lookups using UDP but not DNS zone transfers using TCP. The two previous commands would capture both. Keep in mind that ordinary lookups also fall back to TCP when a UDP response is truncated, so a UDP-only filter can miss some query traffic as well.
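The following helpers tie the proto and port examples above together. They are an added example, not code from the book: proto_number, ip_proto_filter, port_filter and tcpdump_cmd are names chosen here, the protocol table is a constructed subset of /etc/protocols so the script runs offline, and em0 is an assumed interface name. The point they make runnable is the keyword clash: a request for "tcp" after proto is turned into either the escaped form or the number, and the finished expression is single-quoted so the shell does not strip the backslash.

```shell
#!/bin/sh
# Added example (not from the book): build tcpdump filter expressions and
# sidestep the keyword clash. "ip proto tcp" is rejected because tcp is a
# tcpdump keyword; the parser accepts "ip proto \tcp" or "ip proto 6".

# Constructed subset of /etc/protocols so the example runs offline. On a real
# host the same lookup is: getent protocols "$1" | awk '{ print $2 }'
proto_number() {
    case "$1" in
        icmp) echo 1 ;;
        igmp) echo 2 ;;
        tcp)  echo 6 ;;
        udp)  echo 17 ;;
        ospf) echo 89 ;;
        *)    return 1 ;;
    esac
}

# ip_proto_filter NAME-OR-NUMBER [numeric|escape]
# Emits an "ip proto ..." clause that tcpdump will actually parse.
ip_proto_filter() {
    name=$1
    style=${2:-numeric}
    case "$name" in
        tcp|udp|icmp)
            if [ "$style" = escape ]; then
                # The backslash tells tcpdump's parser this is a protocol
                # name, not the keyword. printf turns \\ into one backslash.
                printf 'ip proto \\%s\n' "$name"
            else
                printf 'ip proto %s\n' "$(proto_number "$name")"
            fi ;;
        [0-9]*)
            printf 'ip proto %s\n' "$name" ;;
        *)
            # Prefer the number when we know it: it works even on a host
            # whose /etc/protocols lacks the entry. Otherwise pass the name.
            if num=$(proto_number "$name"); then
                printf 'ip proto %s\n' "$num"
            else
                printf 'ip proto %s\n' "$name"
            fi ;;
    esac
}

# port_filter SERVICE-OR-PORT [tcp|udp]
# Without a transport, "port domain" matches DNS over both UDP and TCP.
# "udp port domain" drops TCP zone transfers and truncated-response retries.
port_filter() {
    if [ -n "$2" ]; then
        printf '%s port %s\n' "$2" "$1"
    else
        printf 'port %s\n' "$1"
    fi
}

# tcpdump_cmd IFACE EXPRESSION
# Single quotes keep the Bourne shell from eating the backslash in "\tcp";
# under csh you would have to write \\tcp instead.
tcpdump_cmd() {
    printf "tcpdump -ni %s '%s'\n" "$1" "$2"
}

# Demo output when run directly (em0 is an assumed interface name).
tcpdump_cmd em0 "$(ip_proto_filter tcp escape)"
tcpdump_cmd em0 "$(ip_proto_filter ospf)"
tcpdump_cmd em0 "$(port_filter domain udp)"
```

Run with sh and paste the printed command lines into a root shell on the capture host; the numeric form is the safest choice when the expression will be reused across machines whose /etc/protocols files differ.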