Packet Capture, part 2 - Page 8

In this segment from the O'Reilly book, Network Troubleshooting Tools, you will learn all abut how to use the tcpdump in relation to packet capturing.

 By O'Reilly Press
Page 8 of 10   |  Back to Page 1
Print Article Protocol and port filtering.

It is possible to restrict capture to specific protocols such as IP, Appletalk, or TCP. You can also restrict capture to services built on top of these protocols, such as DNS or RIP. This type of capture can be done in three ways -- by using a few specific keywords known by tcpdump, by protocol using the proto keyword, or by service using the port keyword.

Several of these protocol names are recognized by tcpdump and can be identified by keyword. The following command restricts the traffic captured to IP traffic:

bsd1# tcpdump ip

Of course, IP traffic will include TCP traffic, UDP traffic, and so on.

To capture just TCP traffic, you would use:

bsd1# tcpdump tcp

Recognized keywords include ip, igmp, tcp, udp, and icmp.

There are many transport-level services that do not have recognized keywords. In this case, you can use the keywords proto or ip proto followed by either the name of the protocol found in the /etc/protocols file or the corresponding protocol number. For example, either of the following will look for OSPF packets:

bsd1# tcpdump ip proto ospf
bsd1# tcpdump ip proto 89

Of course, the first works only if there is an entry in /etc/protocols for OSPF.

Built-in keywords may cause problems. In these examples, the keyword tcp must either be escaped or the number must be used. For example, the following is fine:

bsd#1 tcpdump ip proto 6 

On the other hand, you can't use tcp with proto.

bsd#1 tcpdump ip proto tcp 

will generate an error.

For higher-level services, services built on top of the underlying protocols, you must use the keyword port. Either of the following will collect DNS traffic:

bsd#1 tcpdump port domain 
bds#1 tcpdump port 53

In the former case, the keyword domain is resolved by looking in /etc/services. When there may be ambiguity between transport-layer protocols, you may further restrict ports to a particular protocol. Consider the command:

bsd#1 tcpdump udp port domain

This will capture DNS name lookups using UDP but not DNS zone transfers using TCP. The two previous commands would capture both.

This article was originally published on Nov 13, 2001
Get the Latest Scoop with Networking Update Newsletter