Tcpdump is a powerful command-line tool used to capture and analyze network traffic. When capturing traffic, it's often necessary to filter packets based on specific criteria, such as IP addresses, ports, or protocols. Filtering helps focus on relevant traffic, reducing the amount of data collected and making it easier to analyze. Filters in tcpdump use the Berkeley Packet Filter (BPF) syntax, allowing users to create highly specific rules for what traffic to capture.

By applying filters, you can capture only the traffic of interest, such as packets from a particular IP address, packets related to a specific protocol like HTTP or TCP, or traffic on a particular port. This can significantly reduce the amount of data and focus the capture on the necessary information.

Filtering network traffic in tcpdump is crucial in busy environments where large amounts of traffic are flowing. Using the right filters ensures that you capture only the necessary data, which makes the capture more efficient to analyze and to store.

Steps to filter network traffic in tcpdump:

  1. Open a terminal.
  2. Filter traffic by IP address.
    $ sudo tcpdump -i eth0 host 192.168.1.10
    10:15:25.543211 IP 192.168.1.10.12345 > 192.168.1.1.80: Flags [S], seq 123456789, win 65535, length 0
    10:15:25.543212 IP 192.168.1.1.80 > 192.168.1.10.12345: Flags [S.], ack 123456790, win 65535, length 0

    This command captures all traffic to and from the host 192.168.1.10.

  3. Filter traffic by source IP address.
    $ sudo tcpdump -i eth0 src 192.168.1.10
    10:15:26.543211 IP 192.168.1.10.49582 > 192.168.1.1.80: Flags [S], seq 123456789, win 65535, length 0

    This command captures only traffic originating from the source IP 192.168.1.10.

  4. Filter traffic by destination IP address.
    $ sudo tcpdump -i eth0 dst 192.168.1.1
    10:15:26.543212 IP 192.168.1.10.49582 > 192.168.1.1.80: Flags [S], seq 123456789, win 65535, length 0

    This command captures only traffic destined for 192.168.1.1.

  5. Filter traffic by protocol.
    $ sudo tcpdump -i eth0 tcp
    10:15:26.543211 IP 192.168.1.10.49582 > 192.168.1.1.80: Flags [S], seq 123456789, win 65535, length 0

    This command captures only TCP traffic on the specified interface.

  6. Filter traffic by port number.
    $ sudo tcpdump -i eth0 port 80
    10:15:25.543211 IP 192.168.1.10.49582 > 192.168.1.1.80: Flags [S], seq 123456789, win 65535, length 0

    This command captures all traffic on port 80, commonly used for HTTP traffic.

  7. Filter traffic by protocol and port.
    $ sudo tcpdump -i eth0 tcp port 443
    10:15:25.543211 IP 192.168.1.10.49582 > 192.168.1.1.443: Flags [S], seq 123456789, win 65535, length 0

    This command captures only TCP traffic on port 443, typically used for HTTPS connections.

  8. Capture traffic between two hosts.
    $ sudo tcpdump -i eth0 src 192.168.1.10 and dst 192.168.1.1
    10:15:25.543211 IP 192.168.1.10.49582 > 192.168.1.1.80: Flags [S], seq 123456789, win 65535, length 0

    This command captures traffic flowing from source 192.168.1.10 to destination 192.168.1.1.

  9. Exclude specific traffic from capture.
    $ sudo tcpdump -i eth0 not port 22
    10:15:25.543211 IP 192.168.1.10.49582 > 192.168.1.1.80: Flags [S], seq 123456789, win 65535, length 0

    This command excludes traffic on port 22 (typically SSH traffic) from the capture. This is useful when you run tcpdump over an SSH session, since it keeps the packets of your own session out of the capture.

  10. Combine filters for more specific traffic.
    $ sudo tcpdump -i eth0 src 192.168.1.10 and tcp and port 443
    10:15:25.543211 IP 192.168.1.10.49582 > 192.168.1.1.443: Flags [S], seq 123456789, win 65535, length 0

    This command captures traffic from source 192.168.1.10 using the TCP protocol on port 443.

  11. Filter traffic by network range.
    $ sudo tcpdump -i eth0 net 192.168.1.0/24
    10:15:25.543211 IP 192.168.1.10.49582 > 192.168.1.1.80: Flags [S], seq 123456789, win 65535, length 0

    This command captures traffic on the 192.168.1.0/24 subnet.
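As an added illustration (not part of the original article), the Python script below reproduces the matching rules of the filter primitives used in the steps above (host, src, dst, port, net, and, not) over constructed tcpdump output lines. It lets you confirm, for example, that host and port match either endpoint while src and dst match only one side, and that net tests CIDR membership. The sample lines and addresses are constructed, modelled on the output shown in the steps.

```python
import ipaddress
import re

# Constructed sample lines in tcpdump's numeric text format (as shown in the steps above).
SAMPLE = """\
10:15:25.543211 IP 192.168.1.10.49582 > 192.168.1.1.80: Flags [S], seq 123456789, win 65535, length 0
10:15:25.543212 IP 192.168.1.1.80 > 192.168.1.10.49582: Flags [S.], ack 123456790, win 65535, length 0
10:15:26.100000 IP 10.0.0.5.51000 > 192.168.1.10.22: Flags [P.], seq 1:30, ack 1, win 501, length 29
10:15:26.200000 IP 192.168.1.10.49583 > 203.0.113.7.443: Flags [S], seq 42, win 65535, length 0
10:15:26.300000 IP 10.0.0.5.40000 > 10.0.0.9.53: 1234+ A? example.com. (29)
""".splitlines()

# Timestamp, "IP", then "src.port > dst.port:" as tcpdump prints them with numeric addresses.
LINE_RE = re.compile(r"^\S+ IP (\S+)\.(\d+) > (\S+)\.(\d+): ")

def parse(line):
    """Return (src_ip, src_port, dst_ip, dst_port) from one tcpdump text line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group(1), int(m.group(2)), m.group(3), int(m.group(4))

# Each predicate mirrors the BPF keyword it is named after: 'host' and 'port' match
# either endpoint, 'src'/'dst' only one side, 'net' checks CIDR containment.
def host(ip):  return lambda p: ip in (p[0], p[2])
def src(ip):   return lambda p: p[0] == ip
def dst(ip):   return lambda p: p[2] == ip
def port(n):   return lambda p: n in (p[1], p[3])
def net(cidr):
    network = ipaddress.ip_network(cidr)
    return lambda p: any(ipaddress.ip_address(a) in network for a in (p[0], p[2]))
def and_(*fs): return lambda p: all(f(p) for f in fs)
def not_(f):   return lambda p: not f(p)

def apply_filter(pred, lines=SAMPLE):
    """Return the lines whose parsed endpoints satisfy the predicate (unparsable lines are dropped)."""
    return [ln for ln in lines if (p := parse(ln)) and pred(p)]

if __name__ == "__main__":
    # 'host' matches packets in both directions; 'src' only those sent by the address.
    print(len(apply_filter(host("192.168.1.10"))), len(apply_filter(src("192.168.1.10"))))
    # 'not port 22' drops the SSH line; 'src ... and port 443' keeps only the HTTPS SYN.
    print(len(apply_filter(not_(port(22)))), len(apply_filter(and_(src("192.168.1.10"), port(443)))))
```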
