
I can filter by lots of protocols in Wireshark and tshark, like this:

sudo tshark -i <My_Interface> -Y '(ip.addr == <My_IP> and isakmp)'

How can I add the protocol filter in a tcpdump command like this?

sudo tcpdump -i any -nn host <My_IP>

Maf

2 Answers


You would use filters on the end. These are called Berkeley Packet Filters, or BPFs for short. In your example, you could do it this way:

tcpdump -nn -vvv -e -s 0 -X -c 100 -i eth0 host 1.2.3.4 and \(proto 17 and port 500\)

This would capture traffic to or from 1.2.3.4 with Layer-3 protocol 17 (UDP) and Layer-4 port 500. You can also use friendly names if they are present in /etc/protocols and /etc/services like this:

host 1.2.3.4 and \(proto udp and port isakmp\)

There are quite a lot more BPFs you can use to limit things like protocol versions to only capture IPv6 (ip6) or capture traffic that has the SYN flag set in a TCP packet (tcp[tcpflags] == tcp-syn).

If you need a live tool, I've created https://tcpdump101.com which will let you build your tcpdump syntax and BPF so you can just copy and paste it. Hopefully it will help you out.

Grave_Rose
  • Why is the protocol name being treated as a port? – Maf Sep 23 '21 at 20:58
  • It's not. The way it works is that protocols run on Layer-3 (see: https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml) and ports run on Layer-4 (see: https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml). Layer-3 protocol 17 (IP/17) is UDP. Layer-4 port 500 (UDP/500) is "isakmp". – Grave_Rose Sep 24 '21 at 00:20
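To make the Layer-3/Layer-4 distinction in the answer and comment concrete, here is an added example (not part of either answer or of tcpdump itself) that evaluates the two BPF expressions quoted above, `host 1.2.3.4 and (proto 17 and port 500)` and `tcp[tcpflags] == tcp-syn`, by hand on raw Ethernet frames constructed inline. It does what the compiled filter does: read the protocol byte at IPv4 offset 9, use the IHL field to find the transport header (BPF's `4*([14]&0xf)`), skip non-first fragments because they carry no port numbers, and compare the port against both source and destination since `port` is symmetric. The addresses, ports and frames are constructed test data.

```python
"""Byte-level evaluation of two tcpdump/BPF expressions on constructed frames.

Added example, not code from the original post or from tcpdump/libpcap.
"""
import ipaddress
import struct
from typing import Optional

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6      # Layer-3 protocol number for TCP
IPPROTO_UDP = 17     # Layer-3 protocol number for UDP ("proto 17")
TCP_SYN = 0x02       # value of tcpdump's tcp-syn keyword
TCP_ACK = 0x10


def parse_frame(frame: bytes) -> Optional[dict]:
    """Extract the fields the BPF expressions key on; None if not IPv4."""
    if len(frame) < ETH_HDR_LEN + 20:
        return None
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4                      # IPv4 header length in bytes
    proto = ip[9]                                  # protocol field (Layer 3)
    frag_off = struct.unpack_from("!H", ip, 6)[0] & 0x1FFF
    info = {
        "proto": proto,
        "src": str(ipaddress.IPv4Address(ip[12:16])),
        "dst": str(ipaddress.IPv4Address(ip[16:20])),
        "sport": None, "dport": None, "tcpflags": None,
    }
    # Only the first fragment carries the transport header; 'port' never
    # matches later fragments, so leave the Layer-4 fields unset for them.
    if proto not in (IPPROTO_TCP, IPPROTO_UDP) or frag_off != 0:
        return info
    l4 = ip[ihl:]
    if len(l4) < 4:
        return info
    info["sport"], info["dport"] = struct.unpack_from("!HH", l4, 0)   # Layer 4
    if proto == IPPROTO_TCP and len(l4) >= 14:
        info["tcpflags"] = l4[13]                  # tcp[tcpflags]
    return info


def match_host_proto_port(frame: bytes, host: str, proto: int, port: int) -> bool:
    """Equivalent of 'host HOST and (proto PROTO and port PORT)'."""
    f = parse_frame(frame)
    if f is None:
        return False
    return (host in (f["src"], f["dst"])
            and f["proto"] == proto
            and port in (f["sport"], f["dport"]))


def match_tcp_syn_only(frame: bytes) -> bool:
    """Equivalent of 'tcp[tcpflags] == tcp-syn': SYN set and nothing else."""
    f = parse_frame(frame)
    return f is not None and f["proto"] == IPPROTO_TCP and f["tcpflags"] == TCP_SYN


def build_frame(src: str, dst: str, proto: int, sport: int, dport: int,
                tcpflags: int = 0, payload: bytes = b"") -> bytes:
    """Construct Ethernet + minimal IPv4 + UDP/TCP header (checksums left 0)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    if proto == IPPROTO_UDP:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    else:
        # sport, dport, seq, ack, data offset (5 words), flags, window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, tcpflags,
                         65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return eth + ip + l4


if __name__ == "__main__":
    ike = build_frame("1.2.3.4", "10.0.0.9", IPPROTO_UDP, 500, 500, payload=b"\x00" * 28)
    syn = build_frame("1.2.3.4", "10.0.0.9", IPPROTO_TCP, 40001, 443, tcpflags=TCP_SYN)
    print("isakmp filter on IKE frame:", match_host_proto_port(ike, "1.2.3.4", 17, 500))
    print("syn-only filter on SYN frame:", match_tcp_syn_only(syn))
```

Note that the port check is evaluated only after the protocol check succeeds, which is why `proto 17 and port 500` will not match TCP/500: the same 16-bit value at the same offset belongs to a different Layer-4 header. The SYN test uses equality, not a bit test, so a SYN-ACK (flags 0x12) is excluded exactly as it is by `tcp[tcpflags] == tcp-syn`.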

I could create my own filter after some workarounds:

# -l makes tcpdump line-buffer stdout, so each decoded packet reaches the loop as it arrives
while IFS= read -r line; do if [[ $line =~ isakmp ]]; then echo "$line"; fi; done < <(sudo tcpdump -l -i any -nn host <My_IP>)
Maf