Revision history

initial version

If you need to create an overview of connections and are not interested in the amount of the traffic, then you can iteratively remove traffic from the capture once you've added it to the list of interactions. As there are probably a few top conversations, removing those from the capture process might significantly reduce the capture sizes.

So basically:

  1. Capture traffic for a short while
  2. Analyze the traffic and add the top interactions to your list
  3. Add these interactions to the filter in a not clause
  4. Go back to step one, rinse and repeat :-)

The filter will become something like:

(tcp[13]=18 or proto icmp or proto udp) and not (host 10.0.0.1 and udp port 53) and not (host 10.0.2.10 and tcp port 80) and not ... etc

Some small notes on your capture filter:

  • Both tcpdump and wireshark use the same filtering language (BPF), no need to convert
  • protocol names in BPF filters are case sensitive, so you need to use "udp" instead of "UDP" and "icmp" instead of "ICMP"
  • tcp[13]=18 means: look at offset 13 in the packet and only capture the packet when its value is 18. This means the SYN-bit (2) and the ACK-bit (16) both need to be set, but all other TCP flags must be unset
  • tcp[0xd]&18 = 2 means: look at offset 0xd (13 in decimal), take its value and then only look at the bits for SYN (2) and ACK (16) by doing a logical AND. If the result is exactly 2, then capture the packet. This means the SYN-bit (2) needs to be set, the ACK-bit (16) needs to be unset and all other bits in the TCP flags can be set or unset (as they were masked by the AND (&) operator).
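An added worked example (not code from the answer above or from the tcpdump/Wireshark projects) that makes the two flag checks concrete: it builds minimal TCP headers with constructed flag bytes, evaluates `tcp[13]=18` and `tcp[0xd]&18 = 2` against them the way BPF does (exact byte compare versus mask-then-compare), and assembles the iterative `and not (...)` exclusion filter from a list of top conversations. The hosts and ports are the constructed values from the answer's own filter line; the helper names are my own.

```python
"""Evaluate the answer's two TCP-flag capture filters against constructed
packets, and build the iterative exclusion filter from a conversation list.
Added example; not part of the original answer."""
import struct

# TCP flag bits as they appear in byte 13 of the TCP header (tcp[13]).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK", URG: "URG"}


def make_tcp_header(flags: int) -> bytes:
    """Construct a minimal 20-byte TCP header (no options) with the given flags byte.
    Ports, sequence numbers and window are constructed dummy values."""
    data_offset = 5 << 4  # 5 * 4 = 20 bytes, reserved bits zero
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, data_offset, flags, 65535, 0, 0)


def matches_exact_syn_ack(tcp_header: bytes) -> bool:
    """tcp[13]=18 : the whole flags byte must equal SYN|ACK, nothing else set."""
    return tcp_header[13] == 18


def matches_masked_syn(tcp_header: bytes) -> bool:
    """tcp[0xd]&18 = 2 : keep only SYN and ACK bits; SYN must be set, ACK clear.
    Other flags (PSH, URG, ...) are ignored because the mask removes them."""
    return (tcp_header[13] & 18) == 2


def flag_string(flags: int) -> str:
    """Human-readable name list for a flags byte, e.g. 'SYN|ACK'."""
    return "|".join(name for bit, name in FLAG_NAMES.items() if flags & bit) or "none"


def build_exclusion_filter(base: str, conversations) -> str:
    """Step 3 of the answer: wrap the base filter and append one
    'not (host H and PROTO port P)' clause per known top conversation."""
    parts = [f"({base})"]
    for host, proto, port in conversations:
        parts.append(f"not (host {host} and {proto} port {port})")
    return " and ".join(parts)


def main() -> None:
    cases = [SYN, SYN | ACK, SYN | PSH, SYN | ACK | PSH, ACK, FIN | ACK]
    print(f"{'flags':<14}{'tcp[13]=18':<12}tcp[0xd]&18=2")
    for flags in cases:
        hdr = make_tcp_header(flags)
        print(f"{flag_string(flags):<14}{str(matches_exact_syn_ack(hdr)):<12}"
              f"{matches_masked_syn(hdr)}")

    # Constructed top conversations, as in the answer's example filter.
    top = [("10.0.0.1", "udp", 53), ("10.0.2.10", "tcp", 80)]
    print(build_exclusion_filter("tcp[13]=18 or proto icmp or proto udp", top))


if __name__ == "__main__":
    main()
```

The table the script prints shows why the two expressions pick different packets: `tcp[13]=18` matches only a clean SYN/ACK, while `tcp[0xd]&18 = 2` matches any packet with SYN set and ACK clear, including one that also carries PSH or URG. The generated filter string is exactly the form shown in the answer and can be pasted into either tcpdump or Wireshark as a capture filter.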