Ask Your Question
0

Why doesn't tcpdump's filter take effect?

asked 2020-05-12 07:03:28 +0000

nanxiao gravatar image

Hi Community,

Greetings from me!

My tcpdump version is:

$ tcpdump --version
tcpdump version tcpdump version 4.9.3 -- Apple version 90.100.1
libpcap version 1.9.1
LibreSSL 2.8.3

I tried to use tcpdump to filter some packets:

$ tcpdump -nr tests/traces/gtp/gtp-tcp-no-data-rst-after-fin.anon.pcap port 2152
reading from file tests/traces/gtp/gtp-tcp-no-data-rst-after-fin.anon.pcap, link-type EN10MB (Ethernet)
$

Nothing is found, but actually there are packets whose port is 2152:

$ tcpdump -nr tests/traces/gtp/gtp-tcp-no-data-rst-after-fin.anon.pcap
reading from file tests/traces/gtp/gtp-tcp-no-data-rst-after-fin.anon.pcap, link-type EN10MB (Ethernet)
15:57:40.095481 IP 10.0.0.1.2123 > 10.0.0.3.2123: UDP, length 186
15:57:40.288664 IP 10.0.0.3.2123 > 10.0.0.1.2123: UDP, length 130
16:00:07.540641 IP 10.0.0.2.2152 > 10.0.0.4.2152: UDP, length 72
16:00:08.041768 IP 10.0.0.2.2152 > 10.0.0.4.2152: UDP, length 72
......

Did I miss something? Thanks very much in advance!

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by ยป oldest newest most voted
1

answered 2020-05-12 12:20:36 +0000

Jim Young gravatar image

Adding the -e option to the tcpdump command to display link level headers may reveal the presence of 'ethertype 802.1Q (0x8100)' or some other additional headers. If there are additional headers then you will need to modify your pcap_filter expression.

For example if there are 802.1Q headers then modify the pcap_filter from 'port 2152' to 'vlan and port 2152'.

If the capture includes both packets with and without 802.1Q headers a more complex pcap_filter might be needed such as 'port 2152 or vlan and port 2152'.

Review the pcap_filter(7) man page for more details on how the vlan|mpls|pppoes|geneve keywords changes the decoding offsets for the remainder of expression.

edit flag offensive delete link more
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2020-05-12 07:03:28 +0000

Seen: 359 times

Last updated: May 12 '20

Related questions

Step by step SSL decrypt with wireshark

Unable to write to standard output: The pipe is being closed.

Ignored Unknown Record

Can't see encrypted application data in SSL session

How to use rawshark to analyse a pcap file which is generated by tcpdump?

Link layer header type for serial/UART communication

TCP Retransmission requests from IPTV Server and TCP Dup Ack Requests from Client

802.11n capture with PPI encapsulation containing HTTP data - help

sshdump does not connect and provides no error

How to capture traffic of the device (router) I am connected with