First time here? Check out the FAQ!

Ask Your Question
0

Capture inbound packets only
 
  
 
  
 
 
 
 
 
 
    
        
        asked Jan 2 '3  
 
 leonardus gravatar image  
 
 
 
 
 
For example, with tcpdump, on some platforms something like tcpdump -i eth0 -Q in will capture inbound traffic on eth0. Is there something similar for tshark
 
Preview: (hide)
 
 
 
 
          
 
Comments
What operating system?

On linux (YMMV), you could use inbound or outbound as a capture filter:
pcap-filter.7 man page


Open issue to implement in npcap on Windows:
248: Support pcap_setdirection() for filtering packets by direction (sent or received)
Chuckc gravatar imageChuckc (
    
        Jan 2 '3
    )
Note that the "filtering" in "Support pcap_setdirection() for filtering packets by direction (sent or received)" is not filtering with a capture filter expression, it's filtering in a program that explicitly calls pcap_setdirection(), which tcpdump does (that's how -Q is implemented), but Wireshark does not.
Guy Harris gravatar imageGuy Harris (
    
        Jan 3 '3
    )
inbound "compiles" on Ubuntu with Wireshark 3.5.0rc0. Is that a bug?
(000) ldh      [-4092]
(001) jeq      #0x4             jt 2    jf 3
(002) ret      #0
(003) ret      #262144

Chuckc gravatar imageChuckc (
    
        Jan 3 '3
    )
inbound "compiles" on Ubuntu with Wireshark 3.5.0rc0. Is that a bug?
No.  As @Chuckc said, "On linux (YMMV), you could use inbound or outbound as a capture filter:"
Guy Harris gravatar imageGuy Harris (
    
        Jan 3 '3
    )
add a comment
 
 
 
 
 
 1 Answer
    
 
 
                    Sort by »
                     oldest newest most voted 
 
 
 
 
 
  
 
 
 
 
0
 
 
  
 
 
 
 
 
 
 
 
    
        
        answered Jan 2 '3  
 
 Eddi gravatar image  
 
 
 
 
 
How about this:
 
tshark -i 1 -f "ether dst 00:11:22:33:44:55"
 
-i specifies the interface. You might want to change the number to something that matches your needs. Use tshark -D to list all interfaces
 
Preview: (hide)
 
 
 
 
         
        link
        
 
Comments
unless you want multicast and broadcast traffic too...
Jaap gravatar imageJaap (
    
        Jan 2 '3
    )
I played with something similar. The thing with this is that there are inbound packets that have destination mac other than the mac of the interface.
leonardus gravatar imageleonardus (
    
        Jan 2 '3
    )
Or use the 'any' pseudo interface in case of Linux, in combination with the BPF filter inbound (or ether[10] != 4 on older versions) 

This means 'Linux cooked' header / packet type is not 'Sent by us', thus incoming unicast/broadcast/multicast traffic.
tshark -w file.pcapng -i any inbound
Or similarly not ether src <my-mac>
André gravatar imageAndré (
    
        Jan 2 '3
    )
add a comment
 
 
 
 
  
 
 
 
 

    
        Your Answer
    

 
 Please start posting anonymously - your entry will be published after you log in or create a new account.

    

 
 
Add Answer
 
 
 
 
 
 
 
 
   
  
 
   
 
 
 
 
 
 
 
 
Question Tools
  
 

        
        
            1 follower
        
    
 
 
 subscribe to rss feed 
 
 
 
 
 
 
Stats
 

        Asked:  Jan 2 '3  
 
 
        Seen: 1,557 times 
 

        Last updated: Jan 02 '23 
 
 
 
Related questions
 
 
 Deduplication in tshark -T ek [closed] 
 
 filtering out protocol, sequence number, and ack  using tshark 
 
 Using tshark filters to extract only interesting traffic from 12GB trace 
 
 Any way to use cmd tshark for a gns3 wire? 
 
 authority RRs tshark 
 
 can I install only tshark? 
 
 How do I change the interface on Tshark? 
 
 Tshark TCP stream assembly 
 
 Tshark output file problem, saving to csv or txt 
 
 How to convert Pcapng file to pcap file by Tshark