First time here? Check out the FAQ!

Ask Your Question
0

Capture inbound packets only

asked Jan 2 '3

leonardus gravatar image

For example, with tcpdump, on some platforms something like tcpdump -i eth0 -Q in will capture inbound traffic on eth0. Is there something similar for tshark

Preview: (hide)

Comments

What operating system?
On linux (YMMV), you could use inbound or outbound as a capture filter:
pcap-filter.7 man page

Open issue to implement in npcap on Windows:
248: Support pcap_setdirection() for filtering packets by direction (sent or received)

Chuckc gravatar imageChuckc ( Jan 2 '3 )

Note that the "filtering" in "Support pcap_setdirection() for filtering packets by direction (sent or received)" is not filtering with a capture filter expression, it's filtering in a program that explicitly calls pcap_setdirection(), which tcpdump does (that's how -Q is implemented), but Wireshark does not.

Guy Harris gravatar imageGuy Harris ( Jan 3 '3 )

inbound "compiles" on Ubuntu with Wireshark 3.5.0rc0. Is that a bug?

(000) ldh      [-4092]
(001) jeq      #0x4             jt 2    jf 3
(002) ret      #0
(003) ret      #262144
Chuckc gravatar imageChuckc ( Jan 3 '3 )

inbound "compiles" on Ubuntu with Wireshark 3.5.0rc0. Is that a bug?

No. As @Chuckc said, "On linux (YMMV), you could use inbound or outbound as a capture filter:"

Guy Harris gravatar imageGuy Harris ( Jan 3 '3 )

1 Answer

Sort by » oldest newest most voted
0

answered Jan 2 '3

Eddi gravatar image

How about this:

tshark -i 1 -f "ether dst 00:11:22:33:44:55"

-i specifies the interface. You might want to change the number to something that matches your needs. Use tshark -D to list all interfaces

Preview: (hide)
link

Comments

unless you want multicast and broadcast traffic too...

Jaap gravatar imageJaap ( Jan 2 '3 )

I played with something similar. The thing with this is that there are inbound packets that have destination mac other than the mac of the interface.

leonardus gravatar imageleonardus ( Jan 2 '3 )

Or use the 'any' pseudo interface in case of Linux, in combination with the BPF filter inbound (or ether[10] != 4 on older versions)
This means 'Linux cooked' header / packet type is not 'Sent by us', thus incoming unicast/broadcast/multicast traffic.

tshark -w file.pcapng -i any inbound

Or similarly not ether src <my-mac>

André gravatar imageAndré ( Jan 2 '3 )

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: Jan 2 '3

Seen: 1,557 times

Last updated: Jan 02 '23