Ask Your Question
0

Capture inbound packets only

asked 2023-01-02 01:34:50 +0000

leonardus gravatar image

For example, with tcpdump, on some platforms something like tcpdump -i eth0 -Q in will capture inbound traffic on eth0. Is there something similar for tshark

edit retag flag offensive close merge delete

Comments

What operating system?
On linux (YMMV), you could use inbound or outbound as a capture filter:
pcap-filter.7 man page

Open issue to implement in npcap on Windows:
248: Support pcap_setdirection() for filtering packets by direction (sent or received)

Chuckc gravatar imageChuckc ( 2023-01-02 20:55:43 +0000 )edit

Note that the "filtering" in "Support pcap_setdirection() for filtering packets by direction (sent or received)" is not filtering with a capture filter expression, it's filtering in a program that explicitly calls pcap_setdirection(), which tcpdump does (that's how -Q is implemented), but Wireshark does not.

Guy Harris gravatar imageGuy Harris ( 2023-01-03 06:44:50 +0000 )edit

inbound "compiles" on Ubuntu with Wireshark 3.5.0rc0. Is that a bug?

(000) ldh      [-4092]
(001) jeq      #0x4             jt 2    jf 3
(002) ret      #0
(003) ret      #262144
Chuckc gravatar imageChuckc ( 2023-01-03 15:04:51 +0000 )edit

inbound "compiles" on Ubuntu with Wireshark 3.5.0rc0. Is that a bug?

No. As @Chuckc said, "On linux (YMMV), you could use inbound or outbound as a capture filter:"

Guy Harris gravatar imageGuy Harris ( 2023-01-03 17:54:03 +0000 )edit

1 Answer

Sort by » oldest newest most voted
0

answered 2023-01-02 16:47:12 +0000

Eddi gravatar image

How about this:

tshark -i 1 -f "ether dst 00:11:22:33:44:55"

-i specifies the interface. You might want to change the number to something that matches your needs. Use tshark -D to list all interfaces

edit flag offensive delete link more

Comments

unless you want multicast and broadcast traffic too...

Jaap gravatar imageJaap ( 2023-01-02 17:35:36 +0000 )edit

I played with something similar. The thing with this is that there are inbound packets that have destination mac other than the mac of the interface.

leonardus gravatar imageleonardus ( 2023-01-02 18:37:56 +0000 )edit

Or use the 'any' pseudo interface in case of Linux, in combination with the BPF filter inbound (or ether[10] != 4 on older versions)
This means 'Linux cooked' header / packet type is not 'Sent by us', thus incoming unicast/broadcast/multicast traffic.

tshark -w file.pcapng -i any inbound

Or similarly not ether src <my-mac>

André gravatar imageAndré ( 2023-01-02 21:23:49 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2023-01-02 01:34:50 +0000

Seen: 1,498 times

Last updated: Jan 02 '23