Capture inbound packets only
For example, with tcpdump, on some platforms something like tcpdump -i eth0 -Q in will capture inbound traffic on eth0. Is there something similar for tshark?
How about this:
tshark -i 1 -f "ether dst 00:11:22:33:44:55"
-i specifies the interface. You might want to change the number to something that matches your needs. Use tshark -D to list all interfaces.
Or use the 'any' pseudo interface in case of Linux, in combination with the BPF filter inbound (or ether[10] != 4 on older versions).
This means 'Linux cooked' header / packet type is not 'Sent by us', thus incoming unicast/broadcast/multicast traffic.
tshark -w file.pcapng -i any inbound
Or similarly not ether src <my-mac>
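What the direction check in the answer above looks at, as an added example that is not part of the original answer: the packet-type field of the Linux cooked header, where 4 means "sent by us". It goes slightly beyond the answer by covering both cooked header layouts (v1 keeps the type in the first two bytes, v2 keeps it in the single byte at offset 10, the byte that ether[10] reads); the function names and sample frames are constructed for illustration.

```python
import struct

OUTGOING = 4  # cooked-header packet type "sent by us"
PKT_NAMES = {0: "unicast to us", 1: "broadcast", 2: "multicast",
             3: "other host", 4: "sent by us"}
MAC = bytes.fromhex("001122334455")  # constructed sample address

def build_sll_v1(pkttype, mac, proto=0x0800):
    # v1 (16 bytes): pkttype(2) hatype(2) halen(2) addr(8) protocol(2)
    return struct.pack("!HHH8sH", pkttype, 1, len(mac), mac, proto)

def build_sll_v2(pkttype, mac, ifindex=2, proto=0x0800):
    # v2 (20 bytes): protocol(2) reserved(2) ifindex(4) hatype(2)
    #                pkttype(1) halen(1) addr(8)
    return struct.pack("!HHIHBB8s", proto, 0, ifindex, 1, pkttype, len(mac), mac)

def packet_type(frame, version):
    """Extract the packet-type field from a cooked v1 or v2 header."""
    if version == 1:
        if len(frame) < 16:
            raise ValueError("truncated cooked v1 header")
        return struct.unpack_from("!H", frame, 0)[0]
    if version == 2:
        if len(frame) < 20:
            raise ValueError("truncated cooked v2 header")
        return frame[10]
    raise ValueError("unknown cooked header version")

def is_inbound(frame, version):
    # Same test as the answer: packet type is not "sent by us"
    return packet_type(frame, version) != OUTGOING

def classify(frames):
    """frames: list of (version, bytes) -> list of (version, type name, inbound?)"""
    out = []
    for version, frame in frames:
        t = packet_type(frame, version)
        out.append((version, PKT_NAMES.get(t, "type %d" % t), t != OUTGOING))
    return out

# Constructed sample: one frame per direction case, in both header versions
SAMPLE = [(1, build_sll_v1(0, MAC)), (1, build_sll_v1(4, MAC)),
          (2, build_sll_v2(1, MAC)), (2, build_sll_v2(4, MAC))]

if __name__ == "__main__":
    for row in classify(SAMPLE):
        print(row)
```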
Asked: 2023-01-02 01:34:50 +0000
Seen: 1,424 times
Last updated: Jan 02 '23
What operating system?
On Linux (YMMV), you could use inbound or outbound as a capture filter: pcap-filter.7 man page
Open issue to implement in npcap on Windows: 248: Support pcap_setdirection() for filtering packets by direction (sent or received)
Note that the "filtering" in "Support pcap_setdirection() for filtering packets by direction (sent or received)" is not filtering with a capture filter expression, it's filtering in a program that explicitly calls pcap_setdirection(), which tcpdump does (that's how -Q is implemented), but Wireshark does not.
inbound "compiles" on Ubuntu with Wireshark 3.5.0rc0. Is that a bug?
No. As @Chuckc said, "On Linux (YMMV), you could use inbound or outbound as a capture filter:"