Ask Your Question
0

Capture inbound packets only

asked 2023-01-02 01:34:50 +0000

leonardus gravatar image

For example, with tcpdump, on some platforms something like tcpdump -i eth0 -Q in will capture inbound traffic on eth0. Is there something similar for tshark

edit retag flag offensive close merge delete

Comments

What operating system?
On linux (YMMV), you could use inbound or outbound as a capture filter:
pcap-filter.7 man page

Open issue to implement in npcap on Windows:
248: Support pcap_setdirection() for filtering packets by direction (sent or received)

Chuckc gravatar imageChuckc ( 2023-01-02 20:55:43 +0000 )edit

Note that the "filtering" in "Support pcap_setdirection() for filtering packets by direction (sent or received)" is not filtering with a capture filter expression, it's filtering in a program that explicitly calls pcap_setdirection(), which tcpdump does (that's how -Q is implemented), but Wireshark does not.

Guy Harris gravatar imageGuy Harris ( 2023-01-03 06:44:50 +0000 )edit

inbound "compiles" on Ubuntu with Wireshark 3.5.0rc0. Is that a bug?

(000) ldh      [-4092]
(001) jeq      #0x4             jt 2    jf 3
(002) ret      #0
(003) ret      #262144
Chuckc gravatar imageChuckc ( 2023-01-03 15:04:51 +0000 )edit

inbound "compiles" on Ubuntu with Wireshark 3.5.0rc0. Is that a bug?

No. As @Chuckc said, "On linux (YMMV), you could use inbound or outbound as a capture filter:"

Guy Harris gravatar imageGuy Harris ( 2023-01-03 17:54:03 +0000 )edit
add a comment

1 Answer

Sort by » oldest newest most voted
0

answered 2023-01-02 16:47:12 +0000

Eddi gravatar image

How about this:

tshark -i 1 -f "ether dst 00:11:22:33:44:55"

-i specifies the interface. You might want to change the number to something that matches your needs. Use tshark -D to list all interfaces

edit flag offensive delete link more

Comments

unless you want multicast and broadcast traffic too...

Jaap gravatar imageJaap ( 2023-01-02 17:35:36 +0000 )edit

I played with something similar. The thing with this is that there are inbound packets that have destination mac other than the mac of the interface.

leonardus gravatar imageleonardus ( 2023-01-02 18:37:56 +0000 )edit

Or use the 'any' pseudo interface in case of Linux, in combination with the BPF filter inbound (or ether[10] != 4 on older versions)
This means 'Linux cooked' header / packet type is not 'Sent by us', thus incoming unicast/broadcast/multicast traffic.

tshark -w file.pcapng -i any inbound

Or similarly not ether src <my-mac>

André gravatar imageAndré ( 2023-01-02 21:23:49 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2023-01-02 01:34:50 +0000

Seen: 1,553 times

Last updated: Jan 02 '23

Related questions

Deduplication in tshark -T ek [closed]

filtering out protocol, sequence number, and ack using tshark

Using tshark filters to extract only interesting traffic from 12GB trace

Any way to use cmd tshark for a gns3 wire?

authority RRs tshark

can I install only tshark?

How do I change the interface on Tshark?

Tshark TCP stream assembly

Tshark output file problem, saving to csv or txt

How to convert Pcapng file to pcap file by Tshark