How to filter tcpdump output based on packet length

I have been trying to filter tcpdump output based on packet lengths, but I had no luck.

This is the simple output for a command:

tcpdump -n -i eth0 dst port 443 -A

17:03:30.866890 IP 192.168.0.149.45104 > 62.75.148.60.443: Flags [S], seq 2685064927, win 14600, options [mss 1460,sackOK,TS val 7028787 ecr 0,nop,wscale 4], length 0
E..<..@.@.......>K.<.0... ........9............ .k@3........
17:03:30.867658 IP 192.168.0.149.45104 > 62.75.148.60.443: Flags [.], ack 2285019097, win 913, options [nop,nop,TS val 7028787 ecr 974439509], length 0
E..4..@.@.......>K.<.0... ...2............. .k@3:..U
17:03:30.867928 IP 192.168.0.149.45104 > 62.75.148.60.443: Flags [P.], seq 0:171, ack 1, win 913, options [nop,nop,TS val 7028787 ecr 974439509], length 171
E.....@[email protected]....>K.<.0... ...2............. .k@3:..U...........Opw2.....l..".T.7.q.]h..8W..%.....H... .......9.8.......5...   .....E.D.3.2...........A...../......... ...1.........alice.sni.velox.ch. .................#..
17:03:30.869712 IP 192.168.0.149.45104 > 62.75.148.60.443: Flags [.], ack 1319, win 1078, options [nop,nop,TS val 7028788 ecr 974439511], length 0
E..4..@.@.......>K.<.0... ...2.....6....... .k@4:..W
17:03:30.870724 IP 192.168.0.149.45104 > 62.75.148.60.443: Flags [P.], seq 171:178, ack 1319, win 1078, options [nop,nop,TS val 7028788 ecr 974439511], length 7
E..;..@.@.......>K.<.0... ...2.....6....... .k@4:..W......0

I want to see packets only if they have a length of more than 100 bytes; in this case, only the 3rd packet.

options [nop,nop,TS val 7028787 ecr 974439509], length 171

I have looked at the man pages for tcpdump, but couldn't find any useful parameter. There is an expression 'greater length' mentioned here: http://www.ethereal.com/docs/man-pages/tcpdump.8.html, but I couldn't use that expression either.

$ tcpdump -n -i eth0 dst port 443 -A -x greater 100
tcpdump: syntax error

Thanks for any help.
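Two points the post runs into, shown as an added example that is not part of the original question: tcpdump's filter grammar needs an operator such as `and` between two primitives (juxtaposing `dst port 443` and `greater 100` is what produces the syntax error above), and `greater N` tests the captured frame length (`len >= N`, headers included), not the TCP payload `length` printed in the summary line. The function names `build_filter`, `filter_by_payload_len` and `sample_over_100` and the sample summary lines are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post.
#  1. BPF primitives must be joined with an operator: "dst port 443 greater 100"
#     is a syntax error, "dst port 443 and greater 100" is accepted.
#  2. "greater N" means len >= N on the whole captured frame (Ethernet/IP/TCP
#     headers included). The "length 171" in tcpdump's TCP summary line is the
#     TCP payload length, so selecting on that value is done on the text output.

# Build a capture filter that combines a destination-port match with a
# frame-length floor.  Usage: build_filter PORT MIN_FRAME_LEN
build_filter() {
    printf 'dst port %s and greater %s\n' "$1" "$2"
}

# Keep only summary lines whose trailing "length N" field is strictly greater
# than MIN.  Reads tcpdump summary lines on stdin, prints the matching lines.
# Usage: filter_by_payload_len MIN < summary.txt
filter_by_payload_len() {
    awk -v min="$1" '
        match($0, /length [0-9]+$/) {
            n = substr($0, RSTART + 7, RLENGTH - 7) + 0   # digits after "length "
            if (n > min) print
        }'
}

# Constructed sample of tcpdump summary output (no -A dumps), modelled on the
# lines in the question; only the second one carries more than 100 bytes.
SAMPLE_LINES='17:03:30.866890 IP 192.168.0.149.45104 > 62.75.148.60.443: Flags [S], seq 2685064927, win 14600, length 0
17:03:30.867928 IP 192.168.0.149.45104 > 62.75.148.60.443: Flags [P.], seq 0:171, ack 1, win 913, length 171
17:03:30.870724 IP 192.168.0.149.45104 > 62.75.148.60.443: Flags [P.], seq 171:178, ack 1319, win 1078, length 7'

# Run the payload-length filter over the sample with the threshold from the post.
sample_over_100() {
    printf '%s\n' "$SAMPLE_LINES" | filter_by_payload_len 100
}

# Live use (needs root and a real interface; not run here):
#   tcpdump -n -i eth0 "$(build_filter 443 100)"
#   tcpdump -n -i eth0 dst port 443 | filter_by_payload_len 100
```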