To filter on TCP and UDP ports, use the port directive. This captures both TCP and UDP traffic using the specified port either as a source or destination port. It can be combined with tcp or udp to specify the protocol, and src or dst to specify a source or destination port.
By default, most newer versions of tcpdump capture up to 65535 bytes per packet; in some situations, however, you may not want to capture the full default packet length.
Use: -w myfile-%Y-%m-%d_%H.%M.%S. With a plain -w myfile, tcpdump will keep overwriting the same file after the specified number of seconds.
I have been trying to filter tcpdump output based on packet lengths, but I had no luck.
This is the simple output for a command:
tcpdump -n -i eth0 dst port 443 -A
17:03:30.866890 IP 192.168.0.149.45104 > 62.75.148.60.443: Flags [S], seq 2685064927, win 14600, options [mss 1460,sackOK,TS val 7028787 ecr 0,nop,wscale 4], length 0
E..<..@.@.......>K.<.0... ........9............ .k@3........
17:03:30.867658 IP 192.168.0.149.45104 > 62.75.148.60.443: Flags [.], ack 2285019097, win 913, options [nop,nop,TS val 7028787 ecr 974439509], length 0
E..4..@.@.......>K.<.0... ...2............. .k@3:..U
17:03:30.867928 IP 192.168.0.149.45104 > 62.75.148.60.443: Flags [P.], seq 0:171, ack 1, win 913, options [nop,nop,TS val 7028787 ecr 974439509], length 171
E.....@[email protected]....>K.<.0... ...2............. .k@3:..U...........Opw2.....l..".T.7.q.]h..8W..%.....H... .......9.8.......5... .....E.D.3.2...........A...../......... ...1.........alice.sni.velox.ch. .................#..
17:03:30.869712 IP 192.168.0.149.45104 > 62.75.148.60.443: Flags [.], ack 1319, win 1078, options [nop,nop,TS val 7028788 ecr 974439511], length 0
E..4..@.@.......>K.<.0... ...2.....6....... .k@4:..W
17:03:30.870724 IP 192.168.0.149.45104 > 62.75.148.60.443: Flags [P.], seq 171:178, ack 1319, win 1078, options [nop,nop,TS val 7028788 ecr 974439511], length 7
E..;..@.@.......>K.<.0... ...2.....6....... .k@4:..W......0
I want to see packets only if they are more than 100 bytes long; in this case, only the 3rd packet:
options [nop,nop,TS val 7028787 ecr 974439509], length 171
I have looked at the man pages for tcpdump, but couldn't find any useful parameter. There is an expression 'greater length' mentioned here: http://www.ethereal.com/docs/man-pages/tcpdump.8.html but I couldn't use that expression either.
$ tcpdump -n -i eth0 dst port 443 -A -x greater 100
tcpdump: syntax error
Thanks for any help.
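As an added example (not part of the question above), here is a small post-filter that parses tcpdump summary lines of the shape shown in the question and keeps only packets whose printed TCP payload length exceeds a threshold; the sample lines are constructed to match that output and are not real captured traffic, and the -A payload text is skipped because it never matches the summary pattern.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the same shape as the tcpdump output quoted above
# (the printable payload that -A appends is omitted). Not real traffic.
SAMPLE_LINES = """\
17:03:30.866890 IP 192.168.0.149.45104 > 62.75.148.60.443: Flags [S], seq 2685064927, win 14600, options [mss 1460,sackOK,TS val 7028787 ecr 0,nop,wscale 4], length 0
17:03:30.867658 IP 192.168.0.149.45104 > 62.75.148.60.443: Flags [.], ack 2285019097, win 913, options [nop,nop,TS val 7028787 ecr 974439509], length 0
17:03:30.867928 IP 192.168.0.149.45104 > 62.75.148.60.443: Flags [P.], seq 0:171, ack 1, win 913, options [nop,nop,TS val 7028787 ecr 974439509], length 171
17:03:30.869712 IP 192.168.0.149.45104 > 62.75.148.60.443: Flags [.], ack 1319, win 1078, options [nop,nop,TS val 7028788 ecr 974439511], length 0
17:03:30.870724 IP 192.168.0.149.45104 > 62.75.148.60.443: Flags [P.], seq 171:178, ack 1319, win 1078, options [nop,nop,TS val 7028788 ecr 974439511], length 7
"""

# One TCP summary line: timestamp, src.port > dst.port, flags, ..., length N
SUMMARY_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\].*?, length (?P<length>\d+)$"
)


def parse_summary(line: str) -> Optional[Dict[str, object]]:
    """Parse one tcpdump TCP summary line into fields.

    Returns None for lines that are not summaries, such as the
    printable-payload text that -A prints after each packet."""
    m = SUMMARY_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"], "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "flags": d["flags"], "length": int(d["length"]),
    }


def filter_by_payload(text: str, min_len: int) -> List[Dict[str, object]]:
    """Return parsed packets whose TCP payload ('length N') exceeds min_len."""
    out = []
    for line in text.splitlines():
        pkt = parse_summary(line)
        if pkt and pkt["length"] > min_len:
            out.append(pkt)
    return out


if __name__ == "__main__":
    for p in filter_by_payload(SAMPLE_LINES, 100):
        print(p["ts"], p["src"], p["flags"], p["length"])
```

Note that the "length N" printed in the summary is the TCP payload size, whereas the BPF primitive greater N compares against the whole captured frame length (headers included), so the two ways of filtering do not select the same packets.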