Reputation: 22893
I'm dumping outgoing traffic. I only want TCP and UDP packets destined outside my LAN, nothing else. I just used the following filter with tcpdump:
ip and (tcp or udp) and (not icmp) and src host myIPAddr and not dst net myNet/myNetBits and not ip broadcast
But I captured the following packet:
###[ Ethernet ]###
dst = ff:ff:ff:ff:ff:ff
src = 00:1e:4a:e0:9e:00
type = 0x806
###[ ARP ]###
hwtype = 0x1
ptype = 0x800
hwlen = 6
plen = 4
op = who-has
hwsrc = 00:1e:4a:e0:9e:00
psrc = X.X.X.X
hwdst = 00:00:00:00:00:00
pdst = Y.Y.Y.Y
###[ Padding ]###
load = '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
What happened here? I thought I was dumping only IP packets.
Upvotes: 7
Views: 50373
Reputation: 10996
Set filtering on your host as a source:
tcpdump src <YOUR_IP>
Upvotes: 8
Reputation: 2541
From looking at your dump, you received an ARP packet with IP protocol type (i.e. ptype = 0x800). You should also filter out ARP packets: and (not arp)
and that should clean up your dump. I think if you look at the tcpdump code you will find the reason why it also keeps these specific ARP packets (but since IP uses these packets for network resolution I guess these ARP packets are considered part of IP by tcpdump).
Kind regards,
Bo
Upvotes: 1
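In BPF syntax the `ip` primitive matches only EtherType 0x0800, so a frame like the one in the dump (type 0x806) fails the filter's first term. The following is an added example, not code from the question or either answer: it re-implements the question's predicate in plain Python over constructed frames (the ARP request mirrors the dump's MAC and padding; the IP addresses and the second MAC are made-up documentation values), so you can check offline which frames such a filter admits.

```python
import ipaddress
import struct

ETH_IP, ETH_ARP = 0x0800, 0x0806      # EtherTypes: the BPF 'ip' and 'arp' primitives
PROTO_TCP, PROTO_UDP = 6, 17           # IPv4 protocol numbers

def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet header and, for IPv4, the fields the filter needs."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"ethertype": ethertype, "eth_src": src.hex(":"), "eth_dst": dst.hex(":")}
    if ethertype == ETH_IP:
        info["proto"] = frame[14 + 9]                     # protocol byte at IPv4 offset 9
        info["src_ip"] = ipaddress.IPv4Address(frame[26:30])
        info["dst_ip"] = ipaddress.IPv4Address(frame[30:34])
    return info

def outbound_tcp_udp(frame: bytes, my_ip: str, my_net: str) -> bool:
    """Same predicate as the question's filter: ip and (tcp or udp) and src host my_ip
    and not dst net my_net and not ip broadcast. The 'ip' term alone rejects ARP."""
    p = parse_frame(frame)
    if p["ethertype"] != ETH_IP:
        return False
    net = ipaddress.ip_network(my_net, strict=False)
    return (p["proto"] in (PROTO_TCP, PROTO_UDP)
            and p["src_ip"] == ipaddress.IPv4Address(my_ip)
            and p["dst_ip"] not in net
            and p["dst_ip"] != net.broadcast_address)

def ipv4_frame(src_mac, dst_mac, src_ip, dst_ip, proto, payload=b"") -> bytes:
    """Constructed Ethernet + minimal IPv4 header (checksum left zero; fine for parsing)."""
    eth = struct.pack("!6s6sH", mac_bytes(dst_mac), mac_bytes(src_mac), ETH_IP)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip + payload

def arp_request(src_mac, src_ip, target_ip) -> bytes:
    """Constructed 'who-has' ARP request, padded to the 60-byte minimum like the dump."""
    eth = struct.pack("!6s6sH", b"\xff" * 6, mac_bytes(src_mac), ETH_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, ETH_IP, 6, 4, 1, mac_bytes(src_mac),
                      ipaddress.IPv4Address(src_ip).packed, b"\x00" * 6,
                      ipaddress.IPv4Address(target_ip).packed)
    return eth + arp + b"\x00" * 18

if __name__ == "__main__":
    me, lan = "192.0.2.10", "192.0.2.0/24"      # constructed documentation addresses
    print(outbound_tcp_udp(arp_request("00:1e:4a:e0:9e:00", me, "192.0.2.1"), me, lan))  # False
    print(outbound_tcp_udp(ipv4_frame("00:1e:4a:e0:9e:00", "00:00:5e:00:53:01", me, "198.51.100.5", PROTO_UDP), me, lan))  # True
```

If an ARP frame still shows up in a capture run with this filter, that is a sign the filter string was never applied to the socket (for example, a compile error swallowed by the capturing tool), which is worth checking before adding more terms.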