Reputation: 1211
tcpdump filter out arp and all stp packets
I need to capture on an interface with tcpdump and filter out all arp and stp/rstp packets. I tried this command, which does filter out arp, but I still see rstp packets:
tcpdump -n -i ens224 not arp and not stp
Also tried this, still see rstp packets
tcpdump -n -i ens224 not stp
What am I doing wrong?
I read this post already but its not helpful in the context of tcpdump, looking for specific syntax: how to filter rtsp packets from a pcap file
Upvotes: 10
Views: 43528
Answers (2)
Reputation: 51
You can filter the well known multicast mac address for each protocol. Look at this table:
https://embeddist.wordpress.com/2015/10/07/well-known-ethernet-multicast-address/ and https://en.wikipedia.org/wiki/Multicast_address#Ethernet
And you can something like this:
(RSTP)
tcpdump -n -i <interface> ether host 01:00:0c:cc:cc:cd
(CDP)
tcpdump -n -i <interface> ether host 01:00:0c:cc:cc:cc
(LLDP)
tcpdump -n -i <interface> ether host 01:80:c2:00:00:0e
Upvotes: 0
Reputation: 788
You are not doing wrong. It's about how libpcap and vendors are reading/writing headers. To remove STP 802.1d lines I use this command:
tcpdump -i eth0 not arp and not llc
Best regards
Upvotes: 13
Related Questions
- How can I dump only outgoing IP packets in tcpdump?
- tcpdump: How do I suppress packet information?
- tcpdump filter src dst port
- How to filter tcpdump result by keeping socket recv() data only?
- TCP dump filter for an ARP H\W address
- how to implement tcpdump -i interface arp with libpcap
- How to filter MAC addresses using tcpdump?
- Filter ACK packets
- How to set libpcap filters to get arp packets
- tcpdump always filters my packets