Capture incoming traffic in tcpdump


Solution 1

In Bash shell try this:

tcpdump -i eth0 tcp and dst host $MyIpAddress and not src net $MyNetworkAddress/$myNetworkBytes

or this equivalent formulation:

tcpdump -i eth0 ip proto \\tcp and dst host $MyIpAddress and not src net $MyNetworkAddress/$myNetworkBytes

On my system this resolves to something like:

tcpdump -i eth0 tcp and dst host 10.0.0.35 and not src net 10.0.0.0/24

If you want to see all of the traffic to your destination host, not just TCP protocol traffic you could do:

tcpdump -i eth0 dst host $MyIpAddress and not src net $MyNetworkAddress/$myNetworkBytes

Some notes:

  1. I changed $myIpAddress/$myNetworkBytes to $MyNetworkAddress/$myNetworkBytes. This is because the apparent intent of your rule is to exclude traffic from your local network, and the correct way to specify a network address is to specify the network's lowest IP address (which is called the network address) / netmask. If you specify any address other than the lowest address in the range for a network with a netmask of $myNetworkBytes, then you will get the error message:

    tcpdump: non-network bits set in "10.0.0.3/24"
    
  2. In the first example 'tcp' is a keyword in the libpcap expression language (man pcap-filter), whereas in the second example, 'tcp' is used as a value of ip proto. In order to indicate that the 'tcp' in the second instance is a value and not another 'tcp' keyword, I need to escape the 'tcp' with a double backslash. It has to be a double backslash so that the Bash interpreter will pass a single backslash on to the libpcap interpreter (Bash eats the first backslash, libpcap gets the second). To reduce the double escape confusion, it might be good to get into the habit of double quoting the entire expression part of the command:

    tcpdump -i eth0 "ip proto \tcp and dst host $MyIpAddress and not src net $MyNetworkAddress/$myNetworkBytes"
    
  3. To avoid warnings and surprises, it is better to use the interface specifier -i eth0 or whatever interface you wish. Not all interfaces necessarily have an IP address assigned and without being specific, you might see traffic that you hadn't intended to see. This is especially true on systems that have the network-manager running, which seems to have its own mind about what interfaces to add and when.
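As an added example (not code from either answer), a small POSIX shell helper that derives the network address from the host address and prefix length, so the "not src net" clause of the filter above never trips tcpdump's "non-network bits set" check; the function names network_address, is_network_address and inbound_filter are chosen here, not taken from tcpdump.

```shell
#!/bin/sh
# network_address HOST PREFIX  ->  lowest address of HOST's /PREFIX network
# e.g. network_address 10.0.0.35 24 prints 10.0.0.0
network_address() {
    ip=$1
    prefix=$2
    # Split the dotted quad into octets (IFS trick, plain POSIX sh).
    oldifs=$IFS
    IFS=.
    set -- $ip
    IFS=$oldifs
    # Pack the four octets into one 32-bit integer.
    n=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    # Netmask: PREFIX one-bits followed by zero-bits (4294967295 = 0xFFFFFFFF).
    if [ "$prefix" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    fi
    net=$(( n & mask ))
    printf '%d.%d.%d.%d\n' \
        $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 ))  $(( net & 255 ))
}

# is_network_address ADDR PREFIX: succeeds only if no host bits are set,
# i.e. ADDR/PREFIX is something tcpdump will accept after "src net".
is_network_address() {
    [ "$(network_address "$1" "$2")" = "$1" ]
}

# inbound_filter MYIP PREFIX: the Solution 1 filter with the network
# address derived from the host address instead of typed by hand.
inbound_filter() {
    my_ip=$1
    prefix=$2
    net=$(network_address "$my_ip" "$prefix")
    printf 'dst host %s and not src net %s/%s\n' "$my_ip" "$net" "$prefix"
}

# Typical use (constructed values):
#   tcpdump -i eth0 "$(inbound_filter 10.0.0.35 24)"
# runs: tcpdump -i eth0 "dst host 10.0.0.35 and not src net 10.0.0.0/24"
```

Passing 10.0.0.3 24 to is_network_address fails, which is exactly the case tcpdump rejects with 'non-network bits set in "10.0.0.3/24"'.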

Solution 2

None of the above works very well for a box with multiple IPs.

This worked very well for me on a DNS server with many IPs bound to it:

tcpdump -l -n -i pub dst port 53 and inbound

Might not work on all versions of tcpdump though.

# tcpdump -V
tcpdump version 4.1-PRE-CVS_2012_03_26
libpcap version 1.4.0

Solution 3

-Q direction
--direction=direction
    Choose send/receive direction direction for which packets should be captured. Possible values are `in', `out' and `inout'. Not available on all platforms.

Author: Ricky Robinson

Updated on February 18, 2020

Comments

  • Ricky Robinson
    Ricky Robinson over 4 years

    In tcpdump, how can I capture all incoming IP traffic destined to my machine? I don't care about my local traffic.

    Should I just say:

    tcpdump ip dst $MyIpAddress and not src net $myIpAddress/$myNetworkBytes
    

    ... or am I missing something?

  • Ricky Robinson
    Ricky Robinson about 12 years
    Hey, thank you for your answer. I'm also interested in UDP traffic, that's why I didn't put 'tcp' in the filter above. I'm sure it's something trivial, but could you clarify why I need to put my network address instead of my IP address? Shouldn't that have the same effect, once I specify the number of network bytes?
  • Eli Rosencruft
    Eli Rosencruft about 12 years
    Edited answer to address comment
  • Ricky Robinson
    Ricky Robinson over 7 years
    Nice! I didn't know about this option.
  • bbonev
    bbonev almost 7 years
    appreciate the inbound keyword