Filtering TCPDUMP over packet length
Total Ethernet packet size
According to pcap-filter(7), you can use the following conditions:
- less length, equivalent to len <= length
- greater length, equivalent to len >= length
Based on the examples, you should also be able to use len == length, but that isn't documented.
Note that this includes the link-layer and network-layer headers (i.e. everything that was captured), so an empty TCP ACK will have an IP "total length" field of 60 but will be seen as 74 bytes total.
See also this StackOverflow thread: https://stackoverflow.com/questions/9874093/how-to-filter-tcpdump-output-based-on-packet-length
Total IP packet size
According to tcpdump(1), you can access the IPv4 header's "Total Length" field:
- ip[2:2] > 576
- ip[2:2] <= 1000
- and similar.
Total UDP packet or payload size
UDP doesn't have a length field, but its header size is always 8, and you can usually assume that the IPv4 header size will always be 20 (IPv4 options are very rare, although they do get used in IGMP).
So if you're trying to filter for 1316-byte UDP datagrams,
IP.TotalLength = IP.Header[20] + UDP.Header[8] + UDP.Payload[1316]
you get the filter ip[2:2] == 1344.
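To make the size arithmetic above concrete, here is an added Python example (not from the original answer, and not tcpdump code) that constructs an Ethernet/IPv4/UDP frame with a 1316-byte payload and evaluates the filter forms discussed on this page against it. The header sizes, MAC addresses, checksums and IP addresses are assumed or constructed values, and the mini-evaluator only understands the "less", "greater", "len" and "ip[2:2]" forms, not full pcap-filter syntax.

```python
import operator
import struct

# Fixed header sizes the answer relies on (IPv4 header without options).
ETH_HDR, IPV4_HDR, UDP_HDR = 14, 20, 8
_OPS = {"==": operator.eq, "!=": operator.ne, ">": operator.gt,
        ">=": operator.ge, "<": operator.lt, "<=": operator.le}

def udp_payload_filter(payload_len: int) -> str:
    """Filter selecting IPv4/UDP datagrams carrying exactly payload_len bytes of payload."""
    return f"ip[2:2] == {IPV4_HDR + UDP_HDR + payload_len}"

def build_udp_frame(payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/UDP frame (zeroed MACs and checksums, addresses made up)."""
    eth = bytes(12) + b"\x08\x00"                       # dst MAC, src MAC, EtherType IPv4
    ip_total = IPV4_HDR + UDP_HDR + len(payload)        # the IPv4 "Total Length" field
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total, 0, 0, 64, 17, 0,
                     bytes([10, 153, 243, 25]), bytes([225, 0, 0, 0]))
    udp = struct.pack("!HHHH", 49152, 4000, UDP_HDR + len(payload), 0)
    return eth + ip + udp + payload

def matches(frame: bytes, expr: str) -> bool:
    """Evaluate one of the filter forms from this page against a captured frame."""
    tok = expr.split()
    if tok[0] in ("less", "greater"):                   # whole captured frame, link layer included
        n = int(tok[1])
        return len(frame) <= n if tok[0] == "less" else len(frame) >= n
    if tok[0] == "len":                                 # len <op> N compares the same quantity
        return _OPS[tok[1]](len(frame), int(tok[2]))
    if tok[0] == "ip[2:2]":                             # bytes 2-3 of the IPv4 header, big-endian
        total = struct.unpack("!H", frame[ETH_HDR + 2:ETH_HDR + 4])[0]
        return _OPS[tok[1]](total, int(tok[2]))
    raise ValueError(f"unsupported expression: {expr}")

if __name__ == "__main__":
    ts = build_udp_frame(bytes(1316))                   # 7 x 188-byte MPEG-TS cells
    print(len(ts), matches(ts, "greater 1345"), matches(ts, udp_payload_filter(1316)))
```

The frame is 1358 bytes on the wire, which is why "greater 1345" in the comments below still matched it, while "ip[2:2] == 1344" pins the UDP payload size exactly.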
Georgi Stoyanov, updated on September 18, 2022
Comments
- Georgi Stoyanov, over 1 year ago: I am looking to narrow down my tcpdump by packet length. I know I can | grep, but I was wondering if I can pass this particular packet length as an option in tcpdump. I am trying to write a script to show me all present MPEG-TS multicast on the network using the following command:
sudo tcpdump -c 1000 -ti <network_interface> multicast | grep 1316 | sort | uniq
So this command works and gives me exactly the output I want, but I was thinking I could simplify it by passing the length in the tcpdump command, something like:
sudo tcpdump -c 1000 -ti <network_interface> multicast and length 1316 | sort | uniq
- Georgi Stoyanov, about 5 years ago: Apparently this option doesn't really work. The output of this command
$ sudo tcpdump -c 100 -t multicast and greater 1345
is
IP 10.153.243.25.49152 > 225.0.0.0.4000: UDP, length 1316
- user1686, about 5 years ago: It works fine. Are you trying to filter by UDP length, IP length, Ethernet length? Are you including the header size or only the payload size? The packet you're showing is approximately 1358 bytes total (Eth[14] + IPv4[20] + UDP[8] + payload[1316]).
- Georgi Stoyanov, about 5 years ago: I am trying to limit by UDP payload size.