Filtering TCPDUMP over packet length


Total Ethernet packet size

According to pcap-filter(7), you can use the following conditions:

  • less length, equivalent to len <= length

  • greater length, equivalent to len >= length

  • Based on the examples, you should also be able to use len == length, but that isn't documented.

Note that this includes the link-layer and network-layer headers (i.e. everything that was captured), so an empty TCP ACK will have an IP "total length" field of 60 but will be seen as 74 bytes total.

See also this StackOverflow thread: https://stackoverflow.com/questions/9874093/how-to-filter-tcpdump-output-based-on-packet-length

Total IP packet size

According to tcpdump(1), you can access the IPv4 header's "Total Length" field:

  • ip[2:2] > 576
  • ip[2:2] <= 1000
  • and similar.

Total UDP packet or payload size

UDP doesn't have a length field, but its header size is always 8, and you can usually assume that the IPv4 header size will always be 20 (IPv4 options are very rare, although they do get used in IGMP).

So if you're trying to filter for 1316-byte UDP datagrams,

  • IP.TotalLength = IP.Header[20] + UDP.Header[8] + UDP.Payload[1316]

you get the filter ip[2:2] == 1344.
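To make the three sizes in the answer concrete (Ethernet frame length as seen by `len`/`greater`/`less`, the IPv4 "Total Length" field read by `ip[2:2]`, and the UDP payload), here is an added Python example that is not part of the original answer or the comments. It constructs a sample Ethernet II / IPv4 / UDP frame in memory (addresses, ports and the 1316-byte zero payload are constructed values), reads the same byte offsets BPF would, and builds the filter strings from the answer's arithmetic. It also constructs the rare IPv4-options case the answer mentions, to show that the fixed `ip[2:2] == 1344` filter silently misses such a datagram even though its payload is still 1316 bytes. Whether a real interface carries VLAN tags (which would add 4 bytes to `len`) is an assumption not checked here.

```python
"""Constructed Ethernet II / IPv4 / UDP frames, used to show which bytes the
tcpdump primitives `len`, `greater`/`less` and `ip[2:2]` actually compare.
Added example; not code from the original page."""
import struct

ETH_HDR = 14   # Ethernet II header (assumes no 802.1Q VLAN tag)
UDP_HDR = 8    # UDP header is a fixed 8 bytes


def build_udp_frame(payload_len, ip_options=b""):
    """Build a minimal frame carrying `payload_len` bytes of UDP payload.
    `ip_options` (a multiple of 4 bytes) lets us construct the rare
    IPv4-options case. MAC/IP addresses and ports are constructed samples."""
    assert len(ip_options) % 4 == 0, "IPv4 options are padded to 32-bit words"
    ihl = 5 + len(ip_options) // 4                   # header length in 32-bit words
    ip_total = ihl * 4 + UDP_HDR + payload_len       # IPv4 "Total Length" field
    eth = (b"\x01\x00\x5e\x00\x00\x00"               # multicast destination MAC
           + b"\x02\x00\x00\x00\x00\x01"             # locally administered source MAC
           + b"\x08\x00")                            # EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s",
                     (4 << 4) | ihl,                 # version 4, IHL
                     0, ip_total, 0, 0,              # TOS, total length, id, flags/frag
                     64, 17, 0,                      # TTL, protocol UDP, checksum (unset)
                     bytes([10, 0, 0, 1]), bytes([225, 0, 0, 0])) + ip_options
    udp = struct.pack("!HHHH", 49152, 4000, UDP_HDR + payload_len, 0)
    return eth + ip + udp + bytes(payload_len)


def frame_lengths(frame):
    """Report the sizes each tcpdump primitive sees. `ip[N]` offsets are
    relative to the start of the IP header, so we skip the Ethernet header."""
    ihl_bytes = (frame[ETH_HDR] & 0x0F) * 4
    ip_total = struct.unpack_from("!H", frame, ETH_HDR + 2)[0]   # ip[2:2]
    return {
        "len": len(frame),                 # compared by `greater`, `less`, `len`
        "ip[2:2]": ip_total,               # IPv4 Total Length
        "ip_header": ihl_bytes,            # 20 unless options are present
        "udp_payload": ip_total - ihl_bytes - UDP_HDR,
    }


def payload_filter(payload_len, ip_header_len=20):
    """tcpdump expressions selecting UDP datagrams with exactly `payload_len`
    bytes of payload, following the answer's arithmetic:
    IP total = IP header + 8 + payload; the Ethernet frame adds 14 more.
    `greater N and less N` pins len to exactly N using documented keywords."""
    ip_total = ip_header_len + UDP_HDR + payload_len
    eth_total = ip_total + ETH_HDR
    return {
        "ip_total": f"udp and ip[2:2] == {ip_total}",
        "ethernet": f"udp and greater {eth_total} and less {eth_total}",
    }


def ip_total_filter_matches(frame, payload_len):
    """Evaluate `ip[2:2] == 20 + 8 + payload_len` the way BPF would,
    i.e. with the IPv4 header length assumed to be 20 bytes."""
    return frame_lengths(frame)["ip[2:2]"] == 20 + UDP_HDR + payload_len


if __name__ == "__main__":
    plain = build_udp_frame(1316)
    with_opts = build_udp_frame(1316, ip_options=b"\x94\x04\x00\x00")  # router alert
    print("no options:  ", frame_lengths(plain))
    print("with options:", frame_lengths(with_opts))
    print("filters:     ", payload_filter(1316))
    print("fixed filter matches option-bearing datagram?",
          ip_total_filter_matches(with_opts, 1316))
```

The usual case reproduces the answer's numbers: 1316 bytes of payload give `ip[2:2]` of 1344 and a 1358-byte frame, and the comment's observation (a `greater 1345` filter still showing a "length 1316" datagram) is explained by the UDP length that tcpdump prints being the payload size, not the frame size. The option-bearing frame shows the caveat: its payload is still 1316, but the fixed `ip[2:2] == 1344` test fails, so an IHL-aware check is needed if you must catch those.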


Author: Georgi Stoyanov

Updated on September 18, 2022

Comments

  • Georgi Stoyanov over 1 year

    I am looking to narrow down my tcpdump by packet length. I know I can `| grep`, but I was wondering if I can pass this particular packet length as an option in `tcpdump`. I am trying to write a script to show me all present MPEG-TS multicast on the network using the following command:

    sudo tcpdump -c 1000 -ti <network_interface> multicast | grep 1316 | sort | uniq
    

    So this command works and gives me exactly the output I want but I was thinking I could simplify it by passing the length in the tcpdump command, something like:

    sudo tcpdump -c 1000 -ti <network_interface> multicast and length 1316 | sort | uniq
    
  • Georgi Stoyanov about 5 years
    Apparently this option doesn't really work. The output of this command `$ sudo tcpdump -c 100 -t multicast and greater 1345` is `IP 10.153.243.25.49152 > 225.0.0.0.4000: UDP, length 1316`
  • user1686 about 5 years
    It works fine. Are you trying to filter by UDP length, IP length, Ethernet length? Are you including the header size or only the payload size? The packet you're showing is approximately 1358 bytes total (Eth[14] + IPv4[20] + UDP[8] + payload[1316]).
  • Georgi Stoyanov about 5 years
    I am trying to limit by UDP payload size.