TCPDUMP

The TCPDUMP filter is similar to the tcpdump utility provided by the operating system.

Filter pattern

The limit for a TCPDUMP filter is 4096 characters. Make sure that your filter pattern does not exceed that number of characters.

To filter a capture, use:

packet_count [destination] [filter_expression] [interfaces] max_file_size

where:

packet_count

The maximum number of packets to save. Specifying 0 as the packet count causes packets to be saved (sent to the specified address) until a stop is requested using tcpdump stop, or until the maximum file size is reached.

destination

A string giving the absolute path to the destination file or colon-separated IP address and port number, where the dump data is to be sent over UDP.

filter_expression

Optional filtering expression enclosed in double quotes. See standard tcpdump man page for help on filter expressions.

Note that due to a known issue with tcpdump expression syntax, you need to construct your logical expressions so that the order of the arguments does not affect which packets are saved.

interfaces

Optional list of interfaces to be supplied after the filtering expression. The list must be enclosed in double quotes (for example, "eth0 eth1").

max_file_size

Optional maximum output file size, to be specified after the list of interfaces. The value should be specified in bytes.

For example:

host 10.10.10.10

host 10.10.10.10 and port 80

host 10.10.10.10 or host 20.20.20.20

(host 10.10.10.10 or host 20.20.20.20) and port 80

host 10.10.10.10 and host 20.20.20.20

host 10.10.10.10 and host 20.20.20.20 and port 80

For more information on tcpdump filtering, visit www.tcpdump.org

The filters displayed on the Capture packets screen (part of Smart Packet Capture) are generated automatically. To change them, use the tcpdump expression syntax.

Error messages

The following error messages indicate a syntax error in your filter. For syntax help, see BPF Syntax below.

Unknown error
Usually indicates a syntax error that does not fit any of the other descriptions listed here.

Filter is too complex for Endace
On the EndaceProbe, a TCP filter can have no more than 50 logical ANDs or ORs. Typical solution: edit the filter expression to include no more than 50 logical ANDs and ORs.

Filter is too complex for NAM Probe
On the NAM Probe, a TCP filter can have no more than 5 logical ANDs or ORs. Typical solution: edit the filter expression to include no more than 5 logical ANDs and ORs.

There is no filter with specified ID
Usually indicates an issue on the NAM Probe or NAM Server.

Syntax error in filter expression or expression rejects all packets

Error occurred during capture file opening
Usually indicates an issue with the NAM Probe.

Internal server error
Usually indicates an issue with the NAM Probe.

Value cannot be empty
You must provide a valid filter expression.

Unknown error occurred
Usually indicates a NAM Probe error other than those described above.
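A pre-flight check for the limits this page states (the 4096-character cap, the 50 and 5 logical AND/OR limits, the empty-value error, and balanced parentheses), as an added example that is not part of the original page or product. The platform keys "endace" and "nam_probe", and counting the `&&`/`||` synonyms that tcpdump accepts alongside `and`/`or`, are assumptions of this example; the product may count operators differently.

```python
import re

MAX_FILTER_LEN = 4096  # character limit stated on this page
# Per-platform limits on logical ANDs/ORs, from the error messages above.
# The key names are chosen for this example, not product identifiers.
MAX_LOGICAL_OPS = {"endace": 50, "nam_probe": 5}

# Logical operators in BPF syntax: the words 'and'/'or' and their
# C-style synonyms '&&'/'||'. Word boundaries keep 'port' and
# 'portrange' from being counted as an 'or'.
_LOGICAL_OP = re.compile(r"\b(?:and|or)\b|&&|\|\|")


def count_logical_ops(expr: str) -> int:
    """Count logical ANDs and ORs in a BPF filter expression."""
    return len(_LOGICAL_OP.findall(expr))


def parens_balanced(expr: str) -> bool:
    """True if every '(' has a matching ')' and none closes early."""
    depth = 0
    for ch in expr:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def check_filter(expr: str, platform: str = "nam_probe") -> list[str]:
    """Return the problems found; an empty list means the filter passes."""
    problems = []
    if not expr.strip():
        return ["Value cannot be empty"]
    if len(expr) > MAX_FILTER_LEN:
        problems.append(f"filter is {len(expr)} characters; limit is {MAX_FILTER_LEN}")
    ops, limit = count_logical_ops(expr), MAX_LOGICAL_OPS[platform]
    if ops > limit:
        problems.append(f"{ops} logical ANDs/ORs; {platform} allows at most {limit}")
    if not parens_balanced(expr):
        problems.append("unbalanced parentheses")
    return problems


if __name__ == "__main__":
    # Constructed sample filters: one from this page, one that exceeds the NAM Probe limit.
    for f in ["(host 10.10.10.10 or host 20.20.20.20) and port 80",
              " and ".join(f"port {p}" for p in range(1000, 1007))]:
        print(repr(f), check_filter(f) or "OK")
```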

BPF syntax

The filter syntax is standard BPF format as specified in libpcap and used in packet analyzers such as Wireshark and tcpdump. Use the examples below to help you get started, but see the BPF documentation for a complete description of the available commands and syntax.

host

Match only packets coming from or going to host hostnameA:

 host hostnameA

src

Match only packets coming from (src = source) host hostnameA:

 src host hostnameA

dst

Match only packets going to (dst = destination) host hostnameB:

 dst host hostnameB

and

Match only packets that match both of the previous two filters: coming from host hostnameA and going to host hostnameB:

 src host hostnameA and dst host hostnameB

not

Match only packets that do not satisfy both of the previous two filters at once, that is, everything except packets coming from host hostnameA and going to host hostnameB:

 not (src host hostnameA and dst host hostnameB)

or

Match only packets coming from host hostnameA or coming from host hostnameB:

 src host hostnameA or src host hostnameB

parentheses

Use parentheses to force (or clarify) the order in which the filter compiler resolves your filter expressions.

 ((host hostA) or (host hostB)) and (not (host hostC) and not (host hostD))

tcp-ack

Match only ACK packets:

 (tcp[tcpflags] & tcp-ack) != 0

Match only non-ACK packets:

 (tcp[tcpflags] & tcp-ack) = 0

broadcast and multicast

Match only broadcast/multicast packets (dependent on the subnet mask, which here is 255.255.252.0):

 ip[18] <= 3

packet length

Match only IP packets with length greater than or equal to 606 bytes:

 ip[2:2] >= 606

portrange

Match only TCP packets coming from <hostname> whose source or destination port number is in the 2000 to 3000 range:

 src host <hostname> and portrange 2000-3000 and tcp