tcpdump filter expressions
tcpdump host barney
Will capture and display traffic sent from or delivered to the system called barney. This command examines both the source and destination address fields of the IP header.
tcpdump host not barney
Will capture and display all traffic except packets whose source or destination is the system called barney. This is the same filter as the more commonly written form "tcpdump not host barney": the not applies to the host test, so barney's own packets are excluded and everything else on the interface is shown.
tcpdump arp
Will capture and display all Address Resolution Protocol (ARP) packets. This includes both requests and replies. ARP is selected by its link-layer type, so no IP address qualifiers apply to this filter.
tcpdump host durer and tcp
Will capture and display all Transmission Control Protocol (TCP) packets sent from or to the host durer. The and combines the two tests, so a packet must satisfy both: it must involve durer, and it must carry TCP.
tcpdump host vectra and port 23
Will capture and display all packets using port 23 (as either source or destination port) from or to host vectra. This amounts to inspecting all telnet traffic between vectra and other systems on the network, whether vectra is the telnet server or the client. Recall that port 23 is the port number conventionally used by telnet. Note that port alone matches both TCP and UDP; write "tcp port 23" if you want only TCP.
tcpdump ether multicast
Will capture and display Ethernet multicast frames, i.e., frames whose destination MAC address has the group bit (the lowest bit of the first octet) set. Because the broadcast address ff:ff:ff:ff:ff:ff also has that bit set, this filter matches broadcast frames too. It works at the link layer, so it is not limited to IP. See the next command for an IP-layer way of selecting multicast traffic.
tcpdump 'ip[16]>=224'
Will capture and display all IP packets sent to a multicast address (plus a few others, see the caveat below). The expression ip[16] reads the byte at offset 16 of the IP header, i.e., the seventeenth byte, which is the first octet of the destination address (bytes 16 to 19). It is compared with 224 because IPv4 multicast addresses occupy 224.0.0.0/4, that is, 224.0.0.0 through 239.255.255.255; 224.0.0.1 is the well-known all-hosts group within that range.
Caveat: ">=224" also matches first octets 240 through 255, which covers the reserved class E range and the limited broadcast address 255.255.255.255. A tighter filter is 'ip[16]>=224 and ip[16]<240', or simply 'ip multicast', or 'ip dst net 224.0.0.0/4'. The single quotes are needed so the shell does not interpret the brackets and the comparison operator.
tcpdump 'ip[2:2]>512'
Will capture and display all IP packets that are larger than 512 bytes (strictly greater; use ">=512" to include 512-byte packets). The sequence ip[2:2] identifies the third and fourth bytes of the IP header, which together hold the 16-bit total length field, and compares that value with 512. In ip[offset:size], the offset 2 is the position within the IP header ("skip the first 2 bytes", so the third byte) and the size 2 is the number of bytes to read; size may be 1, 2 or 4, and the bytes are interpreted as a big-endian unsigned integer. The total length counts the IP header and its payload but not the link-layer header, so it is smaller than the frame length tcpdump reports for the same packet. As with the previous command, quote the expression to protect it from the shell.
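To make the byte-offset filters concrete, here is an added example (not part of the original cheat sheet) that emulates how tcpdump evaluates ip[16]>=224, the tightened multicast-only variant, and ip[2:2]>512 against constructed IPv4 headers. The packets, the function names (build_ipv4_header, ip_field, run_demo) and the FILTERS table are my own; the byte offsets and comparison semantics are the ones tcpdump uses. It shows, in particular, that the naive ">=224" test selects the limited broadcast address 255.255.255.255 and class E addresses that are not multicast.

```python
import struct
from typing import Callable, Dict, List


def build_ipv4_header(dst: str, total_length: int,
                      src: str = "10.0.0.1", proto: int = 17) -> bytes:
    """Build a minimal 20-byte IPv4 header with no options.

    Constructed test data only: identification, flags/fragment offset and the
    header checksum are left at zero. tcpdump's ip[...] accessors never look
    at the checksum, so this does not change what the filters match.
    """
    ver_ihl = (4 << 4) | 5                      # version 4, IHL 5 words = 20 bytes
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s",
                       ver_ihl, 0, total_length, 0, 0, 64, proto, 0, src_b, dst_b)


def ip_field(pkt: bytes, offset: int, size: int = 1) -> int:
    """Emulate tcpdump's ip[offset:size]: an unsigned big-endian integer read
    at the given byte offset from the start of the IP header (tcpdump counts
    from the IP header, after whatever link-layer header the interface has)."""
    if size not in (1, 2, 4):
        raise ValueError("tcpdump only supports sizes 1, 2 and 4")
    return int.from_bytes(pkt[offset:offset + size], "big")


# The page's two byte-offset filters, plus the multicast-only variant,
# written as Python predicates over a raw IPv4 header.
FILTERS: Dict[str, Callable[[bytes], bool]] = {
    "ip[16]>=224":                lambda p: ip_field(p, 16) >= 224,
    "ip[16]>=224 and ip[16]<240": lambda p: 224 <= ip_field(p, 16) < 240,
    "ip[2:2]>512":                lambda p: ip_field(p, 2, 2) > 512,
}


def dst_addr(pkt: bytes) -> str:
    """Dotted-quad destination address, i.e. bytes 16..19 of the IP header."""
    return ".".join(str(b) for b in pkt[16:20])


def matching_filters(pkt: bytes) -> List[str]:
    """Names of the filters that would select this packet."""
    return [name for name, pred in FILTERS.items() if pred(pkt)]


def run_demo() -> Dict[str, List[str]]:
    """Evaluate every filter against constructed packets, keyed by
    'dst/total_length' so the outcome is easy to inspect or assert on."""
    samples = [
        ("224.0.0.1", 60),           # all-hosts multicast group, small packet
        ("239.255.255.250", 512),    # top of the multicast range, exactly 512 bytes
        ("240.0.0.1", 513),          # reserved class E: not multicast, but >= 224
        ("255.255.255.255", 1500),   # limited broadcast: not multicast, but >= 224
        ("192.168.1.10", 513),       # ordinary unicast, one byte over 512
    ]
    results: Dict[str, List[str]] = {}
    for dst, length in samples:
        pkt = build_ipv4_header(dst, length)
        results[f"{dst_addr(pkt)}/{length}"] = matching_filters(pkt)
    return results


if __name__ == "__main__":
    for key, hits in run_demo().items():
        print(f"{key:<22} {', '.join(hits) or '(no match)'}")
```

Running the script prints one line per constructed packet with the filters it would pass. The 240.0.0.1 and 255.255.255.255 rows pass "ip[16]>=224" but not the "<240" variant, which is exactly the false-positive class the caveat above describes; the 512-byte packet does not pass "ip[2:2]>512" because the comparison is strict.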