How to Filter TCPDump by Subnet Mask (CIDR Notation) for Network Traffic Analysis

When analyzing network traffic with tcpdump, we often need to capture packets from an entire subnet rather than just a single host. The original command:

tcpdump -w net75.out -s 0 host 65.207.95.222

only captures traffic for a specific IP address. We want to modify this to capture all traffic within the 65.192.0.0/10 subnet.

tcpdump's net primitive accepts either a CIDR prefix length or an explicit netmask; the two forms below compile to the same filter:

tcpdump -w net75.out -s 0 net 65.192.0.0/10
tcpdump -w net75.out -s 0 net 65.192.0.0 mask 255.192.0.0

In both forms the address must be the network address with the host bits cleared: libpcap rejects net 65.207.95.222/10 with a "non-network bits set" error, so mask the host address down to 65.192.0.0 first.

Let's examine a complete working example with some additional useful options:

tcpdump -i eth0 -w subnet_traffic.pcap -s 0 -n \
net 65.192.0.0/10 and not port 22

This command:

  • Captures on interface eth0
  • Writes to subnet_traffic.pcap
  • Captures full packets (-s 0; this has been the default since tcpdump 4.0, so on current versions it is harmless but unnecessary)
  • Disables name resolution (-n)
  • Filters for our target subnet
  • Excludes SSH traffic (port 22)

For more complex scenarios, you can combine subnet filters with other expressions:

# Capture HTTP traffic within subnet
tcpdump -w http_subnet.pcap -s 0 \
'net 65.192.0.0/10 and (tcp port 80 or tcp port 8080)'

# Capture traffic between two specific subnets
tcpdump -w inter_subnet.pcap -s 0 \
'(src net 65.192.0.0/10 and dst net 192.168.1.0/24) or (src net 192.168.1.0/24 and dst net 65.192.0.0/10)'

Keep the whole expression inside one pair of quotes: a backslash-newline inside single quotes is handed to the filter parser literally rather than being treated as a shell line continuation, and the parse fails. Because the two prefixes do not overlap, the shorter 'net 65.192.0.0/10 and net 192.168.1.0/24' selects the same packets.

To check that the filter matches what you expect before writing to disk, watch a few packets on the console with -n (no name resolution), -v (verbose) and -c (stop after a count):

tcpdump -n -v -c 10 net 65.192.0.0/10

This prints the first 10 matching packets and exits. tcpdump -d 'net 65.192.0.0/10' dumps the compiled BPF program instead of capturing, which is the quickest way to confirm that a complex expression parsed the way you intended.

Every tcpdump expression, keyword form included, is compiled to a BPF program that compares the masked source and destination address fields, so writing the byte-offset form by hand gains nothing in performance. It is worth knowing because it is the only way to express a match the keyword grammar does not cover, and because it shows what net actually does:

# Raw byte-offset form of net 65.192.0.0/10 (IPv4 only: ip[...] never matches IPv6)
tcpdump -i eth0 -w raw_filter.pcap -s 0 \
'(ip[12:4] & 0xffc00000 = 0x41c00000) or (ip[16:4] & 0xffc00000 = 0x41c00000)'

ip[12:4] is the IPv4 source address field and ip[16:4] the destination field. The /10 mask 255.192.0.0 is 0xffc00000 and 65.192.0.0 is 0x41c00000 (65 = 0x41, 192 = 0xc0), so each comparison keeps the top 10 bits and tests them against the prefix. Masking with 0xc0000000 and comparing to 0x40000000, as is sometimes written, keeps only two bits and therefore matches all of 64.0.0.0/2, and checking ip[12:4] alone matches source addresses only.
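The arithmetic behind the two equivalent net forms and the raw byte-offset filter, as an added example that is not part of the original page: a few pure-shell helpers that normalise a CIDR to tcpdump's net/mask form, test whether an address falls inside a prefix (the same masked comparison the net primitive compiles to), and generate the byte-offset expression for any prefix rather than only /10. The function names are this example's own, and the script assumes a POSIX sh with 64-bit arithmetic; tcpdump itself is not needed to run it.

```shell
#!/bin/sh
# Added example, not code from the original page: pure-shell helpers that make
# the semantics of `net 65.192.0.0/10` explicit and derive the raw byte-offset
# BPF form from it.  Assumes a POSIX sh with 64-bit arithmetic (bash, dash and
# busybox ash all qualify); tcpdump itself is not needed to run this.

# Dotted-quad IPv4 address -> 32-bit integer.  Runs in a subshell so the IFS
# change does not leak into the caller.
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# 32-bit integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Prefix length (0-32) -> mask as a 32-bit integer; /10 gives 0xffc00000.
prefix2mask() {
    case $1 in ''|*[!0-9]*) echo "bad prefix length: $1" >&2; return 1;; esac
    [ "$1" -le 32 ] || { echo "bad prefix length: $1" >&2; return 1; }
    echo $(( (0xffffffff << (32 - $1)) & 0xffffffff ))
}

# `net A/N` rewritten as the equivalent `net A mask M` form.  Host bits in A
# are cleared first, because libpcap rejects a net expression whose host bits
# are set ("non-network bits set").
cidr_to_mask_form() {
    net=${1%/*}; plen=${1#*/}
    m=$(prefix2mask "$plen") || return 1
    echo "net $(int2ip $(( $(ip2int "$net") & m ))) mask $(int2ip "$m")"
}

# Does address $1 fall inside CIDR $2?  This is exactly the comparison that
# `net` compiles to, applied to one address instead of a packet field.
in_cidr() {
    net=${2%/*}; plen=${2#*/}
    m=$(prefix2mask "$plen") || return 1
    [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "$net") & m )) ]
}

# Raw byte-offset equivalent of `net A/N`: ip[12:4] is the IPv4 source address
# field, ip[16:4] the destination; `net` matches either.  The ip[...] form
# only ever matches IPv4 packets.
cidr_to_raw_bpf() {
    net=${1%/*}; plen=${1#*/}
    m=$(prefix2mask "$plen") || return 1
    v=$(( $(ip2int "$net") & m ))
    mh=$(printf '0x%08x' "$m"); vh=$(printf '0x%08x' "$v")
    echo "(ip[12:4] & $mh = $vh) or (ip[16:4] & $mh = $vh)"
}

# Walk through the subnet from the original question.
cidr_to_mask_form 65.192.0.0/10        # net 65.192.0.0 mask 255.192.0.0
cidr_to_mask_form 65.207.95.222/10     # same output: host bits cleared
in_cidr 65.207.95.222 65.192.0.0/10 && echo "65.207.95.222 is inside 65.192.0.0/10"
in_cidr 65.191.255.255 65.192.0.0/10 || echo "65.191.255.255 is outside 65.192.0.0/10"
cidr_to_raw_bpf 65.192.0.0/10
# (ip[12:4] & 0xffc00000 = 0x41c00000) or (ip[16:4] & 0xffc00000 = 0x41c00000)
```

The last line is the expression to paste into tcpdump when you need the raw form; the in_cidr check is a quick way to confirm that the host from the original command (65.207.95.222) really is covered by the prefix before you start a long capture.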


To recap: the host primitive matches a single address, while net matches a whole prefix. The CIDR form:

tcpdump -w net75.out -s 0 net 65.192.0.0/10

and the explicit-mask form:

tcpdump -w net75.out -s 0 net 65.192.0.0 mask 255.192.0.0

are equivalent; use whichever reads better in your scripts.

To test your filter before writing to a file, use:

tcpdump -n -v net 65.192.0.0/10

The -n prevents DNS resolution, and -v provides more verbose output.

You can combine subnet filters with other conditions. For example, to capture HTTP traffic only:

tcpdump -w net75.out -s 0 net 65.192.0.0/10 and port 80

When capturing a large subnet for any length of time, consider:

  • -c N to stop after N packets
  • -C size and -W count to rotate output files (size is in millions of bytes; with -W the files form a ring of count files, numbered net75.pcap0, net75.pcap1, ..., and the oldest is overwritten when the ring is full)
  • -G seconds to rotate on a time interval instead, with strftime(3) escapes in the file name
  • raw byte-offset BPF expressions for conditions the keyword grammar cannot express

Here's a complete command that captures web traffic from the subnet into a ring of five 100 MB files:

tcpdump -w net75.pcap -s 0 -C 100 -W 5 \
'net 65.192.0.0/10 and (port 80 or port 443)'

The parentheses matter: and binds tighter than or, so without them the expression means (net 65.192.0.0/10 and port 80) or port 443, which would capture port 443 traffic from every address on the wire.