When analyzing network traffic with tcpdump, we often need to capture packets from an entire subnet rather than just a single host. The original command:
tcpdump -w net75.out -s 0 host 65.207.95.222
only captures traffic for a specific IP address. We want to modify this to capture all traffic within the 65.192.0.0/10 subnet.
tcpdump's `net` primitive accepts either CIDR notation or an explicit mask, and both match the subnet as source or destination. For 65.192.0.0/10 the two forms are equivalent:
tcpdump -w net75.out -s 0 net 65.192.0.0/10
tcpdump -w net75.out -s 0 net 65.192.0.0 mask 255.192.0.0
Let's examine a complete working example with some additional useful options:
tcpdump -i eth0 -w subnet_traffic.pcap -s 0 -n \
net 65.192.0.0/10 and not port 22
This command:
- Captures on interface eth0
- Writes to subnet_traffic.pcap
- Captures full packets (-s 0; on tcpdump 4.0 and later the default snaplen already captures whole packets, so this is only needed for older builds or after an explicit smaller -s)
- Disables name resolution (-n)
- Filters for our target subnet
- Excludes SSH traffic (port 22)
For more complex scenarios, you can combine subnet filters with other expressions:
# Capture HTTP traffic within subnet
tcpdump -w http_subnet.pcap -s 0 \
'net 65.192.0.0/10 and (tcp port 80 or tcp port 8080)'
# Capture traffic between two specific subnets
tcpdump -w inter_subnet.pcap -s 0 \
  '(src net 65.192.0.0/10 and dst net 192.168.1.0/24) or (src net 192.168.1.0/24 and dst net 65.192.0.0/10)'
(Keep the whole filter inside one pair of quotes; a backslash inside single quotes is passed to tcpdump literally and is a filter syntax error.)
To verify the filter before committing to a long capture, check that it compiles and inspect the generated BPF with -d (no capture, no root needed), then watch a handful of live matches with -c (count) and -n (no name resolution) plus -v (verbose):
tcpdump -d 'net 65.192.0.0/10'
tcpdump -n -v -c 10 net 65.192.0.0/10
The first command prints the compiled program, which shows the filter testing both the source and destination address fields; the second prints the first 10 packets that match and then exits.
When capturing large subnets, note that tcpdump compiles `net` into a BPF program itself, so writing the address test by hand does not make it faster. Raw byte-offset tests are still worth knowing for fields the high-level primitives do not expose, and they make explicit what `net` does. The equivalent of `net 65.192.0.0/10` in that form is:
tcpdump -i eth0 -w raw_bpf.pcap -s 0 \
  'ip[12:4] & 0xffc00000 = 0x41c00000 or ip[16:4] & 0xffc00000 = 0x41c00000'
Here ip[12:4] is the IPv4 source address and ip[16:4] the destination address (byte offsets into the IP header). The /10 mask is 255.192.0.0 = 0xffc00000, and 65.192.0.0 is 0x41c00000 (65 = 0x41, 192 = 0xc0). Masking with only 0xc0000000 and comparing to 0x40000000, as is sometimes shown, keeps just the top two address bits and therefore matches everything in 64.0.0.0/2, not the intended /10.
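The following POSIX shell script is an added example, not part of the original page: it converts a CIDR prefix such as 65.192.0.0/10 into the explicit-mask spelling of `net` and into the raw byte-offset BPF expression, so the three forms can be compared with `tcpdump -d`. The function names (`cidr_to_mask`, `cidr_to_bpf`, and their helpers) are this example's own; it assumes a 64-bit shell arithmetic implementation (dash, bash, and busybox sh all qualify) and that tcpdump is installed only for the optional `--show` step.

```shell
#!/bin/sh
# Added example (not from the original page): convert a CIDR prefix into
# (a) tcpdump's "net ADDR mask MASK" form and (b) the raw byte-offset BPF
# expression matching the subnet in either the IPv4 source (ip[12:4]) or
# destination (ip[16:4]) address field. Names below are this example's own.

# Print a dotted-quad IPv4 address as an unsigned 32-bit integer.
ip_to_u32() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Print an unsigned 32-bit integer as a dotted-quad address.
u32_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Netmask for a prefix length as a 32-bit integer (10 -> 0xffc00000).
prefix_to_mask_u32() {
    if [ "$1" -eq 0 ]; then
        echo 0
    else
        echo $(( (0xffffffff << (32 - $1)) & 0xffffffff ))
    fi
}

# cidr_to_mask 65.192.0.0/10 -> "net 65.192.0.0 mask 255.192.0.0"
# The address is reduced to its network number, so a host address such as
# 65.207.95.222/10 yields the same network as 65.192.0.0/10.
cidr_to_mask() {
    addr=${1%/*}; plen=${1#*/}
    mask=$(prefix_to_mask_u32 "$plen")
    net=$(( $(ip_to_u32 "$addr") & mask ))
    echo "net $(u32_to_ip "$net") mask $(u32_to_ip "$mask")"
}

# cidr_to_bpf 65.192.0.0/10 ->
#   "(ip[12:4] & 0xffc00000 = 0x41c00000 or ip[16:4] & 0xffc00000 = 0x41c00000)"
# Both the source (offset 12) and destination (offset 16) fields are tested,
# which is what "net" does: it matches traffic to or from the subnet.
cidr_to_bpf() {
    addr=${1%/*}; plen=${1#*/}
    mask=$(prefix_to_mask_u32 "$plen")
    net=$(( $(ip_to_u32 "$addr") & mask ))
    m=$(printf '0x%08x' "$mask"); n=$(printf '0x%08x' "$net")
    echo "(ip[12:4] & $m = $n or ip[16:4] & $m = $n)"
}

# Optional: ./cidr2bpf.sh --show 65.192.0.0/10
# Prints the compiled BPF for all three spellings via tcpdump -d (no capture,
# no root required) so their equivalence can be checked by eye.
if [ "${1:-}" = "--show" ]; then
    cidr=${2:-65.192.0.0/10}
    for expr in "net $cidr" "$(cidr_to_mask "$cidr")" "$(cidr_to_bpf "$cidr")"; do
        echo "== $expr"
        tcpdump -d "$expr"
    done
fi
```

The `--show` step is the practical check: if the three programs printed by `tcpdump -d` are the same apart from jump targets, the hand-written offsets are right, and any mistake in the mask or network constant shows up as a different comparison immediate in the `jeq` instructions.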
When working with network traffic analysis, we often need to capture packets from an entire subnet rather than just a single host. The original command:
tcpdump -w net75.out -s 0 host 65.207.95.222
only captures traffic for a specific IP address. We want to modify this to capture all traffic within the 65.192.0.0/10 subnet.
tcpdump supports CIDR notation for subnet filtering. The syntax uses the net primitive with the network address and prefix length:
tcpdump -w net75.out -s 0 net 65.192.0.0/10
The same subnet can also be written with an explicit mask, which is equivalent:
tcpdump -w net75.out -s 0 net 65.192.0.0 mask 255.192.0.0
To test your filter before writing to a file, use:
tcpdump -n -v net 65.192.0.0/10
The -n option prevents DNS resolution, and -v provides more verbose output.
You can combine subnet filters with other conditions. For example, to capture HTTP traffic only:
tcpdump -w net75.out -s 0 net 65.192.0.0/10 and port 80
When capturing large subnets, consider:
- Using -c to stop after a fixed number of packets
- Adding -C and -W for file rotation: -C starts a new file once the current one exceeds the given size (in millions of bytes), and -W caps the number of files, after which tcpdump overwrites them from the beginning
- Parenthesising compound filter expressions, since `and` binds tighter than `or` and an unparenthesised `net X and port 80 or port 443` would capture all port 443 traffic, not just the subnet's
Here's a complete command that captures web traffic to or from the subnet with rotation:
tcpdump -w net75.pcap -s 0 -W 5 -C 100 \
  'net 65.192.0.0/10 and (port 80 or port 443)'
This writes net75.pcap, then net75.pcap1 through net75.pcap4, each up to roughly 100 MB, and then wraps around and overwrites the oldest file, so the capture never uses more than about 500 MB of disk.