When working with network traffic analysis, tcpdump is an essential tool for capturing and filtering packets. A common requirement is to filter traffic based on specific IP addresses and ports. The basic syntax for this is:
tcpdump -i [interface] 'host [ip] and port [port]'
To specify both source and destination IPs along with a port, you need to use logical operators properly. Here's the correct syntax:
tcpdump -i eth0 'src host 192.168.1.100 and dst host 10.0.0.1 and src port 8080'
Many users make these errors when constructing filters:
- Missing quotation marks around the filter expression
- Using commas instead of logical operators (and/or)
- Incorrect order of filter conditions
For more complex scenarios, you can combine multiple conditions:
# Filter traffic between two specific hosts on specific ports
tcpdump -i any 'host 192.168.1.5 and host 192.168.1.10 and (port 80 or port 443)'
# Capture traffic from a specific subnet to a port range
tcpdump -i eth0 'net 192.168.1.0/24 and dst portrange 8000-9000'
Always test your filters with the -v (verbose) flag first to ensure they're working as expected:
tcpdump -i eth0 -v 'src host 10.0.0.5 and dst port 22'
When filtering on busy networks, consider these optimizations:
- Use specific interface names instead of 'any'
- Apply filters as early as possible in the command
- Limit the number of captured packets with -c count
For better analysis of filtered results, use these flags:
tcpdump -n -tttt -XX -i eth0 'host 192.168.1.1 and port 3306'
Where:
- -n prevents DNS resolution
- -tttt shows full timestamps
- -XX shows hex and ASCII output
When working with network packet analysis, tcpdump offers powerful filtering capabilities. A common mistake beginners make is trying to combine multiple conditions without the proper syntax. Let's break down the correct way to filter by both IP addresses and ports.
The proper syntax for combining IP and port filters requires using logical operators and proper grouping. Here's the basic structure:
tcpdump -i eth0 'src host 192.168.1.100 and dst host 10.0.0.1 and src port 8080'
Let's examine several common scenarios with complete command examples:
Basic Source/Destination Filter
tcpdump -i any 'src 192.168.1.5 and dst 10.0.0.8 and port 443'
Filtering Specific Protocol Traffic
tcpdump -nn -i eth0 'tcp and src host 172.16.0.10 and dst port 3306'
Complex Multi-Condition Filter
tcpdump -i enp0s3 '(src net 192.168.0.0/24 and dst port 80) or (src port 53 and dst host 8.8.8.8)'
Many users encounter these specific issues:
- Missing quotes around complex filters
- Incorrect operator precedence without parentheses
- Using 'port' instead of 'src port' or 'dst port' when direction matters
For more complex scenarios, you can combine these filters with other TCPDump capabilities:
tcpdump -i eth0 -s 0 -w output.pcap 'src 10.0.0.5 and (dst port 3389 or dst port 22)'
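The pitfalls listed above (commas instead of and/or, missing parentheses, plain 'port' where direction matters) are easy to avoid if the expression is built by a small helper rather than typed by hand. The following script is an added example, not part of the original post; build_filter and check_filter are hypothetical helper names, and it only prints the expression so it can be pasted into a tcpdump command.

```bash
#!/bin/sh
# build_filter SRC DST "PORT [PORT ...]" prints a tcpdump filter expression.
# Conditions are joined with 'and', ports are directional ('dst port'),
# a port written as A-B becomes 'dst portrange A-B', and a list of ports is
# wrapped in parentheses so 'or' cannot swallow the surrounding 'and'.
build_filter() {
    src="$1"; dst="$2"; ports="$3"
    filt=""
    if [ -n "$src" ]; then
        filt="src host $src"
    fi
    if [ -n "$dst" ]; then
        if [ -n "$filt" ]; then filt="$filt and "; fi
        filt="${filt}dst host $dst"
    fi
    portexpr=""
    for p in $ports; do
        case "$p" in
            *[!0-9-]*) echo "bad port '$p': use spaces, not commas" >&2; return 1 ;;
            *-*)       term="dst portrange $p" ;;
            *)         term="dst port $p" ;;
        esac
        if [ -z "$portexpr" ]; then portexpr="$term"; else portexpr="$portexpr or $term"; fi
    done
    if [ -n "$portexpr" ]; then
        case "$portexpr" in
            *" or "*) portexpr="($portexpr)" ;;   # precedence: group the 'or' terms
        esac
        if [ -n "$filt" ]; then filt="$filt and "; fi
        filt="${filt}${portexpr}"
    fi
    printf '%s\n' "$filt"
}

# check_filter EXPR returns 1 if the expression contains the comma mistake.
check_filter() {
    case "$1" in
        *,*) return 1 ;;
    esac
    return 0
}

# Example use (constructed addresses):
#   tcpdump -i eth0 -nn "$(build_filter 10.0.0.5 '' '3389 22')"
# prints packets matching: src host 10.0.0.5 and (dst port 3389 or dst port 22)
```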
When filtering on busy networks, these optimizations can help:
- Use '-c' to limit packet count
- Apply filters as early as possible
- Consider BPF filter optimization