How to Filter TCPDUMP for Multiple Specific IP Addresses: A Precise Packet Capture Technique

When monitoring network traffic for specific servers in a shared subnet, traditional subnet-based filtering (net 192.168.1.0/24) becomes too broad. The requirement is to capture traffic exclusively for three eCommerce servers (192.168.1.2-4) while explicitly excluding adjacent IPs such as the PayRoll server (192.168.1.5).

The proper Berkeley Packet Filter (BPF) syntax for this scenario joins one host primitive per address with or (host matches the address as either source or destination); parentheses are used to group the host clause whenever it is combined with further conditions:

tcpdump -i eth0 -w /tmp/capture.pcap "host 192.168.1.2 or host 192.168.1.3 or host 192.168.1.4"

The original attempts contained several syntax errors:

# Wrong: Incorrect parameter order and invalid quotes
tcpdump 0 \"/tmp\" \"host 192.168.1.2 or host 192.168.1.3 or host 192.168.1.4\" 100000

# Wrong: Using ip.host (Wireshark display-filter syntax) instead of the BPF host primitive
tcpdump 0 \"/tmp\" \"ip.host==192.168.1.2 or ip.host==192.168.1.3 or ip.host==192.168.1.4\" 100000

For more complex scenarios, combine with port filtering:

# Capture HTTP/HTTPS traffic only
tcpdump -i eth0 "((host 192.168.1.2 or host 192.168.1.3 or host 192.168.1.4) and (port 80 or port 443))"

# Exclude SSH traffic from capture
tcpdump -i eth0 "((host 192.168.1.2 or host 192.168.1.3 or host 192.168.1.4) and not port 22)"
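As an added example (not code from the original page), the following Python builds the same grouped BPF expression from a list of hosts and ports, assembles the tcpdump argument list with the filter as a single argument, and applies the expression's semantics to constructed flow tuples so you can see that host matches both directions while the PayRoll address stays out. The names build_bpf, tcpdump_argv and matches are chosen here.

```python
import ipaddress
import shlex

# Constructed sample: the three eCommerce hosts from the page; PayRoll (.5) must stay out.
ECOMMERCE = ["192.168.1.2", "192.168.1.3", "192.168.1.4"]


def build_bpf(hosts, ports=(), exclude_ports=()):
    """Return a BPF expression for traffic to or from any of `hosts`.

    `host X` already matches X as source *or* destination, so one `or` chain
    covers both directions.  Port clauses are AND-ed onto the parenthesised
    host group; without the parentheses `and` would bind only to the last host.
    """
    terms = [f"host {ipaddress.ip_address(h)}" for h in hosts]  # ValueError on a bad IP
    if not terms:
        raise ValueError("at least one host is required")
    expr = "(" + " or ".join(terms) + ")"
    if ports:
        expr += " and (" + " or ".join(f"port {int(p)}" for p in ports) + ")"
    for p in exclude_ports:
        expr += f" and not port {int(p)}"
    return expr


def tcpdump_argv(iface, outfile, expr):
    """Assemble argv; the whole filter is one argument, so no shell-quoting games."""
    return ["tcpdump", "-i", iface, "-nn", "-w", outfile, expr]


def matches(hosts, ports, exclude_ports, src, dst, sport, dport):
    """Reference semantics of the expression above for one TCP/UDP flow tuple."""
    wanted = {ipaddress.ip_address(h) for h in hosts}
    if ipaddress.ip_address(src) not in wanted and ipaddress.ip_address(dst) not in wanted:
        return False                      # neither endpoint is a monitored host
    if ports and sport not in ports and dport not in ports:
        return False                      # port allow-list did not match
    return not any(sport == p or dport == p for p in exclude_ports)


if __name__ == "__main__":
    expr = build_bpf(ECOMMERCE, ports=(80, 443), exclude_ports=(22,))
    print(shlex.join(tcpdump_argv("eth0", "/tmp/capture.pcap", expr)))
    # Constructed flows: (src, dst, sport, dport)
    for flow in [("10.0.0.9", "192.168.1.3", 51000, 443),   # kept: dst is an eCommerce host
                 ("192.168.1.5", "10.0.0.9", 51001, 443),   # dropped: PayRoll server
                 ("10.0.0.9", "192.168.1.4", 51002, 22)]:   # dropped: not port 22
        print(flow, matches(ECOMMERCE, (80, 443), (22,), *flow))
```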

When monitoring high-traffic servers, consider:

# Rotate the output file every 100 MB (-C, in millions of bytes) and keep at most 5 files (-W ring buffer), so on-disk usage stays around 500 MB
tcpdump -i eth0 -C 100 -W 5 -w /tmp/capture.pcap "host 192.168.1.2 or host 192.168.1.3 or host 192.168.1.4"

# Raise the OS capture buffer to 4 MiB (-B takes KiB) so traffic bursts are less likely to be dropped by the kernel
tcpdump -i eth0 -B 4096 -w /tmp/capture.pcap "(host 192.168.1.2 or host 192.168.1.3 or host 192.168.1.4)"

To confirm your filter works before long captures:

# Test filter with 10 packets
tcpdump -i eth0 -c 10 "host 192.168.1.2 or host 192.168.1.3 or host 192.168.1.4"

# Check for dropped packets: tcpdump reports "packets dropped by kernel" on stderr when it exits, and with -w plus -v it also prints the running packet count every 10 seconds (options belong before the filter expression)
tcpdump -i eth0 -v -w /tmp/capture.pcap "host 192.168.1.2 or host 192.168.1.3 or host 192.168.1.4"

When monitoring eCommerce servers (192.168.1.2-4) while excluding adjacent systems like the PayRoll app (192.168.1.5), standard subnet-based filters won't work. Many engineers struggle with the correct BPF syntax for this selective capture scenario.

The proper tcpdump filter uses this structure:

tcpdump -i eth0 -w /tmp/capture.pcap "host 192.168.1.2 or host 192.168.1.3 or host 192.168.1.4"

Your attempts contained several issues:

# Wrong: Using 0 as interface and incorrect quote placement
tcpdump 0 "/tmp" "host 192.168.1.2 or..."  # Syntax error

# Wrong: Using ip.host instead of host
tcpdump "ip.host==192.168.1.2"  # Invalid BPF filter

For complex environments, consider these variations:

# Capture both directions explicitly with src host / dst host (equivalent to plain host, which already matches either direction)
tcpdump -i eth0 "(src host 192.168.1.2 or src host 192.168.1.3 or src host 192.168.1.4) or (dst host 192.168.1.2 or dst host 192.168.1.3 or dst host 192.168.1.4)"

# Combine with port filtering
tcpdump -i eth0 "(host 192.168.1.2 or host 192.168.1.3 or host 192.168.1.4) and (port 80 or port 443)"

For high-traffic environments, add these optimizations:

# Rotate the output file every 100 MB (-C) and keep at most 10 files (-W ring buffer)
tcpdump -i eth0 -C 100 -W 10 -w /tmp/capture.pcap "host 192.168.1.2 or host 192.168.1.3 or host 192.168.1.4"

# Raise the OS capture buffer to 4 MiB (-B takes KiB) to reduce kernel drops
tcpdump -i eth0 -B 4096 -w /tmp/capture.pcap "host 192.168.1.2 or host 192.168.1.3 or host 192.168.1.4"