Forum Discussion

Michael_Newton's avatar
Michael_Newton
Icon for Nimbostratus rankNimbostratus
May 30, 2019

Setting up a tcpdump filter

ALCON need an assist if you can.  I have a customer who want a TCPDUMP using a specific filter.   (ip.src == 192.102.67.73) && (tcp.srcport == 443) && (tcp.flags == 0x018) && (tls.record.content...
BIG-IP
F5 Cloud Services
security
Hamish's avatar
Hamish
Icon for Cirrocumulus rankCirrocumulus
May 30, 2019

So what was the question? Or you simply want that translated into a tcpdump filter

 

 

I'd recommend you look at 'man tcpdump' myself. Which would (probably) lead you to 'man pap-filter'. Or google for 'tcpdump filter'. However as a hint

 

&& (Logical And) becomes 'and' (Or you can leave it as && if you really want but replacing and, or with &&, || will require single quotes around the filter).

 

ip.src == 192.102.67.73 becomes 'src 192.102.67.73'

 

tcp.srcport == 443 becomes 'src port 443'

 

tcp.flags = 0x018 becomes 'tcp[13] = 26'

 

The others become a bit more complex... You'd really have to know the offsets into the packet to check them (I don't know them off hand sorry). However this may help

 

http://blog.fourthbit.com/2014/12/23/traffic-analysis-of-an-ssl-slash-tls-session

 

There's lots of useful pages available on the internet for tcpdump filters. e.g

 

https://danielmiessler.com/study/tcpdump/