Can tcpdump be instructed not to report packets to a specific source?


Problem:

I would like to monitor packets using TCPdump. Sadly, I must do this remotely – in this case, I’m using a remote desktop from VNC, but at best I can do it over SSH.

What I mean by “at best” is: I am seeing a huge number of packets that are directed at my own machine. I’m trying to monitor the server, not my local machine, so I’d really rather ignore any packets going to my own machine.

Is there any way to make tcpdump report everything EXCEPT packets going to a certain IP?

My hacky solution is: sleep 5; tcpdump [options] and kill the VNC connection while I’m waiting.

Solution:

Yes, you can add a filter in your tcpdump options. Assuming your IP is, this would look like:

  tcpdump ...other options... 'not host your.own.ip.address'

You can do it by means of the following command:

  tcpdump -i eth0 '! host your.own.ip.address'

However, this is slight overkill: you may occasionally be interested in packets addressed to your machine, but not in those belonging to the communication itself. You can use

  tcpdump -i eth0 '! port 22'

(if you are connected via ssh) which will eliminate all packets going to/from the remote machine on port 22; this will however also drop all ssh packets to/from the remote machine from/to other machines.

If you want to be really complete, excluding only traffic between your local and remote machines via ssh, you have to issue:

  tcpdump -i eth0 '! ((host remote.machine.ip.address and port 22) and host local.machine.ip.address)'

Remember the quotes, they are important.
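As an added example (not part of the original answer), the last filter can be built from the SSH_CONNECTION variable that sshd sets in the login session ("client_ip client_port server_ip server_port"), so the addresses do not have to be typed by hand. Pinning both endpoints and both ports excludes only the administrator's own session and keeps other clients' SSH traffic to the server visible; the sample SSH_CONNECTION value below is constructed.

```shell
#!/bin/sh
# Added example, not from the original answer: derive a tcpdump filter that
# drops only the SSH session the capture is being run from.

# $1: contents of SSH_CONNECTION, i.e. "client_ip client_port server_ip server_port"
# Prints a BPF expression excluding exactly that one session.
ssh_session_filter() {
    # Split the four space-separated fields into positional parameters.
    set -- $1
    [ $# -eq 4 ] || { echo "SSH_CONNECTION not set or malformed" >&2; return 1; }
    client_ip=$1 client_port=$2 server_ip=$3 server_port=$4
    # "host X and port 22" alone would also hide other clients' SSH traffic to
    # the server; naming both hosts and both ports keeps that traffic in view.
    printf 'not (host %s and port %s and host %s and port %s)\n' \
        "$client_ip" "$client_port" "$server_ip" "$server_port"
}

# Usage on the server, inside the SSH session that should be excluded
# (-n skips name resolution, which would otherwise add DNS traffic to the capture):
#   tcpdump -i eth0 -n "$(ssh_session_filter "$SSH_CONNECTION")"
```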
