PG1X WIKI

tcpdump

BPF (Berkeley Packet Filter) Syntax

man 7 pcap-filter

Filter Expression

Essential Filtering

  • Exclude LOOP protocol (EtherType 0x9000, the same as "ether proto loopback"; a bare decimal "9000" is read as 0x2328 and would match a different EtherType)
      not ether proto 0x9000
  • Exclude ARP, CDP, LOOP, 0x6002 (DEC DNA Remote Console) protocol
      not (arp or ether[20:2] == 0x2000 or ether proto (loopback or 0x6002))
  • Exclude ARP, CDP, LOOP, 0x6002 (DEC DNA Remote Console), OSPF protocol
      not (arp or ether[20:2] == 0x2000 or ether proto (loopback or 0x6002) or ip proto ospf)
  • LLDP NOT TESTED!! Exclude ARP, CDP, LOOP, 0x6002 (DEC DNA Remote Console), LLDP (0x88cc), OSPF protocol
      not (arp or ether[20:2] == 0x2000 or ether proto (loopback or 0x6002 or 0x88cc) or ip proto ospf)
  • Exclude ARP, CDP, LOOP, 0x6002 (DEC DNA Remote Console), OSPF, DHCP, ICMPv6 ND (Neighbor Discovery) protocol
      not (arp or ether[20:2] == 0x2000 or ether proto (loopback or 0x6002) or ip proto ospf or udp port (67 or 68) or (icmp6 and (ip6[40] == 133 or ip6[40] == 134 or ip6[40] == 135 or ip6[40] == 136)))
  • LLDP NOT TESTED!! Exclude ARP, CDP, LOOP, 0x6002 (DEC DNA Remote Console), LLDP (0x88cc), OSPF, DHCP, ICMPv6 ND protocol
      not (arp or ether[20:2] == 0x2000 or ether proto (loopback or 0x6002 or 0x88cc) or ip proto ospf or udp port (67 or 68) or (icmp6 and (ip6[40] == 133 or ip6[40] == 134 or ip6[40] == 135 or ip6[40] == 136)))
  • LLDP NOT TESTED!! Exclude CDP, LOOP, 0x6002 (DEC DNA Remote Console), LLDP (0x88cc), OSPF, DHCP, STP, ICMPv6 protocol
      not (ether[20:2] == 0x2000 or ether proto (loopback or 0x6002 or 0x88cc) or ip proto ospf or udp port (67 or 68) or stp or icmp6)
  • DTP DOES NOT WORK, LLDP NOT TESTED!! Exclude CDP, LOOP, 0x6002 (DEC DNA Remote Console), LLDP (0x88cc), OSPF, DHCP, DTP (0x2004), STP, ICMPv6 protocol
      not (ether[20:2] == 0x2000 or ether proto (loopback or 0x6002 or 0x88cc) or ip proto ospf or udp port (67 or 68) or ether[20:2] == 0x2004 or stp or icmp6)
  • Exclude DTP (0x2004, Dynamic Trunking Protocol)
      not ether[20:2] == 0x2004
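Added example, not part of the wiki page: a small Python model of how the byte-offset tests above are evaluated, run over constructed frames (MAC addresses and payloads are placeholders). It shows why ether[20:2] lands on the SNAP protocol ID for CDP/DTP, and that the same test also matches the first fragment of any IPv4 datagram, because the IP flags/fragment-offset field (0x2000 = MF set, offset 0) sits at the same offset; a capture filter built this way silently drops those fragments, and matches_strict shows the tightened form.

```python
import struct
# Byte offsets the filters above index into as ether[N]:
#   0-5 dst MAC, 6-11 src MAC, 12-13 EtherType (>= 0x0600) or 802.3 length,
#   14-16 LLC DSAP/SSAP/ctrl (0xaa 0xaa 0x03 = SNAP), 17-19 SNAP OUI,
#   20-21 SNAP protocol ID (0x2000 CDP, 0x2004 DTP).
# In an IPv4 frame, bytes 20-21 are the IP flags/fragment-offset field instead.
CDP_PID, DTP_PID = 0x2000, 0x2004
LOOPBACK, DEC_REMOTE_CONSOLE = 0x9000, 0x6002   # "ether proto loopback", 0x6002

def u16(frame, off):
    """ether[off:2] as tcpdump evaluates it: big-endian, no header parsing."""
    return struct.unpack_from("!H", frame, off)[0]

def snap_pid(frame):
    """SNAP protocol ID, or None when the frame is not 802.3 + LLC/SNAP."""
    if len(frame) < 22 or u16(frame, 12) >= 0x0600:    # EtherType, not a length
        return None
    if u16(frame, 14) != 0xAAAA or frame[16] != 0x03:  # no LLC SNAP header
        return None
    return u16(frame, 20)

def matches_naive(frame):
    """ether[20:2] == 0x2000 or ether[20:2] == 0x2004 or ether proto (loopback or 0x6002)"""
    return u16(frame, 20) in (CDP_PID, DTP_PID) or u16(frame, 12) in (LOOPBACK, DEC_REMOTE_CONSOLE)

def matches_strict(frame):
    """Same exclusion, but ether[20:2] only counts when it really is a SNAP PID.
    BPF form: ether[12:2] < 0x0600 and ether[14:2] == 0xaaaa and ether[16] == 3
    and ether[20:2] == 0x2000  (likewise for 0x2004)."""
    return snap_pid(frame) in (CDP_PID, DTP_PID) or u16(frame, 12) in (LOOPBACK, DEC_REMOTE_CONSOLE)

# Constructed sample frames; the MAC addresses are placeholders.
CISCO_MCAST = bytes.fromhex("01000ccccccc")   # destination used by CDP and DTP
SRC = bytes.fromhex("020000000001")

def snap_frame(pid, payload=b"\x02\xb4" + b"\x00" * 6):
    """802.3 frame carrying LLC/SNAP with Cisco OUI 00:00:0c and the given PID."""
    body = b"\xaa\xaa\x03" + bytes.fromhex("00000c") + struct.pack("!H", pid) + payload
    return CISCO_MCAST + SRC + struct.pack("!H", len(body)) + body

def type_frame(ethertype, payload=b"\x00" * 8):
    """Ethernet II frame with a plain EtherType, e.g. 0x9000 loopback."""
    return CISCO_MCAST + SRC + struct.pack("!H", ethertype) + payload

def ipv4_first_fragment():
    """IPv4 frame with MF=1 and fragment offset 0, so bytes 20-21 read 0x2000."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, 0x2000, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return type_frame(0x0800, ip + b"\x00" * 8)
```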

Software That Accepts These Filter Expressions

tcpdump

See above.

Wireshark

Known there as a “Capture Filter” (display filters use a different syntax).

CML2

Entered in the “BPF” field.

tech/network/tcpdump/tcpdump.txt · Last modified: 2021/11/14 10:00 by wnoguchi