
I'm trying to write a libpcap (tcpdump, iftop) filter that would match packets having a specific local port.

That is, I'm interested in traffic that either goes out of port 12345 on the local machine or into port 12345 on the local machine.

The simplest filter that gives plausible results is just port 12345. However, I suspect this is incorrect because this would also match e.g. outgoing packets for port 12345 on the remote end (or vice versa), and I don't want that. Similarly, src port 12345 or dst port 12345 is also not what I want.

The simplest filter I could invent that does the job is:

(src host stratofortress and src port 12345) or (dst host stratofortress and dst port 12345)

(where stratofortress is my hostname). However, this is quite a complex filter for such a simple job, and it hardcodes the local address. What if I had multiple interfaces with multiple addresses?

Is there a simpler way to achieve what I want?

intelfx

1 Answer


A pcap filter and a pcap file have no information about the setup of the system where the pcap was captured, especially not about the local IP addresses on the system. This means that it cannot derive what "incoming" and "outgoing" mean. Instead you have to explicitly include this information in the filter, like you did. There is no simpler filter.

But of course one could make a script which takes a list of local IP addresses (or extracts these from the local system) to generate such a filter instead of adapting the filter manually for each system.

Steffen Ullrich
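The generator script suggested in the answer, written out as an added example (not from the original post or its author): it discovers the local addresses and expands the question's hand-written filter to any number of interfaces. It assumes an iproute2 system (the `ip` command) for address discovery; the filter-building function itself takes the addresses as arguments, so it can be fed a fixed list instead.

```sh
#!/bin/sh
# Added example: build a libpcap filter matching traffic on one *local* port.
# Assumption: iproute2 "ip -o addr" output format for address discovery.

# local_addrs: print one local IPv4/IPv6 address per line (non-loopback,
# global scope), with the prefix length stripped.
local_addrs() {
    ip -o addr show scope global 2>/dev/null | awk '{ sub(/\/.*/, "", $4); print $4 }'
}

# build_filter PORT ADDR... : emit the filter for local port PORT.
# Equivalent to the question's filter, generalised over every address A:
#   ((src host A1 or src host A2 ...) and src port PORT)
#     or ((dst host A1 or dst host A2 ...) and dst port PORT)
# i.e. packets leaving any local address from PORT, or arriving at any
# local address on PORT. Returns 1 if no address is given, so an empty
# address list never silently degrades to the ambiguous "port PORT".
build_filter() {
    [ $# -ge 2 ] || { echo "usage: build_filter PORT ADDR..." >&2; return 1; }
    port=$1; shift
    src=""; dst=""
    for a in "$@"; do
        src="${src:+$src or }src host $a"
        dst="${dst:+$dst or }dst host $a"
    done
    printf '((%s) and src port %s) or ((%s) and dst port %s)\n' \
        "$src" "$port" "$dst" "$port"
}

# Run with a port argument to print the generated filter, then pass it on:
#   tcpdump -n -i any "$(sh localport-filter.sh 12345)"
if [ $# -eq 1 ]; then
    build_filter "$1" $(local_addrs)
fi
```

Because the filter is built from the addresses present at run time, it must be regenerated when an interface gains or loses an address; it does not track changes on its own.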