tcpdump syntax for only capturing traffic coming to a specific virtual interface / local IP

Question

CentOS 5.x

I need to collect a packet capture of https requests going to a specific IP address / virtual interface. Is there a specific switch/parameter for tcpdump that will allow that? The other IPs receive a lot of traffic so I'd prefer to not capture data pertaining to them and have to filter them out later... .

score 6 · Accepted Answer · answered Aug 17 '10 at 17:54

6

Try this:

tcpdump -i any dst host your.ip.add.ress and port https

use http instead of https if you want to capture port 80 instead of 443 - or just use the numbers directly if you like. (The http/https names are mapped to the port numbers via lookup in /etc/services)

answered Aug 17 '10 at 17:54

pjz

10,497
1
31
40

+1 for correcting my mistake. – wolfgangsz Aug 17 '10 at 19:30

score 2 · Answer 2 · answered Aug 17 '10 at 15:09

2

tcpdump -n -i <INTERFACE> host <IP>

That should do it. -n will not resolve names.

answered Aug 17 '10 at 15:09

vmfarms

3,077
19
17

score 2 · Answer 3 · answered Aug 17 '10 at 15:10

2

Try this:

tcpdump -i any dst host your.ip.add.ress and port 80

answered Aug 17 '10 at 15:10

wolfgangsz

8,767
3
29
34

wrong port for https – pjz Aug 17 '10 at 17:55

tcpdump syntax for only capturing traffic coming to a specific virtual interface / local IP

3 Answers3