
I'm dumping outgoing traffic. I only want TCP and UDP packets destined outside my LAN, nothing else. I just used the following filter with tcpdump:

ip and (tcp or udp) and (not icmp) and src host myIPAddr and not dst net myNet/myNetBits and not ip broadcast

But I captured the following packet:

###[ Ethernet ]###
  dst       = ff:ff:ff:ff:ff:ff
  src       = 00:1e:4a:e0:9e:00
  type      = 0x806
###[ ARP ]###
     hwtype    = 0x1
     ptype     = 0x800
     hwlen     = 6
     plen      = 4
     op        = who-has
     hwsrc     = 00:1e:4a:e0:9e:00
     psrc      = X.X.X.X
     hwdst     = 00:00:00:00:00:00
     pdst      = Y.Y.Y.Y
###[ Padding ]###
        load      = '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'

What happened here? I thought I was dumping only IP packets.

Antonio Petricca
Ricky Robinson

2 Answers


Set filtering on your host as a source:

tcpdump src <YOUR_IP>
Antonio Petricca

From looking at your dump, you received an ARP packet with IP protocol type (i.e. ptype = 0x800). You should also filter out ARP packets with `and (not arp)`, and that should clean up your dump. I think if you look at the tcpdump code you will find the reason why it also keeps these specific ARP packets (but since IP uses these packets for network resolution, I guess these ARP packets are considered part of IP by tcpdump).

Kind regards,
Bo

Bo.
  • Thanks for the reply. I just tried to add that condition to my filter and I still get packets like the following: `###[ Ethernet ]### dst = ff:ff:ff:ff:ff:ff src = 00:1e:4a:e0:9e:00 type = 0x806 ###[ ARP ]### hwtype = 0x1 ptype = 0x800 hwlen = 6 plen = 4 op = who-has hwsrc = 00:1e:4a:e0:9e:00 psrc = X.X.X.X hwdst = 00:00:00:00:00:00 pdst = Y.Y.Y.Y ###[ Padding ]### load = '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'` – Ricky Robinson Jun 05 '12 at 14:17
  • I could easily filter out non-IP packets after dumping, but I don't understand why it just won't work with a simple filter like the one above. – Ricky Robinson Jun 05 '12 at 14:18
  • Well, ARP is used by IP as stated in http://www.ietf.org/rfc/rfc894.txt. You can also try the filter `not ether proto arp` to try to remove ARP packets (I have not looked at the tcpdump code in a long time, so I cannot remember the exact filtering approach). – Bo. Jun 05 '12 at 14:23
  • `not ether proto arp` doesn't work, even though it looks correct to me. Thank you anyway! – Ricky Robinson Jun 05 '12 at 14:35
  • Try: `not ether proto \arp`. From what I recall, older versions of tcpdump did not like *arp* and wanted *\arp*, as **arp** is a keyword. – Bo. Jun 05 '12 at 14:41
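As an added example, not part of the question or either answer: the Python below rebuilds the dumped who-has frame byte for byte and applies the EtherType tests that tcpdump's `ip`, `arp` and `ether proto \arp` primitives compile to, alongside a minimal IPv4/UDP frame for contrast. The psrc/pdst values and the UDP addresses are constructed placeholders (the post shows X.X.X.X / Y.Y.Y.Y); the point is that the frame is ARP by EtherType (0x0806) and its ptype = 0x800 only says which protocol's address is being resolved, so a correctly applied BPF `ip` test is false for it.

```python
import struct

ETHERTYPE_IPV4 = 0x0800   # what tcpdump's `ip` / `ether proto \ip` tests for
ETHERTYPE_ARP = 0x0806    # what tcpdump's `arp` / `ether proto \arp` tests for

def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))

def ip4(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))

def build_arp_frame(hwsrc: str, psrc: str, pdst: str) -> bytes:
    """Rebuild the who-has ARP frame from the dump: 14-byte Ethernet header,
    28-byte ARP body, 18 bytes of zero padding (psrc/pdst are constructed placeholders)."""
    eth = mac("ff:ff:ff:ff:ff:ff") + mac(hwsrc) + struct.pack("!H", ETHERTYPE_ARP)
    # hwtype=1, ptype=0x0800 (the protocol being resolved, NOT the EtherType),
    # hwlen=6, plen=4, op=1 (who-has)
    arp = struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, 1)
    arp += mac(hwsrc) + ip4(psrc) + mac("00:00:00:00:00:00") + ip4(pdst)
    return eth + arp + b"\x00" * 18

def build_ipv4_udp_frame(hwsrc: str, src: str, dst: str) -> bytes:
    """Minimal IPv4/UDP frame for contrast: EtherType 0x0800, IP protocol 17, empty payload."""
    eth = mac("00:11:22:33:44:55") + mac(hwsrc) + struct.pack("!H", ETHERTYPE_IPV4)
    iph = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0, ip4(src), ip4(dst))
    udp = struct.pack("!HHHH", 40000, 53, 8, 0)
    return eth + iph + udp

def ethertype(frame: bytes) -> int:
    """`ether proto X` compiles to a comparison on frame bytes 12..13."""
    return struct.unpack("!H", frame[12:14])[0]

def matches_ip(frame: bytes) -> bool:
    return ethertype(frame) == ETHERTYPE_IPV4

def matches_arp(frame: bytes) -> bool:
    return ethertype(frame) == ETHERTYPE_ARP

def matches_tcp_or_udp(frame: bytes) -> bool:
    """`tcp or udp` only looks at the IP protocol byte (offset 23) when the EtherType is IPv4."""
    return matches_ip(frame) and frame[23] in (6, 17)

def arp_ptype(frame: bytes) -> int:
    """ARP ptype (offset 16): which protocol's address is being resolved; 0x0800 here."""
    return struct.unpack("!H", frame[16:18])[0]

if __name__ == "__main__":
    arp = build_arp_frame("00:1e:4a:e0:9e:00", "192.0.2.10", "192.0.2.1")
    udp = build_ipv4_udp_frame("00:1e:4a:e0:9e:00", "192.0.2.10", "198.51.100.53")
    for name, f in (("arp", arp), ("udp", udp)):
        print(f"{name}: ethertype=0x{ethertype(f):04x} ip={matches_ip(f)} "
              f"arp={matches_arp(f)} tcp_or_udp={matches_tcp_or_udp(f)}")
```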