tcpdump offers powerful advanced filtering options that go beyond simple host, port, and protocol filters. By using complex expressions, you can capture highly specific network traffic based on multiple criteria or conditions. Advanced filtering lets you narrow down captures to only the most relevant packets.
Filtering by Packet Content
You can filter on the content within packets by comparing bytes at a known offset in the filter expression. tcpdump's -A (ASCII) and -X (hex and ASCII) output modes let you see the matched payload, and can be combined with string matching tools such as grep on the output.
Example to capture HTTP traffic with specific content:
tcpdump -i eth0 'tcp port 80 and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420)'
This filters for HTTP GET requests (0x47455420 is the hex encoding of "GET "). The expression ((tcp[12:1] & 0xf0) >> 2) computes the TCP header length from the data-offset field, so the comparison starts at the first payload byte even when TCP options are present; the shorter form tcp[20:4] only works for a 20-byte header with no options.
tcpdump itself does not evaluate regular expressions: for pattern matching beyond fixed byte offsets, pipe its -A output to grep. The -G option is unrelated to matching; it rotates the capture file written with -w every given number of seconds.
Advanced Filter Examples
Match Traffic Between Two Hosts and Ports
tcpdump 'host 192.168.1.1 and host 192.168.1.2 and port 80'
This captures traffic between 192.168.1.1 and 192.168.1.2 on port 80.
Capture TCP Packets with SYN Flag Set
tcpdump 'tcp[tcpflags] == tcp-syn'
This captures only packets whose TCP flags byte is exactly SYN with no other flag set, i.e. the first packet of a TCP handshake; SYN-ACK replies do not match this comparison.
Capture Traffic with Specific Length
tcpdump 'len == 128'
Captures packets whose length is exactly 128 bytes (len is the total packet length as seen on the wire, headers included, not just the payload).
Using Complex Filters with Parentheses
You can combine multiple filters with parentheses for more complex expressions. Example to capture all HTTP and HTTPS traffic, but exclude traffic from 10.0.0.1:
tcpdump '(port 80 or port 443) and not host 10.0.0.1'
Capture Specific Packet Types
Capture only ARP requests:
tcpdump 'arp[6:2] == 1'
This matches ARP request packets: the 2-byte opcode field at offset 6 of the ARP header is 1 for a request (2 for a reply).
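As an added example (not code from the original page), the following Python models the byte-offset semantics of the filters shown above over constructed packets: the "GET " match at a fixed offset versus at the TCP data offset, the SYN-only versus any-SYN flag tests, and the ARP opcode check. The packet builders and their values are constructed here, not captured traffic.

```python
import struct

# Constructed sample data (not captured traffic). Offsets follow tcpdump's
# tcp[...] / arp[...] indexing, which counts from the start of that header.

SYN, ACK = 0x02, 0x10

def build_tcp(payload: bytes, options: bytes = b"", flags: int = ACK) -> bytes:
    """Minimal TCP header (ports 12345->80, checksum left zero) + options + payload."""
    assert len(options) % 4 == 0, "TCP options are padded to 32-bit words"
    doff = (20 + len(options)) // 4          # data offset in 32-bit words
    hdr = struct.pack("!HHIIBBHHH", 12345, 80, 1, 1, doff << 4, flags, 65535, 0, 0)
    return hdr + options + payload

def build_arp(opcode: int) -> bytes:
    """Ethernet/IPv4 ARP body: htype, ptype, hlen, plen, opcode, sha, spa, tha, tpa."""
    return struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, opcode,
                       bytes(6), bytes(4), bytes(6), bytes(4))

def tcp_header_len(tcp: bytes) -> int:
    """((tcp[12:1] & 0xf0) >> 2): header length in bytes from the data-offset nibble."""
    return (tcp[12] & 0xF0) >> 2

def get_at_fixed_offset(tcp: bytes) -> bool:
    """tcp[20:4] = 0x47455420: the fixed-offset form, assumes a 20-byte header."""
    return tcp[20:24] == b"GET "

def get_at_data_offset(tcp: bytes) -> bool:
    """tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420: the option-aware form."""
    off = tcp_header_len(tcp)
    return tcp[off:off + 4] == b"GET "

def syn_only(tcp: bytes) -> bool:
    """tcp[tcpflags] == tcp-syn: flags byte is exactly SYN (first handshake packet)."""
    return tcp[13] == SYN

def syn_any(tcp: bytes) -> bool:
    """tcp[tcpflags] & tcp-syn != 0: SYN set, other flags allowed (SYN-ACK too)."""
    return tcp[13] & SYN != 0

def arp_request(arp: bytes) -> bool:
    """arp[6:2] = 1: the 2-byte opcode at offset 6 is 1 for a request, 2 for a reply."""
    return struct.unpack("!H", arp[6:8])[0] == 1

if __name__ == "__main__":
    get = b"GET / HTTP/1.1\r\n"
    # NOP, NOP, Timestamp (kind 8, len 10) = 12 bytes of options -> 32-byte header
    ts_opts = b"\x01\x01\x08\x0a" + bytes(8)
    for name, pkt in [("no options", build_tcp(get)), ("timestamps", build_tcp(get, ts_opts))]:
        print(f"{name:>11}: tcp[20:4]={get_at_fixed_offset(pkt)} data-offset={get_at_data_offset(pkt)}")
```

Running it shows the fixed-offset filter missing the GET once a timestamp option is present, which is why detection filters on payload bytes should compute the offset from the header.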