tcpdump lets you combine multiple filters using logical operators. This allows you to create more advanced expressions to capture exactly the traffic you’re interested in. The main operators are and, or, and not.
These operators work like simple math logic — they let you include or exclude traffic based on multiple conditions.
Supported Operators
Here’s how to use the three logical operators:
| Operator | Use Case | Example |
|---|---|---|
and | Match both conditions | tcpdump tcp and port 443 |
or | Match either condition | tcpdump port 80 or port 443 |
not | Exclude matching condition | tcpdump not port 22 |
You can also use parentheses for complex expressions:
tcpdump '(host 10.0.0.1 or host 10.0.0.2) and not port 22'This captures traffic to/from two IPs, but excludes SSH traffic.
Examples
tcpdump tcp and port 80Captures only TCP traffic on port 80.
tcpdump port 53 or port 67Captures traffic on DNS (53) or DHCP (67).
tcpdump not icmpExcludes all ping (ICMP) traffic.