5

I am looking to narrow down my tcpdump by packet length. I know I can `| grep but I was wondering if I can pass this particular packet length as an option in 'tcpdump'. I am trying to write a script to show me all present MPEG-TS multicast on the network using the following command: 

sudo tcpdump -c 1000 -ti <network_interface> multicast | grep 1316 | sort | uniq

So this command works and gives me exactly the output I want but I was thinking I could simplify it by passing the length in the tcpdump command, something like: 

sudo tcpdump -c 1000 -ti <network_interface> multicast and length 1316 | sort | uniq
Georgi Stoyanov
  • 471

1 Answers1

6

Total Ethernet packet size

According to pcap-filter(7), you can use the following conditions:

  • less length, equivalent to len <= length

  • greater length, equivalent to len >= length

  • Based on the examples, you should also be able to use len == length, but that isn't documented.

Note that this includes the link-layer and network-layer headers (i.e. everything that was captured), so an empty TCP ACK will have an IP "total length" field of 60 but will be seen as 74 bytes total.

See also this StackOverflow thread: https://stackoverflow.com/questions/9874093/how-to-filter-tcpdump-output-based-on-packet-length

Total IP packet size

According to tcpdump(1), you can access the IPv4 header's "Total Length" field:

  • ip[2:2] > 576
  • ip[2:2] <= 1000
  • and similar.

Total UDP packet or payload size

UDP doesn't have a length field, but its header size is always 8, and you can usually assume that the IPv4 header size will always be 20 (IPv4 options are very rare, although they do get used in IGMP).

So if you're trying to filter for 1316-byte UDP datagrams,

  • IP.TotalLength = IP.Header[20] + UDP.Header[8] + UDP.Payload[1316]

you get the filter ip[2:2] == 1344.

grawity
  • 501,077