tcpdump filter out arp and all stp packets

About

Asked 18/5, 2021 at 17:58 Answered 10/11, 2021 at 18:58

I need to capture on an interface with tcpdump and filter out all arp and stp/rstp packets. I tried this command, which does filter out arp, but I still see rstp packets:

tcpdump -n -i ens224 not arp and not stp

Also tried this, still see rstp packets

tcpdump -n -i ens224 not stp

What am I doing wrong?

I read this post already but its not helpful in the context of tcpdump, looking for specific syntax: how to filter rtsp packets from a pcap file

Cuttie answered 18/5, 2021 at 17:58 Comment(0)

You are not doing wrong. It's about how libpcap and vendors are reading/writing headers. To remove STP 802.1d lines I use this command:

tcpdump -i eth0 not arp and not llc

Best regards

Gauthier answered 18/8, 2021 at 14:22 Comment(0)

You can filter the well known multicast mac address for each protocol. Look at this table:

https://embeddist.wordpress.com/2015/10/07/well-known-ethernet-multicast-address/ and https://en.wikipedia.org/wiki/Multicast_address#Ethernet

And you can something like this:

(RSTP)

tcpdump -n -i <interface> ether host 01:00:0c:cc:cc:cd

(CDP)

tcpdump -n -i <interface> ether host 01:00:0c:cc:cc:cc

(LLDP)

tcpdump -n -i <interface> ether host 01:80:c2:00:00:0e

Cease answered 10/11, 2021 at 18:58 Comment(0)

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

Recommended topics

Hot tags