TCPDUMP - Capturing Packets on Multiple IP Addresses (Filter)

What I need to do (via 'tcpdump' through Linux):

• ECommerce App Servers: 192.168.1.2, 192.168.1.3, 192.168.1.4. This is what I want to capture on (filtered on these exact IPs). Not an IP range (subnet) or an individual IP address, just several IP addresses/servers.

• There are other applications within this range, e.g. PayRoll App is on 192.168.1.5, and I don't want to see any of this traffic in my capture.

I have tried:

tcpdump 0 "/tmp" "host 192.168.1.2 or host 192.168.1.3 or host 192.168.1.4" 100000

and also:

tcpdump 0 "/tmp" "ip.host==192.168.1.2 or ip.host==192.168.1.3 or ip.host==192.168.1.4" 100000

Both return syntax errors.

Any help is much appreciated.


Solution 1:

The basic syntax in your case would be

tcpdump -i <interface to capture on> <filters>

The <filters> would expand to something like

'(host 192.168.1.2 or host 192.168.1.3 or host 192.168.1.4) and (port 80 or port 443)'

if your eCommerce application uses ports 80 and 443 for communications. The single quotes are important; otherwise your shell might treat the brackets (), which are needed for grouping parameters, as special characters.

Adding the -v and -n parameters at the beginning (tcpdump -v -n -i ...) would add verbosity to the output and disable name resolution (speeds up output).

Solution 2:

tcpdump -vvv -enni <interface> host 192.168.1.2 or host 192.168.1.3 or host 192.168.1.4 and port XYX -s0 -w /var/tmp/yourfile.pcap

This filter captures port XYX only for 192.168.1.4 and all traffic for other hosts.
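Both answers turn on how libpcap combines host and port primitives, so here is an added worked example that is not from the question or either answer: a toy Python evaluator for a small subset of pcap-filter syntax, run over a constructed set of packets in place of a live interface. It applies the combination rule that pcap-filter(7) documents, namely that and/or have equal precedence and associate left to right, and shows that only the parentheses used in Solution 1 reliably keep the PayRoll host out while restricting the eCommerce hosts to their application ports.

```python
import re

# Constructed sample traffic (src_ip, dst_ip, src_port, dst_port), not a real capture.
PACKETS = [
    ("10.0.0.9", "192.168.1.2", 51000, 443),  # eCommerce server, HTTPS
    ("10.0.0.9", "192.168.1.3", 51001, 22),   # eCommerce server, SSH
    ("10.0.0.9", "192.168.1.4", 51002, 22),   # eCommerce server, SSH
    ("10.0.0.9", "192.168.1.5", 51003, 443),  # PayRoll server, must never match
]
GROUPED = ("(host 192.168.1.2 or host 192.168.1.3 or host 192.168.1.4)"
           " and (port 80 or port 443)")  # Solution 1's parenthesised filter
UNGROUPED = "port 443 and host 192.168.1.2 or host 192.168.1.3"  # and/or mixed, no ()
TOKEN = re.compile(r"[()]|[^\s()]+")  # parentheses are tokens of their own

def combine(op, left, right):
    if op == "and":
        return lambda pk: left(pk) and right(pk)
    return lambda pk: left(pk) or right(pk)

def compile_filter(expr):
    """Toy compiler for a pcap-filter subset (host, port, and, or, parentheses).
    Per pcap-filter(7), 'and' and 'or' have EQUAL precedence and associate left
    to right, so without parentheses the order you write the terms decides."""
    toks = TOKEN.findall(expr)[::-1]  # reversed so pop() yields the next token
    def primary():
        tok = toks.pop()
        if tok == "(":
            inner = expression()
            if toks.pop() != ")":
                raise ValueError("unbalanced parenthesis")
            return inner
        if tok == "host":
            ip = toks.pop()
            return lambda pk: ip in (pk[0], pk[1])  # either direction, like tcpdump
        if tok == "port":
            port = int(toks.pop())
            return lambda pk: port in (pk[2], pk[3])
        raise ValueError(f"unsupported primitive {tok!r}")

    def expression():
        left = primary()
        while toks and toks[-1] in ("and", "or"):
            left = combine(toks.pop(), left, primary())
        return left

    return expression()

def matching(expr, packets=PACKETS):
    pred = compile_filter(expr)  # dst:port of every sample packet the filter keeps
    return [f"{pk[1]}:{pk[3]}" for pk in packets if pred(pk)]
```

matching(GROUPED) keeps only 192.168.1.2:443, while matching(UNGROUPED) also lets the SSH session to 192.168.1.3 through, because the port test bound only to the first host.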