Capture inbound packets only
For example, with tcpdump, on some platforms something like tcpdump -i eth0 -Q in will capture inbound traffic on eth0. Is there something similar for tshark
1 Answer
- Sort by
oldest newest most voted
0
How about this:
tshark -i 1 -f "ether dst 00:11:22:33:44:55"
-i specifies the interface. You might want to change the number to something that matches your needs. Use tshark -D to list all interfaces
Comments
unless you want multicast and broadcast traffic too...
I played with something similar. The thing with this is that there are inbound packets that have destination mac other than the mac of the interface.
Or use the 'any' pseudo interface in case of Linux, in combination with the BPF filter inbound (or ether[10] != 4 on older versions)
This means 'Linux cooked' header / packet type is not 'Sent by us', thus incoming unicast/broadcast/multicast traffic.
tshark -w file.pcapng -i any inbound
Or similarly not ether src <my-mac>
Your Answer
Please start posting anonymously - your entry will be published after you log in or create a new account.
This space is reserved only for answers. If you would like to engage in a discussion, please instead post a comment under the question or an answer that you would like to discuss.
Comments
What operating system?
On linux (YMMV), you could use
inboundoroutboundas a capture filter:pcap-filter.7 man page
Open issue to implement in
npcapon Windows:248: Support pcap_setdirection() for filtering packets by direction (sent or received)
Note that the "filtering" in "Support pcap_setdirection() for filtering packets by direction (sent or received)" is not filtering with a capture filter expression, it's filtering in a program that explicitly calls
pcap_setdirection(), which tcpdump does (that's how-Qis implemented), but Wireshark does not.inbound"compiles" on Ubuntu with Wireshark 3.5.0rc0. Is that a bug?No. As @Chuckc said, "On linux (YMMV), you could use
inboundoroutboundas a capture filter:"