
I wish to capture tcpdump traffic on two different ports simultaneously.

I tried this:

  $ tcpdump port 21 ; tcpdump port 22

Although it worked, the problem is that first it will wait for traffic on port 21, and only when interrupted will it wait for port 22.

Another problem is that it will not capture the traffic on port 22 until traffic on port 21 has been captured.

I want an order-free solution, meaning that in whatever order packets arrive, if they are for port 21 or 22 they should be captured.

Please help me on this !!!

EDIT:

Sorry, I did not specify it before; the actual command I am trying to run is this:

  $ tcpdump -X -s0 protochain 50

and

  $ tcpdump -X -s0 protochain 51

Now I need to use 50 and 51 both simultaneously.

Udit Gupta
    Possible duplicate of [Monitoring multiple ports in tcpdump](https://stackoverflow.com/questions/2187932/monitoring-multiple-ports-in-tcpdump) – Vadzim Nov 28 '18 at 20:02

4 Answers


I am no tcpdump expert, but I found this in the tcpdump manpage:

tcpdump 'gateway snup and (port ftp or ftp-data)'

So try this:

tcpdump '(port ftp or ftp-data)'
Daniel Böhmer
  • @UditGupta: You might want to post your own answer to this question if you needed to adapt the code above. Would help others with the same question. – Daniel Böhmer Nov 30 '11 at 10:23

Hi, you just need to compose two ports like this:

tcpdump -n -i $INTERFACE port 21 or port 22

where -n gives numerical addresses without reverse resolving (faster)
and $INTERFACE is the real interface on which you sniff traffic.

eeerahul
taho

Like other contributors said, you can use the and logical operator, but be aware that you can also use it in conjunction with other operators. To ensure that tcpdump sees them, and that the operator precedence is the one you want, use brackets, but only within single quotes, as in the example below: sudo tcpdump -i eth0 '(port 465 or port 587)' and src 1.2.3.4, because a) if you omit the single quotes, your shell may interpret them before tcpdump does, and b) you will not be certain of the operators' precedence relative to one another. Armed with this, you may now do any combination, just like in arithmetic.

Fabien Haddadi
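The two answers above both build one filter out of several terms (eeerahul's port 21 or port 22, and the parenthesised, single-quoted group in the answer just above). As an added example that is not part of any answer on this page, the POSIX shell script below assembles such a group for any qualifier (port, or the question's protochain), adds the and src restriction, and then compiles each expression with tcpdump -d against a header-only pcap file it writes itself, so the syntax and precedence can be checked without an interface, without root and without capturing anything. The function names, the 24 constructed header bytes and the sample values are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from any answer on this page: build a tcpdump
# filter that matches any of several ports (or protochain numbers) at once,
# then compile it with "tcpdump -d" to confirm the syntax and precedence.

# build_group QUALIFIER VALUE...  ->  "(QUALIFIER V1 or QUALIFIER V2 ...)"
# Spelling the qualifier out for every value and wrapping the group in
# parentheses keeps a later "and src ..." from binding to the last term only.
build_group() {
    [ $# -ge 2 ] || { echo "build_group: need a qualifier and a value" >&2; return 1; }
    qual=$1; shift
    group=""
    for v in "$@"; do
        case "$v" in
            ''|*[!0-9]*) echo "build_group: '$v' is not a number" >&2; return 1 ;;
        esac
        if [ -z "$group" ]; then
            group="$qual $v"
        else
            group="$group or $qual $v"
        fi
    done
    printf '(%s)\n' "$group"
}

# restrict_to_src GROUP ADDRESS -> "GROUP and src ADDRESS"
restrict_to_src() {
    printf '%s and src %s\n' "$1" "$2"
}

# check_filter EXPR: compile EXPR the way tcpdump would for an Ethernet
# capture. A header-only pcap file (24 constructed bytes, no packets) is
# enough for "tcpdump -r FILE -d EXPR" to parse the filter and exit.
# Returns 0 for a valid filter, tcpdump's non-zero status for a bad one,
# and 2 when tcpdump is not installed (the check is simply skipped).
check_filter() {
    command -v tcpdump >/dev/null 2>&1 || return 2
    tmp=$(mktemp) || return 3
    # pcap global header, little-endian: magic a1b2c3d4, version 2.4,
    # thiszone 0, sigfigs 0, snaplen 65535, linktype 1 (Ethernet)
    printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000' > "$tmp"
    tcpdump -r "$tmp" -d "$1" >/dev/null 2>&1
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Demo: the two cases from this page plus the source restriction.
ports=$(build_group port 21 22)                # (port 21 or port 22)
chains=$(build_group protochain 50 51)         # (protochain 50 or protochain 51)
scoped=$(restrict_to_src "$(build_group port 465 587)" 1.2.3.4)
for f in "$ports" "$chains" "$scoped"; do
    rc=0
    check_filter "$f" || rc=$?
    case $rc in
        0) echo "ok:      $f" ;;
        2) echo "skipped: $f (tcpdump not installed)" ;;
        *) echo "BAD:     $f (tcpdump exit $rc)" ;;
    esac
done
```

When the expression is passed to a real capture, keep it in single quotes exactly as the answer above says: the parentheses are shell metacharacters, and the quotes are what guarantee tcpdump, not the shell, parses the group.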

Problem solved. It was actually very simple; I should have tried it before.

But thanks, I got my idea just by looking at your answers.

I think it is the beauty of stackoverflow: if we could find an exact answer, we can invent it through the discussion.

  $ tcpdump -X -s0 protochain 50 or 51
Udit Gupta