tcpdump BPF Filter Reference

tcpdump BPF filter expressions — host, port, proto, flags — with combination logic.

Build and look up tcpdump/BPF capture filter expressions — host, net, port, protocol and TCP flag primitives — combined with and/or/not, with a live filter builder.

What is a BPF capture filter?

A Berkeley Packet Filter is a low-level expression the kernel uses to decide which packets to hand to tcpdump. Filters combine primitives like host, port and proto with the boolean operators and, or and not, evaluated per packet.

Build tcpdump BPF filters without guessing the syntax

tcpdump uses Berkeley Packet Filter expressions to capture only the traffic you care about. This tool lets you assemble a filter from host, network, port, protocol, direction and TCP-flag primitives, joining them with and/or/not, and includes a reference of the primitives. It runs entirely in your browser.

How it works

A BPF filter is a boolean expression over per-packet primitives. Common primitives are host, net, port, portrange, a bare protocol name (tcp, udp, icmp), and direction qualifiers src/dst. Combine them with and, or and not, using parentheses (quoted in the shell) for grouping:

tcpdump -i eth0 "tcp and host 10.0.0.5 and port 443"
tcpdump -i any "udp port 53 or icmp"
tcpdump -i eth0 "tcp[tcpflags] & tcp-syn != 0 and not net 10.0.0.0/8"

Tips and examples

  • Always quote the filter expression so the shell does not interpret parentheses, <, > or &.
  • tcp[tcpflags] & tcp-syn != 0 catches connection attempts; combine with and tcp[tcpflags] & tcp-ack == 0 to find bare SYNs (no ACK).
  • Use -n to skip DNS resolution and -nn to also skip port-name lookup, keeping the capture fast and the output literal.
  • Capture filters run in the kernel and drop non-matching packets entirely, unlike Wireshark display filters that only hide captured packets.
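A small filter builder in the spirit of the in-browser tool described above, as an added example that is not the page's own code: it validates the host, net, port, portrange, protocol, direction and TCP-flag primitives from the sections above, joins them with and/or/not (parenthesising or-groups), and single-quotes the result for a POSIX shell. The helper names and the use of single rather than double quotes are this example's own choices.

```javascript
// Added example (not the page's own tool): compose validated tcpdump/BPF
// capture-filter fragments and quote the result for a POSIX shell.
const PROTOS = new Set(['tcp', 'udp', 'icmp', 'ip', 'ip6', 'arp']);
const FLAGS = new Set(['tcp-syn', 'tcp-ack', 'tcp-fin', 'tcp-rst', 'tcp-push', 'tcp-urg']);

const isIPv4 = (s) => { const o = s.split('.'); return o.length === 4 && o.every(x => /^\d{1,3}$/.test(x) && Number(x) <= 255); };
const isCIDR = (s) => { const [ip, len, extra] = s.split('/'); return extra === undefined && isIPv4(ip) && /^\d{1,2}$/.test(len ?? '') && Number(len) <= 32; };
// Optional src/dst qualifier; omitted means "either direction".
const dir = (d) => { if (d === undefined) return ''; if (d !== 'src' && d !== 'dst') throw new Error('direction must be src or dst'); return d + ' '; };
const port = (n) => { if (!Number.isInteger(n) || n < 0 || n > 65535) throw new Error('bad port ' + n); return n; };

// Primitives: each returns a validated BPF fragment or throws.
const P = {
  host: (ip, d) => { if (!isIPv4(ip)) throw new Error('bad host ' + ip); return dir(d) + 'host ' + ip; },
  net: (c, d) => { if (!isCIDR(c)) throw new Error('bad net ' + c); return dir(d) + 'net ' + c; },
  port: (n, d) => dir(d) + 'port ' + port(n),
  portrange: (a, b, d) => { if (port(a) > port(b)) throw new Error('range reversed'); return dir(d) + 'portrange ' + a + '-' + b; },
  proto: (p) => { if (!PROTOS.has(p)) throw new Error('bad proto ' + p); return p; },
  // TCP flag test: of the flags in `mask`, exactly those in `set` are on.
  // tcpFlags(['tcp-syn'], ['tcp-syn','tcp-ack']) -> bare SYN with no ACK.
  tcpFlags: (set, mask = set) => {
    for (const f of [...set, ...mask]) if (!FLAGS.has(f)) throw new Error('bad flag ' + f);
    if (!set.every(f => mask.includes(f))) throw new Error('set must be within mask');
    const bits = (fs) => fs.length === 0 ? '0' : fs.length === 1 ? fs[0] : '(' + fs.join('|') + ')';
    return 'tcp[tcpflags] & ' + bits(mask) + ' == ' + bits(set);
  },
};

// Combinators. `and` binds tighter than `or` in BPF, so an `or` group nested
// inside `and` (or under `not`) gets explicit parentheses.
const and = (...t) => t.map(x => / or /.test(x) ? '(' + x + ')' : x).join(' and ');
const or = (...t) => t.join(' or ');
const not = (t) => 'not ' + (/ (and|or) /.test(t) ? '(' + t + ')' : t);

// Single quotes stop the shell from touching parentheses, <, >, & and |.
const shellQuote = (expr) => "'" + expr.replace(/'/g, "'\\''") + "'";
const tcpdumpCommand = (iface, expr) => 'tcpdump -nn -i ' + iface + ' ' + shellQuote(expr);

// Constructed example: the bare-SYN tip above, excluding an internal /8.
const bareSyn = and(P.tcpFlags(['tcp-syn'], ['tcp-syn', 'tcp-ack']), not(P.net('10.0.0.0/8')));
console.log(tcpdumpCommand('eth0', bareSyn));
```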