tcpdump filter for out/in traffic

Daniel O'Connor doconnor at
Sun Jan 4 23:36:27 UTC 2009

On Monday 05 January 2009 02:26:38 Eugene Grosbein wrote:
> On Sun, Jan 04, 2009 at 04:05:00PM +0200, KES wrote:
> > It would be very useful to have options for tcpdump to monitor
> > incoming or outgoing traffic regardless of src/dst IPs or ports or
> > protocol
> >
> > For example:
> >
> > kes# tcpdump -n -i rl4 out
> > EXPECTED: show traffic outgoing on rl4
> > ACTUAL: tcpdump: syntax error
> >
> > kes# tcpdump -n -i rl4 in
> > EXPECTED: show traffic incoming on rl4
> > ACTUAL: tcpdump: syntax error
> Hi!
> I use the following trick for that:
> tcpdump -n -p -i rl4 ether src me-rl4     # for outgoing
> tcpdump -n -p -i tl4 not ether src me-rl4 # for incoming
> And add MAC-address of rl4 to /etc/ethers with name 'me-rl4'
> or just 'me' if you need not watch other interfaces this way.

I think it's more a question for the tcpdump maintainers.

Also, in & out don't necessarily mean traffic from your MAC address or the
inverse. E.g. if you are running a bridge then in & out will mean something

Daniel O'Connor software and network engineer
for Genesis Software -
"The nice thing about standards is that there
are so many of them to choose from."
  -- Andrew Tanenbaum
GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C
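
Added example (not part of the original message and not tcpdump code): a small Python model of the "ether src me-rl4" trick quoted above, run over constructed Ethernet frames, showing the bridge case where the source-MAC test reports the wrong direction. The MAC addresses, the SAMPLES list and all function names are assumptions made for illustration.

```python
import struct

# Assumed MAC address of rl4, i.e. what the 'me-rl4' entry in /etc/ethers would hold.
IFACE_MAC = "00:11:22:33:44:55"

def mac_bytes(mac):
    return bytes(int(part, 16) for part in mac.split(":"))

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def frame(dst, src, ethertype=0x0800, payload=b"\x00" * 46):
    """Build a constructed Ethernet II frame: dst(6) src(6) type(2) payload."""
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload

def classify_by_src_mac(raw, iface_mac=IFACE_MAC):
    """Mimic 'ether src me-rl4' (out) versus 'not ether src me-rl4' (in)."""
    if len(raw) < 14:
        raise ValueError("truncated Ethernet header")
    src = mac_str(raw[6:12])
    return "out" if src == iface_mac.lower() else "in"

# Constructed samples: (description, real direction on rl4, frame bytes).
# A bridge forwards frames without rewriting the source MAC, so the third
# frame leaves rl4 while still carrying another station's address.
SAMPLES = [
    ("host sends to peer", "out",
     frame("66:77:88:99:aa:bb", IFACE_MAC)),
    ("peer sends to host", "in",
     frame(IFACE_MAC, "66:77:88:99:aa:bb")),
    ("bridge forwards another station's frame out rl4", "out",
     frame("66:77:88:99:aa:bb", "02:00:00:00:00:01")),
]

def misclassified(samples=SAMPLES):
    """Return descriptions of frames where the MAC heuristic is wrong."""
    return [desc for desc, actual, raw in samples
            if classify_by_src_mac(raw) != actual]

if __name__ == "__main__":
    for desc, actual, raw in SAMPLES:
        print(f"{desc}: actual={actual} heuristic={classify_by_src_mac(raw)}")
    print("misclassified:", misclassified())
```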