4
votes

I'm dumping outgoing traffic. I only want TCP and UDP packets destined outside my LAN, nothing else. I just used the following filter with tcpdump:

ip and (tcp or udp) and (not icmp) and src host myIPAddr and not dst net myNet/myNetBits and not ip broadcast

But I captured the following packet:

###[ Ethernet ]###
  dst       = ff:ff:ff:ff:ff:ff
  src       = 00:1e:4a:e0:9e:00
  type      = 0x806
###[ ARP ]###
     hwtype    = 0x1
     ptype     = 0x800
     hwlen     = 6
     plen      = 4
     op        = who-has
     hwsrc     = 00:1e:4a:e0:9e:00
     psrc      = X.X.X.X
     hwdst     = 00:00:00:00:00:00
     pdst      = Y.Y.Y.Y
###[ Padding ]###
        load      = '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'

What happened here? I thought I was dumping only IP packets.


2 Answers

4
votes

Set filtering on your host as a source:

tcpdump src <YOUR_IP>
1
votes

From looking at your dump, you received an ARP packet with the IP protocol type (i.e. ptype = 0x800). You should also filter out ARP packets with and (not arp), and that should clean up your dump. I think if you look at the tcpdump code you will find the reason why it also keeps these specific ARP packets (but since IP uses these packets for network resolution, I guess these ARP packets are considered part of IP by tcpdump).

Kind regards,
Bo
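As an added illustration (not code from the question or from either answer), the following Python mirrors the intent of the filter in the question against hand-built frames, so you can see which part of the expression each sample frame is supposed to fail. In BPF the ip primitive is an EtherType test (0x0800), so a frame with EtherType 0x0806 (ARP) is rejected before any IP field, including the ARP ptype, is looked at. The addresses 192.168.1.10 and 192.168.1.0/24 stand in for myIPAddr and myNet/myNetBits, 203.0.113.5 is a constructed "outside the LAN" address, and the ip broadcast primitive is approximated as the directed broadcast of that network plus 255.255.255.255 (an assumption; tcpdump derives it from the capture interface's netmask).

```python
import struct
import ipaddress

# EtherTypes and IP protocol numbers below are the real IANA values.
ETHERTYPE_IP = 0x0800
ETHERTYPE_ARP = 0x0806
PROTO_ICMP = 1
PROTO_TCP = 6
PROTO_UDP = 17

MY_IP = "192.168.1.10"       # stands in for 'myIPAddr' (constructed)
MY_NET = "192.168.1.0/24"    # stands in for 'myNet/myNetBits' (constructed)


def matches_filter(frame, my_ip=MY_IP, my_net=MY_NET):
    """Return True when a raw Ethernet frame satisfies the intent of
    'ip and (tcp or udp) and src host my_ip and not dst net my_net and not ip broadcast'.
    'ip broadcast' is approximated as the directed broadcast of my_net plus
    255.255.255.255 (assumption: real BPF takes it from the interface netmask)."""
    if len(frame) < 14:
        return False
    ethertype = struct.unpack("!H", frame[12:14])[0]
    # The 'ip' primitive is an EtherType test: ARP (0x0806) fails right here,
    # regardless of what its ptype field says.
    if ethertype != ETHERTYPE_IP:
        return False
    ip_hdr = frame[14:]
    if len(ip_hdr) < 20 or ip_hdr[0] >> 4 != 4:
        return False
    proto = ip_hdr[9]
    src = ipaddress.IPv4Address(ip_hdr[12:16])
    dst = ipaddress.IPv4Address(ip_hdr[16:20])
    net = ipaddress.IPv4Network(my_net, strict=False)
    if proto not in (PROTO_TCP, PROTO_UDP):   # '(tcp or udp)'; this alone drops ICMP
        return False
    if src != ipaddress.IPv4Address(my_ip):   # 'src host myIPAddr'
        return False
    if dst in net:                            # 'not dst net myNet/myNetBits'
        return False
    if dst in (net.broadcast_address, ipaddress.IPv4Address("255.255.255.255")):
        return False                          # 'not ip broadcast' (approximation)
    return True


def build_ipv4_frame(src_ip, dst_ip, proto, payload=b""):
    """Ethernet + minimal IPv4 header (checksum left zero; the filter never reads it)."""
    eth = bytes(6) + bytes.fromhex("001e4ae09e00") + struct.pack("!H", ETHERTYPE_IP)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip_hdr + payload


def build_arp_request(sender_ip, target_ip):
    """Broadcast ARP who-has laid out like the packet in the question, plus its 18 padding bytes."""
    sender_mac = bytes.fromhex("001e4ae09e00")
    eth = b"\xff" * 6 + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, ETHERTYPE_IP, 6, 4, 1, sender_mac,
                      ipaddress.IPv4Address(sender_ip).packed, bytes(6),
                      ipaddress.IPv4Address(target_ip).packed)
    return eth + arp + bytes(18)


def classify_samples():
    """Run constructed frames through the matcher; the key names say what each case is."""
    samples = {
        "tcp_to_internet": build_ipv4_frame(MY_IP, "203.0.113.5", PROTO_TCP),
        "udp_to_internet": build_ipv4_frame(MY_IP, "203.0.113.5", PROTO_UDP),
        "udp_to_lan_host": build_ipv4_frame(MY_IP, "192.168.1.20", PROTO_UDP),
        "icmp_to_internet": build_ipv4_frame(MY_IP, "203.0.113.5", PROTO_ICMP),
        "tcp_from_other_host": build_ipv4_frame("192.168.1.99", "203.0.113.5", PROTO_TCP),
        "arp_who_has": build_arp_request(MY_IP, "192.168.1.1"),
    }
    return {name: matches_filter(frame) for name, frame in samples.items()}


if __name__ == "__main__":
    for name, matched in classify_samples().items():
        print(f"{name:22s} {'keep' if matched else 'drop'}")
```

Only the two TCP/UDP frames to 203.0.113.5 are kept; the LAN-bound, ICMP, foreign-source and ARP frames are all dropped. If you want to compare this with what tcpdump itself compiles, tcpdump -d prints the BPF program for a filter expression, and its first instructions are the EtherType load and compare that the ip primitive turns into.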