0
votes

I am capturing some packets in my testing. I don't want to capture the packets with the same src and dst IP. How can I achieve this?

I tried the following:

tcpdump -i any '(not src host 10.10.10.10) and (not dst host 10.10.10.10)'

The resulting packet capture is not satisfactory, because I have some packets from src host 10.10.10.10 to dst host 10.10.10.20 and I need to capture them.

Can someone help me out? Thank you in advance.


1 Answer

0
votes

You could try:

tcpdump -i any 'not ((src host 10.10.10.10) and (dst host 10.10.10.10))'

And if you correctly apply De Morgan's Theorem, the following is also equivalent:

tcpdump -i any '(not src host 10.10.10.10) or (not dst host 10.10.10.10)'

And if you append tcpdump's -d option to both, you will see that they are in fact equivalent by the resulting compiled packet-matching code. I get the following for both:

(000) ldh      [14]
(001) jeq      #0x800           jt 2    jf 6
(002) ld       [28]
(003) jeq      #0xa0a0a0a       jt 4    jf 13
(004) ld       [32]
(005) jeq      #0xa0a0a0a       jt 12   jf 13
(006) jeq      #0x806           jt 8    jf 7
(007) jeq      #0x8035          jt 8    jf 13
(008) ld       [30]
(009) jeq      #0xa0a0a0a       jt 10   jf 13
(010) ld       [40]
(011) jeq      #0xa0a0a0a       jt 12   jf 13
(012) ret      #0
(013) ret      #65535
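To see why the listing above drops only the src == dst == 10.10.10.10 packets, here is an added example (not part of the answer) that executes that exact compiled program over constructed frames. It assumes the listing was compiled for the Linux "cooked" capture format that `-i any` uses (16-byte header, so the protocol field is at offset 14 and the IPv4 src/dst addresses at 28/32), which is what the offsets in the listing correspond to; the packets are built inline and the interpreter covers only the four opcodes the listing uses.

```python
import ipaddress, struct

# The filter exactly as `tcpdump -d` printed it in the answer; offsets are those of the
# Linux "cooked" capture that `-i any` uses (proto at [14], IPv4 src/dst at [28]/[32]).
BPF_LISTING = """\
(000) ldh      [14]
(001) jeq      #0x800           jt 2    jf 6
(002) ld       [28]
(003) jeq      #0xa0a0a0a       jt 4    jf 13
(004) ld       [32]
(005) jeq      #0xa0a0a0a       jt 12   jf 13
(006) jeq      #0x806           jt 8    jf 7
(007) jeq      #0x8035          jt 8    jf 13
(008) ld       [30]
(009) jeq      #0xa0a0a0a       jt 10   jf 13
(010) ld       [40]
(011) jeq      #0xa0a0a0a       jt 12   jf 13
(012) ret      #0
(013) ret      #65535
"""

def parse_listing(text):
    # Turn the textual listing into (op, k, jt, jf) tuples.
    prog = []
    for p in (line.split() for line in text.strip().splitlines()):
        if p[1] in ("ld", "ldh"):      # absolute load, k = byte offset
            prog.append((p[1], int(p[2].strip("[]")), 0, 0))
        elif p[1] == "jeq":            # if A == k goto jt else goto jf
            prog.append(("jeq", int(p[2][1:], 16), int(p[4]), int(p[6])))
        else:                          # ret: bytes to keep, 0 means drop
            prog.append(("ret", int(p[2][1:]), 0, 0))
    return prog

def run_bpf(prog, pkt):
    # Tiny classic-BPF interpreter covering just the opcodes the listing uses.
    a, pc = 0, 0
    while True:
        op, k, jt, jf = prog[pc]
        if op == "jeq":
            pc = jt if a == k else jf
        elif op == "ret":
            return k
        else:                          # ld = 4 bytes, ldh = 2 bytes, big-endian
            size = 4 if op == "ld" else 2
            if k + size > len(pkt):    # out-of-range load rejects the packet
                return 0
            a, pc = int.from_bytes(pkt[k:k + size], "big"), pc + 1

def sll_ipv4(src, dst):
    # Constructed sample frame: 16-byte Linux cooked header + minimal IPv4 header.
    sll = struct.pack("!HHH8sH", 0, 1, 6, bytes(8), 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return sll + ip

def filter_keeps(src, dst):
    # True when the compiled filter passes an IPv4 packet from src to dst.
    return run_bpf(parse_listing(BPF_LISTING), sll_ipv4(src, dst)) != 0
```

Running `filter_keeps("10.10.10.10", "10.10.10.10")` reaches instruction 012 and returns 0 (dropped), while `filter_keeps("10.10.10.10", "10.10.10.20")` falls through to 013 and is kept, which is exactly the behaviour the question asked for.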