tcpdump – Traffic Not Showing When Using Filter in tcpdump

tcpdump

I have a server that is receiving traffic from a mirror port on a switch. The interface that is connected to this mirror port is in promisc mode. When I use just a plain catch all tcpdump on the interface, like

tcpdump -nn -i eth1

I see a ton of traffic. I can even grep this for certain things like, say, port 443.

tcpdump -nn -i eth1 | grep 443

Obviously this shows anything that has a 443 in it, not just port 443. I have visually inspected it, and I do see stuff like this:

15:08:08.112550 IP 12.34.56.78.1430 > 87.65.43.21.443: . ack 35124 win 32768

But I want just port 443 so…

tcpdump -nn -i eth1 port 443
...
0 packets captured

Weird. I am not seeing any traffic when I use a filter. I have tried "ip port", "dst port", and a few other filters. I have also tried filtering by the IP instead of port. Nothing.

eth1      Link encap:Ethernet  HWaddr 00:24:81:A5:AD:7A  
          inet6 addr: fe80::224:81ff:fea5:ad7a/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:4114781478 errors:0 dropped:1 overruns:0 frame:0
          TX packets:17 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2240970313430 (2.0 TiB)  TX bytes:15155497 (14.4 MiB)
          Interrupt:98 Memory:fa000000-fa012800 

This interface has seen a ton of traffic. And my filter is valid, right? Why do I not see anything?

Best Answer

A possible reason is that tcpdump has received a packet which is either encapsulated into another protocol or a frame which, for example, has been tagged with a VLAN ID.

You do not see this in tcpdump's output as you have not specified any verbosity arguments, but your filter does not match as your port 443 would basically imply not vlan and (proto tcp or proto udp) and port 443.

You also could verify this by dumping the frame in hex using -xx and analyzing the frame data. If you know the VID in question, simply add and vlan <VID> to your filter to get the packets captured.
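To make the answer's point concrete, here is an added example (not part of the original question or answer) that dissects two hand-constructed Ethernet frames, one plain and one 802.1Q-tagged, and compares what a fixed-offset `port 443` check sees against a VLAN-aware check. The MAC addresses, IPs, ports and VID are example values; IP and TCP checksums are left as zero because nothing here validates them, and IPv6 is ignored for brevity.

```python
"""Why 'port 443' misses VLAN-tagged frames: a minimal Ethernet/802.1Q/IPv4/TCP dissector.

Added example, not code from the original post.  Frames are constructed inline.
"""
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_8021Q = 0x8100
IPPROTO_TCP = 6
IPPROTO_UDP = 17


def build_frame(vid=None, sport=1430, dport=443):
    """Construct an Ethernet frame carrying IPv4/TCP, optionally 802.1Q-tagged.

    Addresses and ports mirror the question's sample line (example values only).
    """
    dst = bytes.fromhex("001122334455")          # example MACs
    src = bytes.fromhex("002481a5ad7a")
    # TCP: sport, dport, seq, ack, data offset (5 words), flags (ACK), window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 35124, 5 << 4, 0x10, 32768, 0, 0)
    # IPv4: ver/ihl, tos, total len, id, flags/frag, ttl, proto, csum (0), src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     bytes([12, 34, 56, 78]), bytes([87, 65, 43, 21]))
    if vid is None:
        return dst + src + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp
    tci = vid & 0x0FFF                             # PCP=0, DEI=0, VID
    # A tag inserts 4 bytes (TPID 0x8100 + TCI) before the real ethertype.
    return dst + src + struct.pack("!HHH", ETHERTYPE_8021Q, tci, ETHERTYPE_IPV4) + ip + tcp


def hexdump(frame):
    """Render a frame the way 'tcpdump -xx' prints it, so the 8100 tag is visible."""
    lines = []
    for off in range(0, len(frame), 16):
        chunk = frame[off:off + 16]
        words = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        lines.append(f"0x{off:04x}:  {words}")
    return lines


def parse_frame(frame):
    """Dissect a frame; vid is None when it carries no 802.1Q tag."""
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    vid, l3 = None, 14
    if ethertype == ETHERTYPE_8021Q:
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vid, l3 = tci & 0x0FFF, 18                 # IP header now starts 4 bytes later
    info = {"ethertype": ethertype, "vid": vid, "proto": None, "sport": None, "dport": None}
    if ethertype != ETHERTYPE_IPV4:
        return info
    ihl = (frame[l3] & 0x0F) * 4
    info["proto"] = frame[l3 + 9]
    frag_offset = struct.unpack_from("!H", frame, l3 + 6)[0] & 0x1FFF
    if info["proto"] in (IPPROTO_TCP, IPPROTO_UDP) and frag_offset == 0:
        info["sport"], info["dport"] = struct.unpack_from("!HH", frame, l3 + ihl)
    return info


def naive_port_match(frame, port):
    """What 'port 443' alone does: it expects the IPv4 ethertype at byte 12,
    so a tagged frame (0x8100 there) never matches, whatever is inside it."""
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return False
    info = parse_frame(frame)
    return port in (info["sport"], info["dport"])


def vlan_port_match(frame, port, vid=None):
    """What 'vlan [VID] and port 443' does: require a tag, optionally a specific
    VID, and decode the IP header at the shifted offset."""
    info = parse_frame(frame)
    if info["vid"] is None or (vid is not None and info["vid"] != vid):
        return False
    return port in (info["sport"], info["dport"])


def any_port_match(frame, port):
    """'port 443 or (vlan and port 443)': catches both tagged and untagged traffic."""
    return naive_port_match(frame, port) or vlan_port_match(frame, port)


if __name__ == "__main__":
    for label, frame in (("untagged", build_frame()), ("vlan 100", build_frame(vid=100))):
        print(label, parse_frame(frame),
              "naive:", naive_port_match(frame, 443),
              "vlan-aware:", vlan_port_match(frame, 443))
        print("\n".join(hexdump(frame)[:2]))
```

The same logic applies at the tcpdump prompt: `tcpdump -nn -e -i eth1 vlan and port 443` captures tagged traffic and the `-e` flag prints the 802.1Q tag and VID in each line, `vlan 100 and port 443` restricts it to one VID, and `'port 443 or (vlan and port 443)'` catches both tagged and untagged frames (the `vlan` keyword shifts decoding offsets for everything after it in the expression, so it must come before `port`). One caveat to keep in mind: some NICs strip VLAN tags in hardware before the kernel sees the frame, in which case the tag does not show up in `-xx` output at all and the untagged filter is the one that matches.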