I recently wanted to look at some packet captures on my NTP pool servers and find out if any NTP clients hitting my servers use extension fields or legacy MACs. Because the overall number of NTP packets is quite large, I didn’t want to spool all NTP packets to disk then later filter with a Wireshark display filter – I wanted to filter at the capture stage.
I started searching and found that not many quick guides exist to do this in the capture filter. However, the capability is there in both tcpdump and tshark, using either indexing into the UDP header, or using the overall captured frame length. Here’s an example of tcpdump doing the former (displaying it to the terminal), and tshark doing the latter (writing it to a file):
tcpdump -i eth0 -n -s 0 -vv 'udp port 123 and udp[4:2] > 56' tshark -i eth0 -n -f 'udp port 123 and greater 91' -w file.pcap
Both of the above filters are designed to capture NTP packets greater than the most common 48-byte UDP payload. In the case of udp[4:2], we’re using the UDP header’s 16-bit length field, which includes the header itself. In the case of greater, it uses the overall captured frame length, and actually means greater-than-or-equal-to (i.e. the same as the >= operator); see the pcap-filter(7) man page for more details.