I need to capture on an interface with tcpdump and filter out all arp and stp/rstp packets. I tried this command, which does filter out arp, but I still see rstp packets:
tcpdump -n -i ens224 not arp and not stp
Also tried this, still see rstp packets
tcpdump -n -i ens224 not stp
What am I doing wrong?
I read this post already but its not helpful in the context of tcpdump, looking for specific syntax: how to filter rtsp packets from a pcap file
On
You can filter the well known multicast mac address for each protocol. Look at this table:
https://embeddist.wordpress.com/2015/10/07/well-known-ethernet-multicast-address/ and https://en.wikipedia.org/wiki/Multicast_address#Ethernet
And you can something like this:
(RSTP)
tcpdump -n -i <interface> ether host 01:00:0c:cc:cc:cd
(CDP)
tcpdump -n -i <interface> ether host 01:00:0c:cc:cc:cc
(LLDP)
tcpdump -n -i <interface> ether host 01:80:c2:00:00:0e
You are not doing wrong. It's about how libpcap and vendors are reading/writing headers. To remove STP 802.1d lines I use this command:
tcpdump -i eth0 not arp and not llcBest regards