Dump IP header / Source IP / Destination IP / TTL ************************************************************************ IP Header: 20 octets minimum - 60 octets maximum (RFC 791) 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Version| IHL |Type of Service| Total Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Identification |Flags| Fragment Offset | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Time to Live | Protocol | Header Checksum | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Source Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Destination Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Options | Padding | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ************************************************************************ Version: 4 bits Version: 4 bits The Version field indicates the format of the internet header. This document describes version 4. IHL: 4 bits Internet Header Length is the length of the internet header in 32 bit words, and thus points to the beginning of the data. Note that the minimum value for a correct header is 5. Total Length: 16 bits Total Length is the length of the datagram, measured in octets, including internet header and data. All hosts must be prepared to accept datagrams of up to 576 octets. The number 576 is selected to allow a reasonable sized data block to be transmitted in addition to the required header information. For example, this size allows a data block of 512 octets plus 64 header octets to fit in a datagram. The maximal internet header is 60 octets, and a typical internet header is 20 octets. Time to Live: 8 bits This field indicates the maximum time the datagram is allowed to remain in the internet system. Protocol: 8 bits This field indicates the next level protocol used in the data portion of the internet datagram. The values for various protocols are specified in "Assigned Numbers" [RFC 790]. Decimal Octal Protocol Numbers ------- ----- ---------------- 1 1 ICMP 6 6 TCP 17 21 User Datagram Header Checksum: 16 bits A checksum on the header only. Since some header fields change (e.g., time to live), this is recomputed and verified at each point that the internet header is processed. The checksum algorithm is: The checksum field is the 16 bit one's complement of the one's complement sum of all 16 bit words in the header. For purposes of computing the checksum, the value of the checksum field is zero. This is a simple to compute checksum and experimental evidence indicates it is adequate, but it is provisional and may be replaced by a CRC procedure, depending on further experience. Source Address: 32 bits The source address. Destination Address: 32 bits The destination address. ************************************************************************ Dump IPv4 packets: server:~# tcpdump -i bond0 -c 4 -ennNN -xxXX -tttt -vvv -s15 '(link[14] & 0xf0 == 0x40)' tcpdump: listening on bond0, link-type EN10MB (Ethernet), snapshot length 15 bytes 2022-05-22 12:05:07.703159 d8:9d:67:1a:38:c5 > 1a:81:fb:cb:bd:7a, ethertype IPv4 (0x0800), length 75: [|ip] 0x0000: 1a81 fbcb bd7a d89d 671a 38c5 0800 45 .....z..g.8...E 2022-05-22 12:05:07.703427 1a:81:fb:cb:bd:7a > d8:9d:67:1a:38:c5, ethertype IPv4 (0x0800), length 190: [|ip] 0x0000: d89d 671a 38c5 1a81 fbcb bd7a 0800 45 ..g.8......z..E 2022-05-22 12:05:07.704718 d8:9d:67:1a:38:c5 > 1a:81:fb:cb:bd:7a, ethertype IPv4 (0x0800), length 66: [|ip] 0x0000: 1a81 fbcb bd7a d89d 671a 38c5 0800 45 .....z..g.8...E 2022-05-22 12:05:07.704777 d8:9d:67:1a:38:c5 > 1a:81:fb:cb:bd:7a, ethertype IPv4 (0x0800), length 75: [|ip] 0x0000: 1a81 fbcb bd7a d89d 671a 38c5 0800 45 .....z..g.8...E 4 packets captured 44 packets received by filter 0 packets dropped by kernel server:~# tcpdump -i bond0 -c 4 -ennNN -xxXX -tttt -vvv -s15 '(ip[0] & 0xf0 == 0x40)' tcpdump: listening on bond0, link-type EN10MB (Ethernet), snapshot length 15 bytes 2022-05-22 12:05:37.991396 1a:81:fb:cb:bd:7a > d8:9d:67:1a:38:c5, ethertype IPv4 (0x0800), length 190: [|ip] 0x0000: d89d 671a 38c5 1a81 fbcb bd7a 0800 45 ..g.8......z..E 2022-05-22 12:05:37.992495 d8:9d:67:1a:38:c5 > 1a:81:fb:cb:bd:7a, ethertype IPv4 (0x0800), length 66: [|ip] 0x0000: 1a81 fbcb bd7a d89d 671a 38c5 0800 45 .....z..g.8...E 2022-05-22 12:05:37.993357 d8:9d:67:1a:38:c5 > 1a:81:fb:cb:bd:7a, ethertype IPv4 (0x0800), length 66: [|ip] 0x0000: 1a81 fbcb bd7a d89d 671a 38c5 0800 45 .....z..g.8...E 2022-05-22 12:05:37.994035 d8:9d:67:1a:38:c5 > 1a:81:fb:cb:bd:7a, ethertype IPv4 (0x0800), length 84: [|ip] 0x0000: 1a81 fbcb bd7a d89d 671a 38c5 0800 45 .....z..g.8...E 4 packets captured 57 packets received by filter 0 packets dropped by kernel ************************************************************************ Dump UDP packets: 17 Decimal = 11 Hexadecimal server:~# tcpdump -i bond0 -c 4 -ennNN -xxXX -tttt -vvv -s24 ip and udp tcpdump: listening on bond0, link-type EN10MB (Ethernet), snapshot length 24 bytes 2022-05-25 13:52:15.875969 d8:9d:67:1a:38:c5 > 1a:81:fb:cb:bd:7a, ethertype IPv4 (0x0800), length 182: [|ip] 0x0000: 1a81 fbcb bd7a d89d 671a 38c5 0800 4500 .....z..g.8...E. 0x0010: 00a8 1b7c 0000 6811 ...|..h. 2022-05-25 13:52:15.889884 d8:9d:67:1a:38:c5 > 1a:81:fb:cb:bd:7a, ethertype IPv4 (0x0800), length 81: [|ip] 0x0000: 1a81 fbcb bd7a d89d 671a 38c5 0800 4500 .....z..g.8...E. 0x0010: 0043 b878 0000 3911 .C.x..9. 2022-05-25 13:52:15.889996 1a:81:fb:cb:bd:7a > d8:9d:67:1a:38:c5, ethertype IPv4 (0x0800), length 97: [|ip] 0x0000: d89d 671a 38c5 1a81 fbcb bd7a 0800 4500 ..g.8......z..E. 0x0010: 0053 3442 0000 4011 .S4B..@. 2022-05-25 13:52:15.895854 d8:9d:67:1a:38:c5 > 1a:81:fb:cb:bd:7a, ethertype IPv4 (0x0800), length 120: [|ip] 0x0000: 1a81 fbcb bd7a d89d 671a 38c5 0800 4500 .....z..g.8...E. 0x0010: 006a 7bcb 4000 3611 .j{.@.6. 4 packets captured 27 packets received by filter 0 packets dropped by kernel server:~# tcpdump -i bond0 -c 4 -ennNN -xxXX -tttt -vvv -s24 '(ip[0] & 0xf0 == 0x40)' and '(link[23] == 0x11)' tcpdump: listening on bond0, link-type EN10MB (Ethernet), snapshot length 24 bytes 2022-05-25 13:53:01.859639 d8:9d:67:1a:38:c5 > 1a:81:fb:cb:bd:7a, ethertype IPv4 (0x0800), length 296: [|ip] 0x0000: 1a81 fbcb bd7a d89d 671a 38c5 0800 4500 .....z..g.8...E. 0x0010: 011a bc83 0000 f511 ........ 2022-05-25 13:53:01.859659 d8:9d:67:1a:38:c5 > 1a:81:fb:cb:bd:7a, ethertype IPv4 (0x0800), length 81: [|ip] 0x0000: 1a81 fbcb bd7a d89d 671a 38c5 0800 4500 .....z..g.8...E. 0x0010: 0043 fbac 0000 6911 .C....i. 2022-05-25 13:53:01.859777 1a:81:fb:cb:bd:7a > d8:9d:67:1a:38:c5, ethertype IPv4 (0x0800), length 159: [|ip] 0x0000: d89d 671a 38c5 1a81 fbcb bd7a 0800 4500 ..g.8......z..E. 0x0010: 0091 bdc9 0000 4011 ......@. 2022-05-25 13:53:01.859840 d8:9d:67:1a:38:c5 > 1a:81:fb:cb:bd:7a, ethertype IPv4 (0x0800), length 1034: [|ip] 0x0000: 1a81 fbcb bd7a d89d 671a 38c5 0800 4500 .....z..g.8...E. 0x0010: 03fc d6e0 0000 3711 ......7. 4 packets captured 119 packets received by filter 0 packets dropped by kernel server:~# tcpdump -i bond0 -c 4 -ennNN -xxXX -tttt -vvv -s24 '(ip[0] & 0xf0 == 0x40)' and '(ip[9] == 0x11)' tcpdump: listening on bond0, link-type EN10MB (Ethernet), snapshot length 24 bytes 2022-05-25 13:54:05.994541 d8:9d:67:1a:38:c5 > 1a:81:fb:cb:bd:7a, ethertype IPv4 (0x0800), length 87: [|ip] 0x0000: 1a81 fbcb bd7a d89d 671a 38c5 0800 4500 .....z..g.8...E. 0x0010: 0049 6a76 0000 7811 .Ijv..x. 2022-05-25 13:54:05.994542 d8:9d:67:1a:38:c5 > 1a:81:fb:cb:bd:7a, ethertype IPv4 (0x0800), length 87: [|ip] 0x0000: 1a81 fbcb bd7a d89d 671a 38c5 0800 4500 .....z..g.8...E. 0x0010: 0049 6a73 0000 7811 .Ijs..x. 2022-05-25 13:54:05.994879 d8:9d:67:1a:38:c5 > 1a:81:fb:cb:bd:7a, ethertype IPv4 (0x0800), length 81: [|ip] 0x0000: 1a81 fbcb bd7a d89d 671a 38c5 0800 4500 .....z..g.8...E. 0x0010: 0043 ff2d 0000 3911 .C.-..9. 2022-05-25 13:54:05.994961 1a:81:fb:cb:bd:7a > d8:9d:67:1a:38:c5, ethertype IPv4 (0x0800), length 97: [|ip] 0x0000: d89d 671a 38c5 1a81 fbcb bd7a 0800 4500 ..g.8......z..E. 0x0010: 0053 79cb 0000 4011 .Sy...@. 4 packets captured 128 packets received by filter 0 packets dropped by kernel ******************************************************************************** Dump UDP packets with IP source 192.168.19.31: server:~# tcpdump -i bond0 -c 4 -ennNN -xxXX -tttt -vvv -s34 ip and udp and src 192.168.19.31 tcpdump: listening on bond0, link-type EN10MB (Ethernet), snapshot length 34 bytes 2022-05-25 14:06:08.371859 d8:9d:67:1a:38:c5 > 1a:81:fb:cb:bd:7a, ethertype IPv4 (0x0800), length 93: (tos 0x0, ttl 55, id 17672, offset 0, flags [none], proto UDP (17), length 79) 192.168.19.31 > 85.15.6.12: [|udp] 0x0000: 1a81 fbcb bd7a d89d 671a 38c5 0800 4500 .....z..g.8...E. 0x0010: 004f 4508 0000 3711 0fb4 c0a8 131f 550f .OE...7.......U. 0x0020: 060c .. 2022-05-25 14:06:10.363981 d8:9d:67:1a:38:c5 > 1a:81:fb:cb:bd:7a, ethertype IPv4 (0x0800), length 92: (tos 0x0, ttl 55, id 18039, offset 0, flags [none], proto UDP (17), length 78) 192.168.19.31 > 85.15.6.12: [|udp] 0x0000: 1a81 fbcb bd7a d89d 671a 38c5 0800 4500 .....z..g.8...E. 0x0010: 004e 4677 0000 3711 0e46 c0a8 131f 550f .NFw..7..F....U. 0x0020: 060c .. 2022-05-25 14:06:12.147605 d8:9d:67:1a:38:c5 > 1a:81:fb:cb:bd:7a, ethertype IPv4 (0x0800), length 96: (tos 0x0, ttl 55, id 18152, offset 0, flags [none], proto UDP (17), length 82) 192.168.19.31 > 85.15.6.12: [|udp] 0x0000: 1a81 fbcb bd7a d89d 671a 38c5 0800 4500 .....z..g.8...E. 0x0010: 0052 46e8 0000 3711 0dd1 c0a8 131f 550f .RF...7.......U. 0x0020: 060c .. 2022-05-25 14:06:13.595890 d8:9d:67:1a:38:c5 > 1a:81:fb:cb:bd:7a, ethertype IPv4 (0x0800), length 93: (tos 0x0, ttl 55, id 18222, offset 0, flags [none], proto UDP (17), length 79) 192.168.19.31 > 85.15.6.12: [|udp] 0x0000: 1a81 fbcb bd7a d89d 671a 38c5 0800 4500 .....z..g.8...E. 0x0010: 004f 472e 0000 3711 0d8e c0a8 131f 550f .OG...7.......U. 0x0020: 060c .. 4 packets captured 4 packets received by filter 0 packets dropped by kernel UDP 17 = 0x11 IP Octet 192 = 0xc0 IP Octet 168 = 0xa8 IP Octet 19 = 0x13 IP Octet 31 = 0x1f server:~# tcpdump -i bond0 -c 4 -ennNN -xxXX -tttt -vvv -s34 '(link[14] & 0xf0 == 0x40)' and '(link[23] == 0x11)' and '(link[26:2] == 0xc0a8)' and '(link[28:2] == 0x131f)' tcpdump: listening on bond0, link-type EN10MB (Ethernet), snapshot length 34 bytes 2022-05-25 14:04:09.873416 d8:9d:67:1a:38:c5 > 1a:81:fb:cb:bd:7a, ethertype IPv4 (0x0800), length 93: (tos 0x0, ttl 55, id 7897, offset 0, flags [none], proto UDP (17), length 79) 192.168.19.31 > 85.15.6.12: [|udp] 0x0000: 1a81 fbcb bd7a d89d 671a 38c5 0800 4500 .....z..g.8...E. 0x0010: 004f 1ed9 0000 3711 35e3 c0a8 131f 550f .O....7.5.....U. 0x0020: 060c .. 2022-05-25 14:04:13.091232 d8:9d:67:1a:38:c5 > 1a:81:fb:cb:bd:7a, ethertype IPv4 (0x0800), length 92: (tos 0x0, ttl 55, id 8229, offset 0, flags [none], proto UDP (17), length 78) 192.168.19.31 > 85.15.6.12: [|udp] 0x0000: 1a81 fbcb bd7a d89d 671a 38c5 0800 4500 .....z..g.8...E. 0x0010: 004e 2025 0000 3711 3498 c0a8 131f 550f .N.%..7.4.....U. 0x0020: 060c .. 2022-05-25 14:04:16.897655 d8:9d:67:1a:38:c5 > 1a:81:fb:cb:bd:7a, ethertype IPv4 (0x0800), length 96: (tos 0x0, ttl 55, id 8732, offset 0, flags [none], proto UDP (17), length 82) 192.168.19.31 > 85.15.6.12: [|udp] 0x0000: 1a81 fbcb bd7a d89d 671a 38c5 0800 4500 .....z..g.8...E. 0x0010: 0052 221c 0000 3711 329d c0a8 131f 550f .R"...7.2.....U. 0x0020: 060c .. 2022-05-25 14:04:20.676481 d8:9d:67:1a:38:c5 > 1a:81:fb:cb:bd:7a, ethertype IPv4 (0x0800), length 93: (tos 0x0, ttl 55, id 9026, offset 0, flags [none], proto UDP (17), length 79) 192.168.19.31 > 85.15.6.12: [|udp] 0x0000: 1a81 fbcb bd7a d89d 671a 38c5 0800 4500 .....z..g.8...E. 0x0010: 004f 2342 0000 3711 317a c0a8 131f 550f .O#B..7.1z....U. 0x0020: 060c .. 4 packets captured 4 packets received by filter 0 packets dropped by kernel server:~# tcpdump -i bond0 -c 4 -ennNN -xxXX -tttt -vvv -s34 '(link[12:2] == 0x0800)' and '(ip[0] & 0xf0 == 0x40)' and '(ip[9] == 0x11)' and '(ip[12:2] == 0xc0a8)' and '(ip[14:2] == 0x131f)' tcpdump: listening on bond0, link-type EN10MB (Ethernet), snapshot length 34 bytes 2022-05-25 14:31:14.611006 d8:9d:67:1a:38:c5 > 1a:81:fb:cb:bd:7a, ethertype IPv4 (0x0800), length 93: (tos 0x0, ttl 55, id 41619, offset 0, flags [none], proto UDP (17), length 79) 192.168.19.31 > 85.15.6.12: [|udp] 0x0000: 1a81 fbcb bd7a d89d 671a 38c5 0800 4500 .....z..g.8...E. 0x0010: 004f a293 0000 3711 b228 c0a8 131f 550f .O....7..(....U. 0x0020: 060c .. 2022-05-25 14:31:14.636113 d8:9d:67:1a:38:c5 > 1a:81:fb:cb:bd:7a, ethertype IPv4 (0x0800), length 92: (tos 0x0, ttl 55, id 41621, offset 0, flags [none], proto UDP (17), length 78) 192.168.19.31 > 85.15.6.12: [|udp] 0x0000: 1a81 fbcb bd7a d89d 671a 38c5 0800 4500 .....z..g.8...E. 0x0010: 004e a295 0000 3711 b227 c0a8 131f 550f .N....7..'....U. 0x0020: 060c .. 2022-05-25 14:31:14.661326 d8:9d:67:1a:38:c5 > 1a:81:fb:cb:bd:7a, ethertype IPv4 (0x0800), length 96: (tos 0x0, ttl 55, id 41626, offset 0, flags [none], proto UDP (17), length 82) 192.168.19.31 > 85.15.6.12: [|udp] 0x0000: 1a81 fbcb bd7a d89d 671a 38c5 0800 4500 .....z..g.8...E. 0x0010: 0052 a29a 0000 3711 b21e c0a8 131f 550f .R....7.......U. 0x0020: 060c .. 2022-05-25 14:31:14.688056 d8:9d:67:1a:38:c5 > 1a:81:fb:cb:bd:7a, ethertype IPv4 (0x0800), length 93: (tos 0x0, ttl 55, id 41628, offset 0, flags [none], proto UDP (17), length 79) 192.168.19.31 > 85.15.6.12: [|udp] 0x0000: 1a81 fbcb bd7a d89d 671a 38c5 0800 4500 .....z..g.8...E. 0x0010: 004f a29c 0000 3711 b21f c0a8 131f 550f .O....7.......U. 0x0020: 060c .. 4 packets captured 4 packets received by filter 0 packets dropped by kernel ******************************************************************************** Dump UDP packets with IP destination 192.168.19.31: server:~# tcpdump -i bond0 -c 4 -ennNN -xxXX -tttt -vvv -s34 ip and udp and dst 192.168.19.31 tcpdump: listening on bond0, link-type EN10MB (Ethernet), snapshot length 34 bytes 2022-05-25 14:11:28.038912 1a:81:fb:cb:bd:7a > d8:9d:67:1a:38:c5, ethertype IPv4 (0x0800), length 97: (tos 0x0, ttl 64, id 54103, offset 0, flags [none], proto UDP (17), length 83) 85.15.6.12 > 192.168.19.31: [|udp] 0x0000: d89d 671a 38c5 1a81 fbcb bd7a 0800 4500 ..g.8......z..E. 0x0010: 0053 d357 0000 4011 7860 550f 060c c0a8 .S.W..@.x`U..... 0x0020: 131f .. 2022-05-25 14:11:28.061052 1a:81:fb:cb:bd:7a > d8:9d:67:1a:38:c5, ethertype IPv4 (0x0800), length 176: (tos 0x0, ttl 64, id 54108, offset 0, flags [none], proto UDP (17), length 162) 85.15.6.12 > 192.168.19.31: [|udp] 0x0000: d89d 671a 38c5 1a81 fbcb bd7a 0800 4500 ..g.8......z..E. 0x0010: 00a2 d35c 0000 4011 780c 550f 060c c0a8 ...\..@.x.U..... 0x0020: 131f .. 2022-05-25 14:11:28.088976 1a:81:fb:cb:bd:7a > d8:9d:67:1a:38:c5, ethertype IPv4 (0x0800), length 100: (tos 0x0, ttl 64, id 54110, offset 0, flags [none], proto UDP (17), length 86) 85.15.6.12 > 192.168.19.31: [|udp] 0x0000: d89d 671a 38c5 1a81 fbcb bd7a 0800 4500 ..g.8......z..E. 0x0010: 0056 d35e 0000 4011 7856 550f 060c c0a8 .V.^..@.xVU..... 0x0020: 131f .. 2022-05-25 14:11:28.110942 1a:81:fb:cb:bd:7a > d8:9d:67:1a:38:c5, ethertype IPv4 (0x0800), length 97: (tos 0x0, ttl 64, id 54111, offset 0, flags [none], proto UDP (17), length 83) 85.15.6.12 > 192.168.19.31: [|udp] 0x0000: d89d 671a 38c5 1a81 fbcb bd7a 0800 4500 ..g.8......z..E. 0x0010: 0053 d35f 0000 4011 7858 550f 060c c0a8 .S._..@.xXU..... 0x0020: 131f .. 4 packets captured 4 packets received by filter 0 packets dropped by kernel server:~# tcpdump -i bond0 -c 4 -ennNN -xxXX -tttt -vvv -s34 '(link[14] & 0xf0 == 0x40)' and '(link[23] == 0x11)' and '(link[30:2] == 0xc0a8)' and '(link[32:2] == 0x131f)' tcpdump: listening on bond0, link-type EN10MB (Ethernet), snapshot length 34 bytes 2022-05-25 14:12:38.788762 1a:81:fb:cb:bd:7a > d8:9d:67:1a:38:c5, ethertype IPv4 (0x0800), length 97: (tos 0x0, ttl 64, id 59714, offset 0, flags [none], proto UDP (17), length 83) 85.15.6.12 > 192.168.19.31: [|udp] 0x0000: d89d 671a 38c5 1a81 fbcb bd7a 0800 4500 ..g.8......z..E. 0x0010: 0053 e942 0000 4011 6275 550f 060c c0a8 .S.B..@.buU..... 0x0020: 131f .. 2022-05-25 14:12:38.814277 1a:81:fb:cb:bd:7a > d8:9d:67:1a:38:c5, ethertype IPv4 (0x0800), length 176: (tos 0x0, ttl 64, id 59719, offset 0, flags [none], proto UDP (17), length 162) 85.15.6.12 > 192.168.19.31: [|udp] 0x0000: d89d 671a 38c5 1a81 fbcb bd7a 0800 4500 ..g.8......z..E. 0x0010: 00a2 e947 0000 4011 6221 550f 060c c0a8 ...G..@.b!U..... 0x0020: 131f .. 2022-05-25 14:12:38.839860 1a:81:fb:cb:bd:7a > d8:9d:67:1a:38:c5, ethertype IPv4 (0x0800), length 100: (tos 0x0, ttl 64, id 59721, offset 0, flags [none], proto UDP (17), length 86) 85.15.6.12 > 192.168.19.31: [|udp] 0x0000: d89d 671a 38c5 1a81 fbcb bd7a 0800 4500 ..g.8......z..E. 0x0010: 0056 e949 0000 4011 626b 550f 060c c0a8 .V.I..@.bkU..... 0x0020: 131f .. 2022-05-25 14:12:38.864189 1a:81:fb:cb:bd:7a > d8:9d:67:1a:38:c5, ethertype IPv4 (0x0800), length 97: (tos 0x0, ttl 64, id 59723, offset 0, flags [none], proto UDP (17), length 83) 85.15.6.12 > 192.168.19.31: [|udp] 0x0000: d89d 671a 38c5 1a81 fbcb bd7a 0800 4500 ..g.8......z..E. 0x0010: 0053 e94b 0000 4011 626c 550f 060c c0a8 .S.K..@.blU..... 0x0020: 131f .. 4 packets captured 4 packets received by filter 0 packets dropped by kernel server:~# tcpdump -i bond0 -c 4 -ennNN -xxXX -tttt -vvv -s34 '(link[12:2] == 0x0800)' and '(ip[0] & 0xf0 == 0x40)' and '(ip[9] == 0x11)' and '(ip[16:2] == 0xc0a8)' and '(ip[18:2] == 0x131f)' tcpdump: listening on bond0, link-type EN10MB (Ethernet), snapshot length 34 bytes 2022-05-25 14:29:52.085159 1a:81:fb:cb:bd:7a > d8:9d:67:1a:38:c5, ethertype IPv4 (0x0800), length 97: (tos 0x0, ttl 64, id 65425, offset 0, flags [none], proto UDP (17), length 83) 85.15.6.12 > 192.168.19.31: [|udp] 0x0000: d89d 671a 38c5 1a81 fbcb bd7a 0800 4500 ..g.8......z..E. 0x0010: 0053 ff91 0000 4011 4c26 550f 060c c0a8 .S....@.L&U..... 0x0020: 131f .. 2022-05-25 14:29:52.111503 1a:81:fb:cb:bd:7a > d8:9d:67:1a:38:c5, ethertype IPv4 (0x0800), length 176: (tos 0x0, ttl 64, id 65431, offset 0, flags [none], proto UDP (17), length 162) 85.15.6.12 > 192.168.19.31: [|udp] 0x0000: d89d 671a 38c5 1a81 fbcb bd7a 0800 4500 ..g.8......z..E. 0x0010: 00a2 ff97 0000 4011 4bd1 550f 060c c0a8 ......@.K.U..... 0x0020: 131f .. 2022-05-25 14:29:52.138007 1a:81:fb:cb:bd:7a > d8:9d:67:1a:38:c5, ethertype IPv4 (0x0800), length 100: (tos 0x0, ttl 64, id 65437, offset 0, flags [none], proto UDP (17), length 86) 85.15.6.12 > 192.168.19.31: [|udp] 0x0000: d89d 671a 38c5 1a81 fbcb bd7a 0800 4500 ..g.8......z..E. 0x0010: 0056 ff9d 0000 4011 4c17 550f 060c c0a8 .V....@.L.U..... 0x0020: 131f .. 2022-05-25 14:29:52.249774 1a:81:fb:cb:bd:7a > d8:9d:67:1a:38:c5, ethertype IPv4 (0x0800), length 97: (tos 0x0, ttl 64, id 65459, offset 0, flags [none], proto UDP (17), length 83) 85.15.6.12 > 192.168.19.31: [|udp] 0x0000: d89d 671a 38c5 1a81 fbcb bd7a 0800 4500 ..g.8......z..E. 0x0010: 0053 ffb3 0000 4011 4c04 550f 060c c0a8 .S....@.L.U..... 0x0020: 131f .. 4 packets captured 5 packets received by filter 0 packets dropped by kernel ******************************************************************************** Dump UDP packets with IP source or destination 192.168.19.31: server:~# tcpdump -i bond0 -c 4 -ennNN -xxXX -tttt -vvv -s34 '(link[12:2] == 0x0800)' and '(ip[0] & 0xf0 == 0x40)' and '(ip[9] == 0x11)' and \( \( '(ip[12:2] == 0xc0a8)' and '(ip[14:2] == 0x131f)' \) or \( '(ip[16:2] == 0xc0a8)' and '(ip[18:2] == 0x131f)' \) \) tcpdump: listening on bond0, link-type EN10MB (Ethernet), snapshot length 34 bytes 2022-05-25 14:39:29.411042 d8:9d:67:1a:38:c5 > 1a:81:fb:cb:bd:7a, ethertype IPv4 (0x0800), length 93: (tos 0x0, ttl 55, id 31213, offset 0, flags [none], proto UDP (17), length 79) 192.168.19.31 > 85.15.6.12: [|udp] 0x0000: 1a81 fbcb bd7a d89d 671a 38c5 0800 4500 .....z..g.8...E. 0x0010: 004f 79ed 0000 3711 dace c0a8 131f 550f .Oy...7.......U. 0x0020: 060c .. 2022-05-25 14:39:29.411101 1a:81:fb:cb:bd:7a > d8:9d:67:1a:38:c5, ethertype IPv4 (0x0800), length 97: (tos 0x0, ttl 64, id 49255, offset 0, flags [none], proto UDP (17), length 83) 85.15.6.12 > 192.168.19.31: [|udp] 0x0000: d89d 671a 38c5 1a81 fbcb bd7a 0800 4500 ..g.8......z..E. 0x0010: 0053 c067 0000 4011 8b50 550f 060c c0a8 .S.g..@..PU..... 0x0020: 131f .. 2022-05-25 14:39:29.436149 d8:9d:67:1a:38:c5 > 1a:81:fb:cb:bd:7a, ethertype IPv4 (0x0800), length 92: (tos 0x0, ttl 55, id 31217, offset 0, flags [none], proto UDP (17), length 78) 192.168.19.31 > 85.15.6.12: [|udp] 0x0000: 1a81 fbcb bd7a d89d 671a 38c5 0800 4500 .....z..g.8...E. 0x0010: 004e 79f1 0000 3711 dacb c0a8 131f 550f .Ny...7.......U. 0x0020: 060c .. 2022-05-25 14:39:29.436228 1a:81:fb:cb:bd:7a > d8:9d:67:1a:38:c5, ethertype IPv4 (0x0800), length 176: (tos 0x0, ttl 64, id 49260, offset 0, flags [none], proto UDP (17), length 162) 85.15.6.12 > 192.168.19.31: [|udp] 0x0000: d89d 671a 38c5 1a81 fbcb bd7a 0800 4500 ..g.8......z..E. 0x0010: 00a2 c06c 0000 4011 8afc 550f 060c c0a8 ...l..@...U..... 0x0020: 131f .. 4 packets captured 10 packets received by filter 0 packets dropped by kernel