I am capturing MQTT traffic for troubleshooting using the command below:

tcpdump -i team0 -w mqtt-trace.pcap src 10.x.x.x

But it results in a very big file within minutes. Can I filter tcpdump on the basis of topic name? Following is the TCP payload; I want it to only capture payload which has PKGCTRL/1/status/frequency, or if tcpdump can directly support a filter on the application layer protocol like Wireshark's mqtt.topic = PKGCTRL/1/status/frequency

0000 00 13 95 36 2e ef 00 10 7e 07 87 3d 08 00 45 00.

I don't think the previously accepted answer necessarily does what you think it does, and possibly not even what you want it to do.

The original question stated, "But it results in very big file within minutes, Can i filter tcpdump on base of topic name".

If you're trying to limit the size of the capture file, then the previously accepted answer isn't doing that, because it uses the exact same capture filter as was originally provided, namely src 10.x.x.x. Just because a capture file name wasn't specified doesn't mean that packets aren't being written to a file; they are. This means that you're capturing the same amount of data as you were before.

Here's a command that should work (at least in most cases -> see caveats below):

tcpdump -i team0 -w mqtt-trace.pcap \

It should be obvious from the description of the desired filter above what each separate component of the filter is doing for you. You can even apply this same filter to the tshark solution too if you prefer, as well as writing to the named capture file, because, as I explained earlier, tshark is writing packets to a file whether you explicitly specify one or not. Here, you'll end up with a capture file of the desired packets that you can reference later on if you need to.

The filter assumes TCP headers are 20 bytes for simplicity in illustrating the solution, but that may not be the case. If you want a more robust solution to accommodate any TCP header size, then you'll need to determine the TCP header size from the data offset field of the TCP header, which is done in the filter using ((tcp[12]&0xf0)>>4)*4, and then replace every occurrence of 20 in the slice operator's offset field with that value. So for example, tcp[22:2]=26 becomes tcp[((((tcp[12]&0xf0)>>4)*4)+2):2]=26, etc.

Because the MQTT Remaining Length field is variable-length encoded per MQTT 3.1.1 section 2.2.3 Remaining Length, the filter, as provided above, will only work for values of the Remaining Length field from 0 to 127, i.e., the Remaining Length field must only be a single byte.
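The following is an added example and is not code from the question or the answer above. It is a small POSIX sh generator for the kind of capture filter the answer describes: it takes a topic string and emits a tcpdump/BPF expression that matches MQTT 3.1.1 PUBLISH packets carrying exactly that topic, with every offset computed from the TCP data offset field so the filter works for any TCP header length. It uses ((tcp[12]&0xf0)>>2), which is the same quantity as the answer's ((tcp[12]&0xf0)>>4)*4. The function names mqtt_topic_filter and topic_hex, the script name mqtt-filter.sh, and the sample topics are my own; the layout it assumes (PUBLISH fixed header, a single-byte Remaining Length, then the two-byte topic length and the topic) is the MQTT 3.1.1 layout the answer relies on, and the single-byte Remaining Length caveat from the answer is enforced as a filter term rather than silently assumed.

```shell
#!/bin/sh
# Added example, not part of the original question or answer: build the
# tcpdump capture filter the answer describes, for MQTT 3.1.1 PUBLISH packets
# carrying one exact topic, with offsets computed from the TCP data offset
# field so any TCP header length works.
#
# Assumed TCP payload layout (H = TCP header length in bytes):
#   tcp[H]      fixed header, type PUBLISH = 0x3 in the high nibble
#   tcp[H+1]    Remaining Length, assumed to fit in one byte (0..127)
#   tcp[H+2:2]  topic length, big-endian
#   tcp[H+4..]  topic bytes (UTF-8)

# ((tcp[12]&0xf0)>>2) is the data offset (high nibble of byte 12, in 32-bit
# words) times 4, i.e. the same value as ((tcp[12]&0xf0)>>4)*4 in the answer.
HDR='((tcp[12]&0xf0)>>2)'

# topic_hex TOPIC -> the topic as lowercase hex bytes, no separators
topic_hex() {
    printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n'
}

# mqtt_topic_filter TOPIC -> prints the BPF expression on stdout
mqtt_topic_filter() {
    hex=$(topic_hex "$1")
    len=$(( ${#hex} / 2 ))           # topic length in bytes

    # PUBLISH type, single-byte Remaining Length (the caveat from the answer,
    # enforced here so longer messages are dropped rather than misparsed),
    # and an exact topic length so a topic with the same prefix cannot match.
    f="tcp[$HDR]&0xf0=0x30"
    f="$f and tcp[$HDR+1]&0x80=0"
    f="$f and tcp[$HDR+2:2]=$len"

    # Compare the topic bytes 4 at a time (BPF slices are 1, 2 or 4 bytes),
    # then 2 and/or 1 bytes for the tail.
    off=4
    rest=$hex
    while [ -n "$rest" ]; do
        n=${#rest}
        if   [ "$n" -ge 8 ]; then w=4
        elif [ "$n" -ge 4 ]; then w=2
        else                       w=1
        fi
        chunk=$(printf '%s' "$rest" | cut -c1-$((w * 2)))
        rest=$(printf '%s' "$rest" | cut -c$((w * 2 + 1))-)
        f="$f and tcp[$HDR+$off:$w]=0x$chunk"
        off=$((off + w))
    done
    printf '%s\n' "$f"
}

# Usage (hypothetical script name):
#   sh mqtt-filter.sh PKGCTRL/1/status/frequency
#   tcpdump -i team0 -w mqtt-trace.pcap \
#     "src 10.x.x.x and $(sh mqtt-filter.sh PKGCTRL/1/status/frequency)"
if [ $# -gt 0 ]; then
    mqtt_topic_filter "$1"
fi
```

Two limits worth knowing before relying on this in production: a BPF capture filter only sees the first bytes of each TCP segment, so a PUBLISH that is not the first MQTT control packet in its segment, or whose fixed header was split across segments, will not match, and the same is true of the answer's filter; and the remaining-length term deliberately rejects PUBLISH packets of 128 bytes or more rather than trying to decode the multi-byte encoding in BPF, which is the trade-off the answer's caveat describes.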