11

I'm trying to set up tcpdump to filter only gratuitous ARPs. I know that I need to search for packets with a host set to ff:ff:ff:ff:ff:ff. And I found the arp.opcode parameter, but I can't seem to get it to work. For example, this:

tcpdump -i wm0 arp and arp.opcode == 2

returns a syntax error.

Can anyone shed some light on this?

Thanks,

Jason M.

Teun Vink
Jason Mitchell
  • Did any answer help you? If so, you should accept the answer so that the question doesn't keep popping up forever, looking for an answer. Alternatively, you could post and accept your own answer. – Ron Maupin Jan 05 '21 at 22:54

1 Answer

14

In the usual tcpdump for Unix systems, only some fields are known by their name.

Try specifying the opcode field by offset and size, and comparing with 2 ("reply"):

tcpdump -i eth99 arp and arp[6:2] == 2

For broadcasts with opcode "reply", which should be just the gratuitous ARPs:

tcpdump -i eth99 broadcast and arp and arp[6:2] == 2
jonathanjo
  • Thanks! I was hoping that there were things like tcpflags, but there aren't. Your answer is very close though. – Jason Mitchell Jun 27 '19 at 18:32
  • For anyone curious about the array syntax, arp[6:2] means 6th byte offset - capture 2 bytes - so offset 6 + offset 7. – Saad Malik Sep 18 '20 at 13:48
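To make the byte offsets in the accepted filter concrete, here is an added example (not from the question, the answer, or tcpdump itself) that applies the same logic as `broadcast and arp and arp[6:2] == 2` to raw Ethernet frames in Python, and adds the stricter sender-IP-equals-target-IP test that a gratuitous announcement carries. It assumes untagged Ethernet II frames; the MACs and addresses are constructed sample values.

```python
import struct

ETHERTYPE_ARP = 0x0806
BROADCAST_MAC = b"\xff" * 6


def build_arp(sender_mac, sender_ip, target_mac, target_ip, opcode, dst_mac=BROADCAST_MAC):
    """Construct an Ethernet II frame carrying an ARP packet (sample data for this example)."""
    eth = dst_mac + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    # ARP header: htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, then opcode.
    # These 8 bytes are why the opcode lives at arp[6:2] in tcpdump's offset syntax.
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += sender_mac + bytes(map(int, sender_ip.split(".")))   # sha (6) + spa (4)
    arp += target_mac + bytes(map(int, target_ip.split(".")))   # tha (6) + tpa (4)
    return eth + arp


def matches_filter(frame):
    """Mirror of the tcpdump expression `broadcast and arp and arp[6:2] == 2`.

    broadcast   -> Ethernet destination is ff:ff:ff:ff:ff:ff
    arp         -> EtherType 0x0806
    arp[6:2]==2 -> the 2 bytes at ARP offset 6 (the opcode) equal 2, i.e. "reply"
    """
    if len(frame) < 14 + 8:              # need the Ethernet header plus the ARP fixed header
        return False
    dst = frame[:6]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    arp = frame[14:]
    opcode = struct.unpack("!H", arp[6:8])[0]
    return dst == BROADCAST_MAC and ethertype == ETHERTYPE_ARP and opcode == 2


def is_gratuitous(frame):
    """Stricter check: a gratuitous ARP (request or reply) is a broadcast ARP whose
    sender IP equals its target IP. The tcpdump filter above catches every broadcast
    ARP reply and misses gratuitous requests; this test looks at the addresses instead."""
    if len(frame) < 14 + 28:
        return False
    if frame[:6] != BROADCAST_MAC or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return False
    arp = frame[14:]
    sender_ip, target_ip = arp[14:18], arp[24:28]
    return sender_ip == target_ip
```

A host announcing its own address (sender IP == target IP) matches both functions when it uses a reply, but only `is_gratuitous` when it uses a request, which is the gap to keep in mind when relying on the opcode filter alone.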