This godawful mess is a packet filter for tshark, the command line companion of the Wireshark sniffer. The goal with this thing is to be able to listen to all traffic on a Linux machine’s network interface, while ignoring all the chatty network related protocols.
#!/bin/sh
# Usage: ./quiet-tshark.sh <interface>
# -f is a libpcap capture filter: frames it rejects never reach tshark at all, so
# the same script works with -w when you need a clean pcap. Clauses: ARP, STP,
# IGMP, ICMPv6 (ip6[40] == 130 is the MLD query type when no extension headers
# precede it), frames to the LLDP nearest-bridge MAC 01:80:c2:00:00:0e, IP
# protocol 112 (VRRP), the DHCPv4/DHCPv6 ports, Dropbox LAN sync (UDP 17500 to
# 239.192.152.143), UDP 32768, ether proto 0x01ff and SSH (port 22, either side).
tshark -i "$1" -f "not icmp6 and not arp and not stp and not igmp and \
(ether[0] != 0x01 or ether[1] != 0x80 \
or ether[2] != 0xc2 or ether[3] != 0x00 \
or ether[4] != 0x00 or ether[5] != 0x0e) and not proto 112 \
and not (port 67 or port 68 or port 546 or port 547) \
and not (udp and dst host 239.192.152.143 and dst port 17500) \
and not udp port 32768 and not ether proto 0x01ff \
and not (icmp6 and ip6[40] == 130) \
and not port 22"
If you’ve got a VPS somewhere you should turn on an unfiltered tshark session and look at the madness that is 21st century switched ethernet. When I do this there is a veritable blizzard of frames; it’s utterly unusable. The simple solution would be to filter for just the ports/protocols you want to see … but what if you’re not sure what you’re looking for in the first place?
Being old and set in my ways, I used to just pipe the output from tshark to grep in order to ignore things. That’s messy to manage, and if for some reason you need a pcap file from the host so you can dig in with Wireshark on your desktop, it’s a nonstarter. This script cures that deficit.
I wrote the first and last lines from memory; all the rest of that stuff is solutions ChatGPT offered for specific protocols. The one with 17500 in it stifles the constant chatter of Dropbox local sync, and proto 0x01ff shuts down noisy Nortel switch announcements. I think some of that other stuff is for Juniper switching gear. It’s weird to use remote systems and not see Cisco everywhere; there was a time when they were 75% of all internet infrastructure.
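If you want to see what each clause of that filter actually tests at the byte level (which header offset, which direction, TCP or UDP), here is an added example of mine, not the post's code, that re-implements the filter over raw Ethernet frames and builds a few constructed frames to run it against. It assumes untagged Ethernet frames and IPv6 packets with no extension headers, the same assumption the filter's ip6[40] clause makes.

```python
import struct

# Byte-level reading of the capture filter above; my illustration, not the
# post's code. Assumes untagged Ethernet frames and IPv6 packets with no
# extension headers (the filter's own ip6[40] clause assumes the same).
LLDP_DST = bytes.fromhex("0180c200000e")      # ether[0..5] clause
DROPBOX_GROUP = bytes([239, 192, 152, 143])   # dst host in the Dropbox clause
NOISE_PORTS = {22, 67, 68, 546, 547}          # 'port N' clauses: TCP or UDP, either side

def is_noise(frame: bytes) -> bool:
    """True if the filter would drop this frame, False if tshark would show it."""
    if frame[:6] == LLDP_DST:                 # LLDP nearest-bridge multicast MAC
        return True
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype in (0x0806, 0x01FF):             # arp / ether proto 0x01ff
        return True
    if etype < 0x0600:                        # 802.3 length field: 'stp' = LLC DSAP 0x42
        return frame[14] == 0x42
    if etype == 0x0800:                       # IPv4: protocol byte, L4 offset, dst address
        proto, l4, dst = frame[23], 14 + (frame[14] & 0x0F) * 4, frame[30:34]
        if proto == 2:                        # igmp
            return True
    elif etype == 0x86DD:                     # IPv6: next header at ip6[6]
        proto, l4, dst = frame[20], 14 + 40, None
        if proto == 58:                       # icmp6 (also covers ip6[40] == 130, MLD query)
            return True
    else:
        return False
    if proto == 112:                          # proto 112 = VRRP
        return True
    if proto not in (6, 17):                  # only TCP/UDP carry the ports checked below
        return False
    sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
    if sport in NOISE_PORTS or dport in NOISE_PORTS:
        return True
    return proto == 17 and (32768 in (sport, dport)
                            or (dst == DROPBOX_GROUP and dport == 17500))

def eth(dst: bytes, etype: int, payload: bytes) -> bytes:
    """Constructed test frame: dst MAC, all-zero src MAC, EtherType, payload."""
    return dst + bytes(6) + struct.pack("!H", etype) + payload

def ipv4(proto: int, sport: int, dport: int, dst=bytes([10, 0, 0, 2])) -> bytes:
    """Constructed IPv4 frame: minimal 20-byte header plus a bare L4 port pair."""
    hdr = bytes([0x45, 0]) + struct.pack("!H", 40) + bytes(4) + bytes([64, proto])
    hdr += bytes(2) + bytes([10, 0, 0, 1]) + dst
    return eth(bytes(6), 0x0800, hdr + struct.pack("!HH", sport, dport) + bytes(16))
```

Note the asymmetries it makes visible: the 32768 rule is UDP-only, the Dropbox rule needs the multicast destination as well as the port, and port 22 is dropped in both directions.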
If you want to get good at this stuff, there’s a thirty-some-year-old book called TCP/IP Illustrated, Volume 1, that you need to read. The “illustrated” is funny: there are very few line drawings in it; the nature of the illustration is lots and lots of tcpdump output. That’s an old packet capture utility that isn’t as easy to use as tshark.
Don’t ask why I’ve been up since 0300 wrenching on this stuff … because I’m not sure myself. This is one of those “known unknowns” kinda mornings …