From 2b40b78166e46231f13a396d289b3980fedb9d4f Mon Sep 17 00:00:00 2001 From: Denys Fedoryshchenko Date: Tue, 31 Oct 2023 03:22:06 +0200 Subject: [PATCH] Articles and pcap --- PPPOE_misc_tricks.md | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/PPPOE_misc_tricks.md b/PPPOE_misc_tricks.md index 65b8e46..855af5e 100644 --- a/PPPOE_misc_tricks.md +++ b/PPPOE_misc_tricks.md @@ -48,6 +48,17 @@ Which means: * -vvv - verbose output * -c 100 - capture 100 packets and exit +## pcap filters +You can use various pcap filters in trafw, iptop and tcpdump. +For example if you want to see only traffic from subnet 8.8.8.0/24 and source port 53 you can use: +``` +# to show total traffic for this filter +trafw ppp0 "src net 8.8.8.0/24 and src port 53" ppp0 "src net 8.8.8.0/24 and src port 53" 1 +# to show top consumers of such traffic +iptop eth0 "src net 8.8.8.0/24 and src port 53" 10000 dst +# to capture such traffic and see each packet, only 100 packets +tcpdump -ni ppp185 -vvv -c 100 "src net 8.8.8.0/24 and src port 53" - +More info, in articles: +https://iphelix.medium.com/packet-filtering-techniques-84fc3fc2ea3b
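Review bot: The code fence opened by the added triple-backtick line above the trafw example is never closed in the added lines. The tcpdump command is followed directly by "More info, in articles:" and the URL, so both will render inside the code block and the link will not be clickable. Add a closing fence after the tcpdump line and a blank line before "More info, in articles:". Two smaller points in the same block: the three commands are presented as applying one filter but use three different interfaces (ppp0, eth0, ppp185), so either use one interface throughout or say that the interface is a placeholder; and the positional arguments (the repeated interface and filter plus the trailing 1 for trafw, and 10000 dst for iptop) are not explained, while the context lines just above do explain -vvv and -c 100 for tcpdump. A short "Which means:" list for trafw and iptop would match the existing style of the file.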