[vox-tech] tcpdump help was: packet sniffer help

Joel Baumert vox-tech@lists.lugod.org
Mon, 11 Feb 2002 22:43:12 -0800


You can try "tcpdump -i eth1 -F filterfile".  I am pretty sure this
will read the arguments stuff from the filter file and go around the
helpful shell.

If you want to look at the actual data add the "x" option...

tcpdump -xi eth1 host 10.10.6.103

Also sometimes I see a delay as the name server times out for the
reverse lookup... To get around this add the n option.

tcpdump -nxi eth1 host 10.10.6.103

I know you like the command line, but give some serious consideration
to running Ethereal.  It allows you to visually drill down on the
packet and highlights the portions of the payload for a selected
field in a protocol.  It also lets you follow a stream so, for 
example, you could follow a telnet stream and see what went back and
forth between each side in text... It was _really_ useful when I 
debugged HTTP or other high level protocols.

Joel

On Mon, Feb 11, 2002 at 05:46:01PM -0800, Peter Jay Salzman wrote:
> joel, i'm having trouble with tcpdump.  can you clear something up for
> me?   suppose i wanted to look at two (destination) ports at the same
> time.  this doesn't work:
> 
> 	tcpdump -i eth0 dst port 25906 && dst port 27950
> 
> i think the shell is trying to interpret the &&.
> 
>    satan# tcpdump -i eth0 dst port 25906 && dst port 27950
>    tcpdump: listening on eth0
>    <ctrl-c>  
>    0 packets received by filter
>    0 packets dropped by kernel
>    bash: dst: command not found
> 
> i replaced && with "and".  i added a "--".  tried quoting the whole
> argument with ''.  nothing seems to be working.  how does one go about
> "anding" conditions with tcpdump?
> 
> also, is there a way to look at the packet payload?  i'm not much
> interested in the raw packets themselves.   any way to peek at the
> contents using tcpdump?
> 
> pete
> 
> 
> begin Joel Baumert <kender@geeksource.net> 
> > If you want a graphical one Ethereal is really nice.  I alternate
> > between that, tcpdump, and ngrep.  Be aware that you may not be
> > able to sniff on a switched network unless you are the source or
> > destination of the packets.
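As an added illustration of the filter question in this thread (my own toy code, not anything from the list or from tcpdump itself), the evaluator below implements a small subset of tcpdump's filter language (host, port, src/dst port, and/&&, or/||, not) over a few constructed packets; it shows that "dst port A and dst port B" can never select a packet, because a packet has only one destination port, while "or" selects either, and that `&&` is valid filter syntax only once the expression is quoted so the shell does not see it (e.g. `tcpdump -n -i eth0 'dst port 25906 or dst port 27950'`). The IP addresses and port numbers are taken from the thread; the packets themselves are made up.

```python
from dataclasses import dataclass

@dataclass
class Packet:  # the handful of header fields the toy filter looks at
    src: str
    dst: str
    sport: int
    dport: int

PACKETS = [  # constructed sample traffic, not a real capture
    Packet("10.10.6.103", "10.10.6.1", 40001, 25906),
    Packet("10.10.6.104", "10.10.6.1", 40002, 27950),
    Packet("10.10.6.1", "10.10.6.103", 25906, 40001),
    Packet("10.10.6.105", "10.10.6.2", 40003, 80),
]

def _primitive(tokens, i):  # parse one primitive at tokens[i] -> (predicate, next index)
    t = tokens[i]
    if t in ("not", "!"):
        inner, i = _primitive(tokens, i + 1)
        return (lambda p: not inner(p)), i
    if t == "host":  # matches either endpoint, like tcpdump's "host"
        h = tokens[i + 1]
        return (lambda p: h in (p.src, p.dst)), i + 2
    if t in ("src", "dst") and tokens[i + 1] == "port":
        field, n = ("sport" if t == "src" else "dport"), int(tokens[i + 2])
        return (lambda p: getattr(p, field) == n), i + 3
    if t == "port":  # either source or destination port
        n = int(tokens[i + 1])
        return (lambda p: n in (p.sport, p.dport)), i + 2
    raise ValueError(f"unsupported primitive near {t!r}")

def compile_filter(expr):
    """Build a predicate from a filter string. As in pcap-filter, 'and'/'&&'
    binds tighter than 'or'/'||'; parentheses are not handled by this toy."""
    tokens = expr.split()
    groups, cur, i = [], [], 0  # groups of and-ed terms, joined by or
    while i < len(tokens):
        if tokens[i] in ("or", "||"):
            groups.append(cur); cur = []; i += 1
        elif tokens[i] in ("and", "&&"):
            i += 1
        else:
            pred, i = _primitive(tokens, i)
            cur.append(pred)
    groups.append(cur)
    return lambda p: any(all(f(p) for f in g) for g in groups)

def matching(expr, packets=PACKETS):  # the packets the expression selects
    return [p for p in packets if compile_filter(expr)(p)]
```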