[lug] tcpdump syntax
Scotty Allen
scotty at scottyallen.com
Fri Apr 11 22:24:05 MDT 2003
> Now according to the tcpdump man page, the final argument to tcpdump can
> be an expression. I can get the expression to filter with tcp as shown
> above, but the syntax of anything other than this is failing, giving me
> a "tcpdump: parse error". I am not interested in the direction of
> movement, I am interested in all tcp going to or from address (sample)
> 1.2.3.4. How would I extend this to limit it to only tcp:
> tcpdump -n -vv -X -s 0 'host 1.2.3.4'
I tend to be perpetually frustrated with tcpdump. About half the things I
try seem to be totally kosher according to the man page, only to have
tcpdump spit back a parse error. I did come up with the following though,
which seems to work for what you want:
sudo tcpdump -n -vv -X -s 0 host 1.2.3.4 and tcp
If you're spending a lot of time packet sniffing, you might want to look
into using ethereal (either as a command line utility, or a graphical
utility).
Good luck,
Scotty
--
Haiku's inventor
must have had seven fingers
on his middle hand
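The expression grammar that `host 1.2.3.4 and tcp` relies on, shown as an added example that is not part of the original post or of tcpdump/libpcap: a small Python evaluator for a subset of the pcap-filter syntax (host/net/port primitives with optional src/dst, the tcp/udp/icmp/ip keywords, and/or/not with parentheses, with the same precedence as pcap-filter: not binds tighter than and, and binds tighter than or). It runs over constructed packets, so you can see which expressions match both directions of a conversation and which ones are rejected, without an interface or root. The Packet type, the SAMPLE packets and the function names are assumptions made for this example.

```python
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:          # constructed stand-in for a captured packet
    proto: str         # 'tcp', 'udp' or 'icmp'
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


PROTOS = {"ip", "tcp", "udp", "icmp"}
TOKEN_RE = re.compile(r"\s*(\(|\)|&&|\|\||!|[A-Za-z0-9./:]+)")


def tokenize(expr):
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise SyntaxError(f"parse error near {expr[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


class Parser:
    # Recursive descent: or-expr > and-expr > not-expr > primary.
    def __init__(self, expr):
        self.tokens, self.i = tokenize(expr), 0

    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:   # leftover tokens: 'host 1.2.3.4 tcp'
            raise SyntaxError(f"parse error near {self.peek()!r}")
        return node

    def parse_or(self):
        left = self.parse_and()
        while self.peek() in ("or", "||"):
            self.take()
            left = ("or", left, self.parse_and())
        return left

    def parse_and(self):
        left = self.parse_not()
        while self.peek() in ("and", "&&"):
            self.take()
            left = ("and", left, self.parse_not())
        return left

    def parse_not(self):
        if self.peek() in ("not", "!"):
            self.take()
            return ("not", self.parse_not())
        return self.parse_primary()

    def parse_primary(self):
        tok = self.take()
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise SyntaxError("parse error: missing ')'")
            return node
        if tok in PROTOS:
            return ("proto", tok)
        direction = "either"            # plain 'host' means src or dst
        if tok in ("src", "dst"):
            direction, tok = tok, self.take()
        if tok in ("host", "net", "port"):
            value = self.take()
            if value is None:
                raise SyntaxError(f"parse error: {tok} needs an argument")
            return (tok, direction, value)
        raise SyntaxError(f"parse error near {tok!r}")


def matches(node, pkt):
    kind = node[0]
    if kind == "or":
        return matches(node[1], pkt) or matches(node[2], pkt)
    if kind == "and":
        return matches(node[1], pkt) and matches(node[2], pkt)
    if kind == "not":
        return not matches(node[1], pkt)
    if kind == "proto":
        return node[1] == "ip" or pkt.proto == node[1]
    _, direction, value = node
    if kind == "host":
        test, fields = (lambda a: a == value), (pkt.src, pkt.dst)
    elif kind == "net":
        network = ipaddress.ip_network(value, strict=False)
        test, fields = (lambda a: ipaddress.ip_address(a) in network), (pkt.src, pkt.dst)
    else:                               # 'port' only applies to tcp/udp
        if pkt.proto not in ("tcp", "udp"):
            return False
        test, fields = (lambda p: p == int(value)), (pkt.sport, pkt.dport)
    if direction == "src":
        return test(fields[0])
    if direction == "dst":
        return test(fields[1])
    return test(fields[0]) or test(fields[1])


def compile_filter(expr):
    tree = Parser(expr).parse()
    return lambda pkt: matches(tree, pkt)


def select(expr, packets):
    pred = compile_filter(expr)
    return [p for p in packets if pred(p)]


SAMPLE = [  # constructed traffic: a TLS exchange with 1.2.3.4, a DNS query, an unrelated flow
    Packet("tcp", "10.0.0.5", "1.2.3.4", 51234, 443),
    Packet("tcp", "1.2.3.4", "10.0.0.5", 443, 51234),
    Packet("udp", "1.2.3.4", "10.0.0.53", 33000, 53),
    Packet("tcp", "10.0.0.5", "5.6.7.8", 51235, 80),
]

if __name__ == "__main__":
    for expr in ("host 1.2.3.4 and tcp", "src host 1.2.3.4", "not tcp and host 1.2.3.4"):
        print(f"{expr!r}: {len(select(expr, SAMPLE))} packet(s)")
```

Note that `host 1.2.3.4 and tcp` picks up both directions of the connection, while `src host 1.2.3.4 and tcp` keeps only replies from 1.2.3.4, and `not tcp and host 1.2.3.4` is read as `(not tcp) and host 1.2.3.4`, so the DNS packet is the only match; juxtaposition such as `host 1.2.3.4 tcp` is a parse error here because the grammar needs an explicit `and`. When typing these into a real tcpdump, quote the whole expression so the shell does not interpret parentheses or `!`.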