[lug] tcpdump syntax
Zan Lynx
zlynx at acm.org
Fri Apr 11 22:20:56 MDT 2003
On Fri, 2003-04-11 at 22:01, D. Stimits wrote:
> I'm trying to port a simple tcp/ip client from windows to linux, and I
> have most of it compiling, but I need to figure out some
> newline/carriage return/EOL and login order info, and not getting
> anywhere. I'm trying to use tcpdump on a linux bridge (device br0), but
> I'm getting flooded out by my ssh connect and other connects not related
> to the machine I want to watch. Filtering later with regular expressions
> and macros works, but is a complete pain since the dump pattern is
> multiline. It looks like tcpdump should be able to dump data only for
> packets with a source or destination of some particular IP address,
> e.g., for IP 1.2.3.4, and nothing else, but I am at a loss. The
> following syntax works for all tcp and does not filter, though it does
> give the output I want buried in tons of data:
> tcpdump -n -vv -X -s 0 tcp
>
> Now according to the tcpdump man page, the final argument to tcpdump can
> be an expression. I can get the expression to filter with tcp as shown
> above, but the syntax of anything other than this is failing, giving me
> a "tcpdump: parse error". I am not interested in the direction of
> movement, I am interested in all tcp going to or from address (sample)
> 1.2.3.4. How would I extend this to limit it to only tcp:
> tcpdump -n -vv -X -s 0 'host 1.2.3.4'
In my copy of the tcpdump man page, it gives a list of every filter
argument you can use.
In your case, I would use:
tcpdump -ln -X tcp and host 1.2.3.4
--
Zan Lynx <zlynx at acm.org>
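As an added example, not part of the thread, here is a small Python evaluator for the subset of pcap-filter syntax used in the reply, run over constructed IPv4 packets: it shows what `tcp and host 1.2.3.4` selects (TCP in either direction), why `host 1.2.3.4` alone also passes UDP, and that `and` binds tighter than `or`. The addresses and packets are constructed test data, and the parser is a hypothetical teaching model of tcpdump's grammar, not libpcap's compiler.

```python
import struct, ipaddress
from collections import deque
PROTO = {"tcp": 6, "udp": 17}  # IP protocol numbers for the primitives supported here
def build_ipv4(src, dst, proto):  # constructed minimal IPv4 header (no options); test data, not a capture
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def parse_ipv4(pkt):  # the three header fields the filter needs: protocol, source, destination
    return {"proto": pkt[9], "src": str(ipaddress.IPv4Address(pkt[12:16])),
            "dst": str(ipaddress.IPv4Address(pkt[16:20]))}

def parse_filter(expr):
    """Parse a subset of pcap-filter syntax (tcp, udp, [src|dst] host ADDR, not, and, or;
    precedence not > and > or, as in tcpdump) into a predicate over parse_ipv4() dicts."""
    toks = deque(expr.split() + [None])   # None marks the end of the expression
    def take(expected=None):
        t = toks.popleft()
        if t is None or (expected and t != expected):
            raise ValueError("parse error near %r" % t)   # tcpdump says "parse error" too
        return t
    def primary():                        # 'not' primary, or a single primitive
        t = take()
        if t == "not":
            p = primary(); return lambda f: not p(f)
        if t in PROTO:
            return lambda f, n=PROTO[t]: f["proto"] == n
        if t in ("src", "dst", "host"):
            side = None if t == "host" else t
            if side: take("host")
            addr = take()
            # a bare 'host' matches either direction, which is what the question asked for
            return lambda f: addr in ([f[side]] if side else [f["src"], f["dst"]])
        raise ValueError("parse error near %r" % t)
    def chain(word, sub, op):             # left-associative `sub (word sub)*`
        p = sub()
        while toks[0] == word:
            take(); p = (lambda a, b: lambda f: op(a(f), b(f)))(p, sub())
        return p
    and_expr = lambda: chain("and", primary, lambda x, y: x and y)
    or_expr = lambda: chain("or", and_expr, lambda x, y: x or y)
    pred = or_expr()
    if toks[0] is not None: raise ValueError("parse error near %r" % toks[0])
    return pred

def filter_packets(expr, packets):  # indexes of the packets the filter expression selects
    pred = parse_filter(expr)
    return [i for i, pkt in enumerate(packets) if pred(parse_ipv4(pkt))]
# Constructed traffic: 0,1 = watched host's TCP session both ways; 2 = UDP from it; 3 = unrelated TCP
SAMPLE = [build_ipv4("1.2.3.4", "10.0.0.9", 6), build_ipv4("10.0.0.9", "1.2.3.4", 6),
          build_ipv4("1.2.3.4", "10.0.0.9", 17), build_ipv4("10.0.0.5", "10.0.0.9", 6)]
```

On the real command line, the unquoted form in the reply works because tcpdump joins its remaining arguments back into one expression; quoting becomes necessary only when the filter contains shell metacharacters such as parentheses.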