[lug] tcpdump syntax
D. Stimits
stimits at attbi.com
Fri Apr 11 22:45:08 MDT 2003
Scotty Allen wrote:
> >Now according to the tcpdump man page, the final argument to tcpdump can
> >be an expression. I can get the expression to filter with tcp as shown
> >above, but the syntax of anything other than this is failing, giving me
> >a "tcpdump: parse error". I am not interested in the direction of
> >movement, I am interested in all tcp going to or from address (sample)
> >1.2.3.4. How would I extend this to limit it to only tcp:
> > tcpdump -n -vv -X -s 0 'host 1.2.3.4'
>
>
> I tend to be perpetually frustrated with tcpdump. About half the things I
> try seem to be totally kosher according to the man page, only to have
> tcpdump spit back a parse error. I did come up with the following though,
> which seems to work for what you want:
>
> sudo tcpdump -n -vv -X -s 0 host 1.2.3.4 and tcp
Here is the magic I kept missing on the man page: the "and". Such a
magic word; could you imagine English without that word?
>
> If you're spending a lot of time packet sniffing, you might want to look
> into using ethereal (either as a command line utility, or a graphical
> utility).
The bridge I am dumping from has no X11, though I could use a -display
option. What options do I have which run on the console? I probably won't
install any of the X11 libs just to do a remote display.
D. Stimits, stimits AT attbi DOT com
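Added example, not code from this thread or from tcpdump: a toy Python compiler for a small subset of the pcap-filter grammar ([src|dst] host/port, tcp|udp|icmp, and/or/not, no parentheses), run over constructed packet summaries. It shows why `host 1.2.3.4 and tcp` parses while `host 1.2.3.4 tcp` is rejected, and that a bare `host` matches either direction, so no direction qualifier is needed for "to or from". The PACKETS dicts are assumed sample data; nothing here calls libpcap.

```python
import ipaddress
import re

# Constructed packet summaries, not captured traffic; these are the fields the filters inspect.
PACKETS = [
    {"src": "1.2.3.4", "dst": "10.0.0.9", "proto": "tcp", "sport": 443, "dport": 51000},
    {"src": "10.0.0.9", "dst": "1.2.3.4", "proto": "tcp", "sport": 51000, "dport": 443},
    {"src": "1.2.3.4", "dst": "10.0.0.9", "proto": "udp", "sport": 53, "dport": 40000},
    {"src": "10.0.0.5", "dst": "10.0.0.9", "proto": "tcp", "sport": 22, "dport": 40001},
]

class ParseError(Exception):
    pass  # raised where tcpdump would print "parse error"

def compile_filter(expr):
    """Toy compiler (not libpcap) for a pcap-filter subset: [src|dst] host ADDR,
    [src|dst] port N and tcp|udp|icmp, joined by and/or/not (no parentheses)."""
    toks = re.findall(r"\S+", expr)
    def take():
        if not toks:
            raise ParseError("unexpected end of expression")
        return toks.pop(0)
    def primitive():
        tok = take()
        if tok == "not":
            return (lambda inner: lambda p: not inner(p))(primitive())
        if tok in ("tcp", "udp", "icmp"):
            return lambda p, proto=tok: p["proto"] == proto
        sides = (tok,) if tok in ("src", "dst") else ("src", "dst")  # bare host/port: either direction
        tok = take() if tok in ("src", "dst") else tok
        if tok == "host":
            addr = ipaddress.ip_address(take())
            return lambda p: any(ipaddress.ip_address(p[s]) == addr for s in sides)
        if tok == "port":
            port, key = int(take()), {"src": "sport", "dst": "dport"}
            return lambda p: any(p[key[s]] == port for s in sides)
        raise ParseError(f"unexpected token {tok!r}")
    def chain(sub, word, combine):  # left-associative 'and' / 'or' over sub-expressions
        node = sub()
        while toks and toks[0] == word:
            toks.pop(0)
            node = (lambda l, r: lambda p: combine(l(p), r(p)))(node, sub())
        return node
    node = chain(lambda: chain(primitive, "and", lambda a, b: a and b), "or", lambda a, b: a or b)
    if toks:  # a second primitive with no connective, e.g. 'host 1.2.3.4 tcp'
        raise ParseError(f"parse error near {toks[0]!r}")
    return node

def select(expr, packets=PACKETS):
    pred = compile_filter(expr)  # indices of the packets the filter keeps
    return [i for i, p in enumerate(packets) if pred(p)]
```

`select("host 1.2.3.4 and tcp")` keeps only the two TCP packets that have 1.2.3.4 as either endpoint, while `select("host 1.2.3.4 tcp")` raises ParseError.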