Re: [tcpdump-workers] Newbie user question: Getting packets from
(blah blah blah wrong from address blah blah blah duplicate message dissector blah blah blah time to see whether I can configure Thunderbird to automatically set the from address for tcpdump-workers messages blah blah blah)

KEVIN ZEMBOWER wrote:
> www:~# tcpdump src host centernet.jhuccp.org and ip proto \\tcp or \\udp

The tcpdump man page says:

       Primitives may be combined using:

              A parenthesized group of primitives and operators (parentheses are special to the Shell and must be escaped).

              Negation (`!' or `not').

              Concatenation (`&&' or `and').

              Alternation (`||' or `or').

       Negation has highest precedence.  Alternation and concatenation have equal precedence and associate left to right.  Note that explicit and tokens, not juxtaposition, are now required for concatenation.

That perhaps doesn't state it as clearly as it could, but it means that "and" has higher precedence than "or", which means that

        src host centernet.jhuccp.org and ip proto \\tcp or \\udp

means

        (src host centernet.jhuccp.org and ip proto \\tcp) or \\udp

which means that it matches packets that are either TCP packets from host centernet.jhuccp.org or UDP packets, which means you'll see UDP packets regardless of whether they're from host centernet.jhuccp.org or not - which is why you're seeing those DNS packets.

Try

        src host centernet.jhuccp.org and (ip proto \\tcp or \\udp)

instead.

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
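An added example, not from the thread and not tcpdump/libpcap code: a toy Python parser for just the subset of the filter language used above, applying the precedence rules the quoted man page states (negation highest; "and" and "or" at equal precedence, grouping left to right; for the expression in question this gives the same grouping described in the reply). It prints the fully parenthesized form of each expression and evaluates it over a few constructed packets. Name resolution is a fixed table: the address for centernet.jhuccp.org is the one from the A record later in the thread, the ns1.jhmi.edu address is made up, and only the source address and IP protocol of a packet are modelled.

```python
# Added example, not part of the thread: a toy parser for the subset of the
# tcpdump filter language used above, applying the precedence the quoted man
# page states (negation highest; "and" and "or" equal, left to right), plus
# an evaluator run over constructed packets.

PROTO_NUM = {"tcp": 6, "udp": 17, "icmp": 1}
PROTO_NAME = {num: name for name, num in PROTO_NUM.items()}

# Fixed table standing in for DNS. centernet's address is the one in the
# thread's A record; the ns1 address is a made-up documentation address.
HOSTS = {
    "centernet.jhuccp.org": "162.129.225.192",
    "ns1.jhmi.edu": "192.0.2.53",
}


def tokenize(expr):
    """Split on whitespace and parentheses. The backslash that marks tcp/udp
    as protocol names rather than keywords (what bash hands tcpdump for
    \\tcp) carries no meaning for this parser, so it is dropped."""
    spaced = expr.replace("(", " ( ").replace(")", " ) ")
    return [tok.lstrip("\\") for tok in spaced.split()]


def parse_primitive(toks, pos):
    tok = toks[pos]
    if tok == "src" and toks[pos + 1] == "host":
        return ("src_host", toks[pos + 2]), pos + 3
    if tok == "ip" and toks[pos + 1] == "proto":
        return ("ip_proto", PROTO_NUM[toks[pos + 2]]), pos + 3
    if tok in PROTO_NUM:  # a bare tcp/udp/icmp abbreviates "ip proto <p>"
        return ("ip_proto", PROTO_NUM[tok]), pos + 1
    raise ValueError("unsupported primitive at token %d: %r" % (pos, tok))


def parse_unary(toks, pos):
    """Negation binds tightest; parentheses group explicitly."""
    if toks[pos] in ("not", "!"):
        operand, pos = parse_unary(toks, pos + 1)
        return ("not", operand), pos
    if toks[pos] == "(":
        inner, pos = parse_expr(toks, pos + 1)
        if pos >= len(toks) or toks[pos] != ")":
            raise ValueError("missing closing parenthesis")
        return inner, pos + 1
    return parse_primitive(toks, pos)


def parse_expr(toks, pos):
    """'and' and 'or' share one precedence level and associate left to
    right, so operands are folded onto the left as they are read."""
    left, pos = parse_unary(toks, pos)
    while pos < len(toks) and toks[pos] in ("and", "&&", "or", "||"):
        op = "and" if toks[pos] in ("and", "&&") else "or"
        right, pos = parse_unary(toks, pos + 1)
        left = (op, left, right)
    return left, pos


def parse(expr):
    toks = tokenize(expr)
    tree, pos = parse_expr(toks, 0)
    if pos != len(toks):
        raise ValueError("trailing tokens: %r" % toks[pos:])
    return tree


def fmt(tree):
    """Fully parenthesized rendering, so the grouping is unambiguous."""
    kind = tree[0]
    if kind == "src_host":
        return "src host " + tree[1]
    if kind == "ip_proto":
        return "ip proto " + PROTO_NAME.get(tree[1], str(tree[1]))
    if kind == "not":
        return "not " + fmt(tree[1])
    return "(%s %s %s)" % (fmt(tree[1]), kind, fmt(tree[2]))


def matches(tree, pkt):
    kind = tree[0]
    if kind == "src_host":
        return pkt["src"] == HOSTS[tree[1]]
    if kind == "ip_proto":
        return pkt["proto"] == tree[1]
    if kind == "not":
        return not matches(tree[1], pkt)
    lhs, rhs = matches(tree[1], pkt), matches(tree[2], pkt)
    return (lhs and rhs) if kind == "and" else (lhs or rhs)


# Constructed packets: only source address and IP protocol matter here.
PACKETS = {
    "tcp from centernet": {"src": HOSTS["centernet.jhuccp.org"], "proto": 6},
    "dns (udp) from ns1": {"src": HOSTS["ns1.jhmi.edu"], "proto": 17},
    "icmp from centernet": {"src": HOSTS["centernet.jhuccp.org"], "proto": 1},
}

AS_TYPED = "src host centernet.jhuccp.org and ip proto \\tcp or \\udp"
INTENDED = "src host centernet.jhuccp.org and (ip proto \\tcp or \\udp)"


def show(expr):
    return fmt(parse(expr))


def which_match(expr):
    tree = parse(expr)
    return [name for name, pkt in PACKETS.items() if matches(tree, pkt)]


if __name__ == "__main__":
    for expr in (AS_TYPED, INTENDED):
        print(expr)
        print("  groups as:", show(expr))
        print("  matches:  ", which_match(expr))
```

Run as a script, it shows the filter as typed accepting the UDP packet from the constructed ns1.jhmi.edu address while the parenthesized filter accepts only the TCP packet from centernet.jhuccp.org. The left-to-right rule also means `\udp or src host X and \tcp` groups as `(udp or src host X) and tcp`, which is the case where "and binds tighter" and "equal precedence, left to right" would give different answers.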
Re: [tcpdump-workers] Newbie user question: Getting packets from
KEVIN ZEMBOWER wrote:
> As you can see, I'm still getting packets from ns1.jhmi.edu on the DNS port.

What does the command

        tcpdump -d src host centernet.jhuccp.org and \( ip proto \\tcp or \\udp \)

print?

> If it helps, I'm using bash 2.05 on a Debian woody (stable, 3.0) distro running kernel 2.4.18.

The bash and kernel versions probably aren't the most important version numbers - the libpcap version is.  What does

        tcpdump -h

print?
Re: [tcpdump-workers] Newbie user question: Getting packets from
Output is:

[EMAIL PROTECTED]:~$ su -
Password:
www:~# tcpdump -d src host centernet.jhuccp.org and \( ip proto \\tcp or \\udp \)
(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 8
(002) ld       [26]
(003) jeq      #0xa281e1c0      jt 4    jf 8
(004) ldb      [23]
(005) jeq      #0x6             jt 7    jf 6
(006) jeq      #0x11            jt 7    jf 8
(007) ret      #96
(008) ret      #0
www:~# tcpdump src host centernet.jhuccp.org and \( ip proto \\tcp or \\udp \)
tcpdump: listening on eth0
15:33:05.757014 virtual.jhuccp.org.59313 > ns1.jhmi.edu.domain:  37894+ ? centernet.jhuccp.org. (38) (DF)
15:33:05.758609 ns1.jhmi.edu.domain > virtual.jhuccp.org.59313:  37894* 0/1/0 (97) (DF)
15:33:05.758927 virtual.jhuccp.org.59313 > ns1.jhmi.edu.domain:  37895+ A? centernet.jhuccp.org. (38) (DF)
15:33:05.765150 ns1.jhmi.edu.domain > virtual.jhuccp.org.59313:  37895* 1/2/2 A 162.129.225.192 (130) (DF)

4 packets received by filter
0 packets dropped by kernel
www:~# tcpdump -h
tcpdump version 3.6
libpcap version 0.6
Usage: tcpdump [-adeflnNOpqStuvxX] [-c count] [ -F file ] [ -i interface ] [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ] [ expression ]
www:~#

Thanks, again, Guy.

-Kevin

[EMAIL PROTECTED] 09/27/04 03:32PM:
> KEVIN ZEMBOWER wrote:
> > As you can see, I'm still getting packets from ns1.jhmi.edu on the DNS port.
>
> What does the command
>
>         tcpdump -d src host centernet.jhuccp.org and \( ip proto \\tcp or \\udp \)
>
> print?
>
> > If it helps, I'm using bash 2.05 on a Debian woody (stable, 3.0) distro running kernel 2.4.18.
>
> The bash and kernel versions probably aren't the most important version numbers - the libpcap version is.  What does
>
>         tcpdump -h
>
> print?
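An added example, not from the thread and not libpcap code: a minimal Python interpreter for the handful of BPF instructions in the `tcpdump -d` listing above (absolute-offset ldb/ldh/ld, jeq, ret), run over constructed Ethernet/IPv4 frames so you can check what the compiled program actually accepts rather than reading the listing by eye. The program is the one posted in the message, with its column spacing restored; offsets 12, 23 and 26 are the Ethernet type, IPv4 protocol and IPv4 source-address fields of a frame with a 14-byte Ethernet header and a 20-byte IP header, which is what the listing assumes. The 192.0.2.x addresses are made up.

```python
# Added example, not part of the thread: a minimal interpreter for the subset
# of BPF that the "tcpdump -d" listing above uses, run over constructed
# Ethernet/IPv4 frames. Offsets 12, 23 and 26 are the Ethernet type, IPv4
# protocol and IPv4 source address of a frame with a 14-byte Ethernet header
# and a 20-byte IP header. The 192.0.2.x addresses are made up.
import re
import struct
from ipaddress import IPv4Address

# The listing from the thread, spacing restored.
BPF_DUMP = """
(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 8
(002) ld       [26]
(003) jeq      #0xa281e1c0      jt 4    jf 8
(004) ldb      [23]
(005) jeq      #0x6             jt 7    jf 6
(006) jeq      #0x11            jt 7    jf 8
(007) ret      #96
(008) ret      #0
"""

LOAD_SIZE = {"ldb": 1, "ldh": 2, "ld": 4}


def parse_dump(text):
    """Turn the -d listing into a list of (opcode, operands), checking the
    instructions are numbered consecutively so jump targets are indexes."""
    prog = []
    for line in text.strip().splitlines():
        m = re.match(r"\((\d+)\)\s+(\w+)\s+(.*)$", line.strip())
        if not m or int(m.group(1)) != len(prog):
            raise ValueError("bad listing line: %r" % line)
        prog.append((m.group(2), m.group(3).strip()))
    return prog


def run_bpf(prog, frame):
    """Execute the program. A non-zero return accepts the frame (the value
    is how many bytes to keep); zero rejects it. A load past the end of
    the frame rejects, as the kernel/libpcap interpreters do."""
    acc, pc = 0, 0
    while pc < len(prog):
        op, args = prog[pc]
        if op in LOAD_SIZE:
            off, size = int(args.strip("[]")), LOAD_SIZE[op]
            if off + size > len(frame):
                return 0
            acc = int.from_bytes(frame[off:off + size], "big")
            pc += 1
        elif op == "jeq":
            m = re.match(r"#(\S+)\s+jt\s+(\d+)\s+jf\s+(\d+)$", args)
            pc = int(m.group(2)) if acc == int(m.group(1), 0) else int(m.group(3))
        elif op == "ret":
            return int(args.lstrip("#"), 0)
        else:
            raise ValueError("unsupported opcode %r" % op)
    raise ValueError("fell off the end of the program")


def ipv4_frame(src_ip, proto, ethertype=0x0800, payload=b"\x00" * 20):
    """Ethernet header (zeroed MACs) + minimal IPv4 header + payload."""
    eth = b"\x00" * 12 + struct.pack("!H", ethertype)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000,
                     64, proto, 0, IPv4Address(src_ip).packed,
                     IPv4Address("192.0.2.10").packed)
    return eth + ip + payload


PROGRAM = parse_dump(BPF_DUMP)

# Constructed frames: the first two are what the filter was meant to pass.
FRAMES = {
    "tcp from 162.129.225.192": ipv4_frame("162.129.225.192", 6),
    "udp from 162.129.225.192": ipv4_frame("162.129.225.192", 17),
    "icmp from 162.129.225.192": ipv4_frame("162.129.225.192", 1),
    "udp (dns) from 192.0.2.53": ipv4_frame("192.0.2.53", 17),
    "arp frame": b"\x00" * 12 + struct.pack("!H", 0x0806) + b"\x00" * 28,
    "truncated ip frame": ipv4_frame("162.129.225.192", 6)[:20],
}


def filter_result(name):
    return run_bpf(PROGRAM, FRAMES[name])


def accepted():
    return [name for name in FRAMES if filter_result(name) != 0]


if __name__ == "__main__":
    for name in FRAMES:
        print("%-28s -> ret #%d" % (name, filter_result(name)))
```

The program returns 96 only for a frame whose Ethernet type is 0x0800, whose IPv4 source is 0xa281e1c0 (162.129.225.192) and whose protocol is 6 (TCP) or 0x11 (UDP); an ARP frame is rejected at the type check, a UDP frame from another source at the address check, and a frame too short for the 4-byte load at offset 26 is rejected outright. So the listing encodes the parenthesized filter, with the source-address test applied before the protocol test.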