I think you want: tcpdump -C 100 -W 10 -w /tmp/tcpdump -i eth1 -s 0 udp dst portrange 5060-65534
dst port port True if the packet is ip/tcp, ip/udp, ip6/tcp or ip6/udp and has a destination port value of port. The port can be a number or a name used in /etc/services (see tcp(4P) and udp(4P)). If a name is used, both the port number and protocol are checked. If a number or ambiguous name is used, only the port number is checked (e.g., dst port 513 will print both tcp/login traffic and udp/who traffic, and port domain will print both tcp/domain and udp/domain traffic). src port port True if the packet has a source port value of port. port port True if either the source or destination port of the packet is port. dst portrange port1-port2 True if the packet is ip/tcp, ip/udp, ip6/tcp or ip6/udp and has a destination port value between port1 and port2. port1 and port2 are interpreted in the same fashion as the port parameter for port. src portrange port1-port2 True if the packet has a source port value between port1 and port2. portrange port1-port2 True if either the source or destination port of the packet is between port1 and port2. Any of the above port or port range expressions can be prepended with the keywords, tcp or udp, as in: -------------------------------------------------- Salvatore Giudice [EMAIL PROTECTED] VoIP Security Training, LLC http://VoIPSecurityTraining.com 848 N. Rainbow Blvd. #1676 Las Vegas, NV 89107 Phone: (617) 959-7625 Fax: (214) 279-2906 -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of CSB Sent: Tuesday, May 01, 2007 1:32 PM To: Asterisk Users Mailing List - Non-Commercial Discussion Subject: [asterisk-users] OT: Capture Asterisk traffic I want to capture all my Asterisk traffic (including RTP) and then analyse it. My plan was to use tcpdump and then analyse with Wireshark. The following works: tcpdump -i eth0 -s 0 -w /tmp/tcpdump.1 But I want to be a bit more selective: tcpdump -C 100 -W 10 -w /tmp/tcpdump -i eth1 -s 0 udp and dst port >= 5060 This doesn't capture the RTP traffic. Could anyone advise what I'm doing wrong or suggest a better way? Thanks Cameron _______________________________________________ --Bandwidth and Colocation provided by Easynews.com -- asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users _______________________________________________ --Bandwidth and Colocation provided by Easynews.com -- asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
