Sounds like you have an old libpcap. Try using this:
tcpdump -C 100 -W 10 -w /tmp/tcpdump -i eth1 -s 0 'udp[2:2] >= 5060 and udp[2:2] <= 65534'

This works on one of my machines that has a libpcap that doesn't support portrange. I guess you can't use macros to define the port range. So, you'll have to reference the header values directly. 0:2 is src port and 2:2 is dst port. Try that. It may work. Or you could try to upgrade libpcap.

--------------------------------------------------
Salvatore Giudice
[EMAIL PROTECTED]
VoIP Security Training, LLC
http://VoIPSecurityTraining.com
848 N. Rainbow Blvd. #1676
Las Vegas, NV 89107
Phone: (617) 959-7625
Fax: (214) 279-2906

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of CSB
Sent: Wednesday, May 02, 2007 4:50 AM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] OT: Capture Asterisk traffic

>I think you want:
>
> tcpdump -C 100 -W 10 -w /tmp/tcpdump -i eth1 -s 0 udp dst portrange 5060-65534
>

Thanks

tcpdump -C 100 -W 10 -w /tmp/tcpdump -i eth1 -s 0 udp and dst portrange 5060-35000
tcpdump: unknown host 'portrange'

tcpdump version 3.8
libpcap version 0.8.3

man tcpdump indicates that I should be able to use >= syntax but it doesn't work as expected.

Any further advice appreciated.

Cameron
_______________________________________________
--Bandwidth and Colocation provided by Easynews.com --

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users
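
Added example, not part of the original thread: a Python sketch of what the byte-offset filter 'udp[2:2] >= 5060 and udp[2:2] <= 65534' tests on each frame, including the cases where it does not match (IPv6, non-first IP fragments) and the variable IP header length the udp[] index has to skip. The function names and the sample frames are constructed for illustration and assume Ethernet framing as on eth1.

```python
import struct

ETH_LEN = 14  # Ethernet II header; the capture in the thread is on eth1

def dst_port_in_range(frame: bytes, low: int = 5060, high: int = 65534) -> bool:
    """Evaluate 'udp[2:2] >= low and udp[2:2] <= high' on one Ethernet frame."""
    if len(frame) < ETH_LEN + 20:
        return False
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800:  # udp[] indexing is IPv4 only
        return False
    ip = frame[ETH_LEN:]
    ihl = (ip[0] & 0x0F) * 4  # header length in bytes; grows when IP options are present
    if ip[0] >> 4 != 4 or ihl < 20 or ip[9] != 17:  # protocol 17 = UDP
        return False
    if struct.unpack_from("!H", ip, 6)[0] & 0x1FFF:  # non-first fragment has no UDP header
        return False
    udp = ip[ihl:]
    if len(udp) < 4:
        return False
    src_port, dst_port = struct.unpack_from("!HH", udp, 0)  # udp[0:2], udp[2:2]
    return low <= dst_port <= high

def build_frame(src_port: int, dst_port: int, ip_options: bytes = b"",
                frag_offset: int = 0) -> bytes:
    """Constructed sample input: Ethernet/IPv4/UDP frame, checksums left at zero."""
    payload = b"constructed"
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload
    words = 5 + len(ip_options) // 4  # ip_options must be a multiple of 4 bytes
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | words, 0, words * 4 + len(udp), 0,
                     frag_offset, 64, 17, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    eth = bytes(12) + struct.pack("!H", 0x0800)
    return eth + ip + ip_options + udp

if __name__ == "__main__":
    cases = {
        "dst 10000": build_frame(5060, 10000),
        "dst 53, src 5060": build_frame(5060, 53),
        "dst 20000, IP options": build_frame(4000, 20000, ip_options=b"\x01" * 4),
        "dst 20000, later fragment": build_frame(4000, 20000, frag_offset=185),
    }
    for name, frame in cases.items():
        print(f"{name}: {'captured' if dst_port_in_range(frame) else 'dropped'}")
```

Because the filter looks only at the destination port, replies sent from port 5060 to a low client port are not captured, and the later fragments of a large UDP datagram are missed as well.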
