On 08/04/2006 14:56, fbsd_user wrote:
> I tried 
>    tcpdump -i rl0 src host -w /usr/tcpdump.data
>    tcpdump -i rl0 host -w /usr/tcpdump.data
>    tcpdump -i rl0 src ip -w /usr/tcpdump.data  
> but got syntax error msg with no hint of what was wrong
> If I remove the -w stuff it works. Meaning it prints to the screen.
> But I want to write to file
> Can you help me out here on the syntax error?

Have a look at 'tcpdump -h' (or man, of course). Expression (i.e. 'src
host') is the last argument. This should work:

tcpdump -i rl0 -w /usr/tcpdump.data src host

> One other thing. When does tcpdump get access to the packet?
> My firewall has a block log rule for that ip address. 
> Does tcpdump see the packet before ipfilter ipnat does?

Yes. I'm not familiar with kernel code, but I can perfectly see all
packets with tcpdump.



Karol Kwiatkowski  <freebsd at orchid dot homeunix dot org>
OpenPGP: http://www.orchid.homeunix.org/carlos/gpg/0x06E09309.asc

Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to