On 08/04/2006 14:56, fbsd_user wrote:
> I tried
> tcpdump -i rl0 src host 126.96.36.199 -w /usr/tcpdump.data
> tcpdump -i rl0 host 188.8.131.52 -w /usr/tcpdump.data
> tcpdump -i rl0 src ip 184.108.40.206 -w /usr/tcpdump.data
>
> but got a syntax error msg with no hint of what was wrong.
>
> If I remove the -w stuff it works, meaning it prints to the screen.
> But I want to write to a file.
>
> Can you help me out here on the syntax error?
Have a look at 'tcpdump -h' (or man, of course). The expression (i.e. 'src host 220.127.116.11') is the last argument. This should work:

tcpdump -i rl0 -w /usr/tcpdump.data src host 18.104.22.168

> One other thing. When does tcpdump get access to the packet?
>
> My firewall has a block log rule for that ip address.
> Does tcpdump see the packet before ipfilter ipnat does?

Yes. I'm not familiar with kernel code, but I can perfectly see all packets with tcpdump.

HTH,
Karol

--
Karol Kwiatkowski <freebsd at orchid dot homeunix dot org>
OpenPGP: http://www.orchid.homeunix.org/carlos/gpg/0x06E09309.asc
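As an added example (not part of Karol's reply or of the original thread), the following POSIX sh snippet spells out the rule from the answer: every option, including -w, goes before the filter expression, and the expression is whatever is left at the end of the command line (pcap-filter also has no 'src ip' primitive; the qualifier takes host, net or port). It also adds the check a practitioner wants after such a capture: confirming by magic number that the file -w produced is a libpcap or pcapng capture, since -w writes binary and prints nothing readable to the screen. The interface, path and filter are placeholders, and the 24-byte sample header is constructed here so the check can be exercised without tcpdump or root.

```shell
#!/bin/sh
# Added example, not from the original thread. Interface, output path and
# filter are assumed placeholders; the sample pcap header is constructed.

# Print a correctly ordered tcpdump command that writes to a file.
# Usage: capture_cmd IFACE OUTFILE FILTER...
# Options first (-n: no DNS lookups, -i, -w), filter tokens last.
capture_cmd() {
    iface=$1; outfile=$2; shift 2
    printf 'tcpdump -n -i %s -w %s %s\n' "$iface" "$outfile" "$*"
}

# Print the command to read a saved capture back; the same ordering rule
# applies, so a filter can be appended after the options.
# Usage: read_cmd CAPFILE FILTER...
read_cmd() {
    capfile=$1; shift
    printf 'tcpdump -n -r %s %s\n' "$capfile" "$*"
}

# First four bytes of a file as lowercase hex, e.g. d4c3b2a1.
pcap_magic() {
    od -A n -t x1 -N 4 "$1" | tr -d ' \n'
}

# Succeed if the file starts with a libpcap or pcapng magic number, i.e.
# looks like something 'tcpdump -w' (or any libpcap tool) wrote.
is_pcap_file() {
    case "$(pcap_magic "$1")" in
        d4c3b2a1|a1b2c3d4) return 0 ;;  # classic pcap, microsecond timestamps
        4d3cb2a1|a1b23c4d) return 0 ;;  # classic pcap, nanosecond timestamps
        0a0d0d0a)          return 0 ;;  # pcapng section header block
        *)                 return 1 ;;
    esac
}

# Constructed test input: a little-endian libpcap global header (version 2.4,
# zone 0, sigfigs 0, snaplen 65535, linktype 1 = Ethernet) with no packets.
# This is what the first 24 bytes of a real 'tcpdump -w' file look like.
write_sample_pcap() {
    printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000' > "$1"
}
```

Typical use: run `eval "$(capture_cmd rl0 /usr/tcpdump.data src host 192.0.2.1)"` as root, stop it with Ctrl-C, check `is_pcap_file /usr/tcpdump.data`, then view the packets with `eval "$(read_cmd /usr/tcpdump.data)"`. The magic check catches the common mistake of redirecting text output into the file instead of using -w.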