Guy Harris wrote:
On Jul 31, 2008, at 5:52 AM, U. George wrote:
BUT if i remove the 'port domain' i see all the packets:
[EMAIL PROTECTED] gat]# /usr/sbin/tcpdump -v -n -i eth1
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
08:49:38.834343 PPPoE [ses 0xea20] [length 48 (4 extra bytes)] IP (tos 0x0, ttl 236, id 50854, offset 0, flags [DF], proto 6, length: 44) 59.151.50.248.45573 > 71.247.232.63.domain: S [tcp sum ok] 1445792188:1445792188(0) win 8190 <mss 1460>
You're capturing on an Ethernet that's carrying PPPoE traffic.
The filter "port domain" will capture packets that have an Ethernet type
of 0x0800 (IPv4), an IP packet type of UDP or TCP, and a UDP or TCP port
number of 25.
It will not capture *ANY* PPPoE traffic, as it has a different Ethernet
type.
If the DNS requests are on PPPoE, then, at least with a sufficiently
recent version of libpcap, the filter
pppoes and port domain
should capture them. If you want to capture non-PPPoE DNS requests as
well, try
port domain or (pppoes and port domain)
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
Thanks for the reply,
BUT
why does adding the "PORT" conditional also modify the wild-card aspects
of "ethernet type"?
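To make the "why" concrete, here is an added example (not code from the thread or from libpcap) that mirrors, in Python, the checks a compiled "port domain" filter performs on each frame: the Ethernet type test comes first, so a PPPoE session frame (type 0x8864) is rejected before any port is looked at, while "pppoes and port domain" steps past the 6-byte PPPoE and 2-byte PPP headers before applying the same port test. The frames, MAC and IP addresses are constructed; the example uses port 53, the service number libpcap resolves "domain" to.

```python
import struct

ETH_IPV4 = 0x0800          # Ethernet type matched by plain "port domain"
ETH_PPPOE_SESSION = 0x8864 # Ethernet type of PPPoE session frames
PPP_IPV4 = 0x0021          # PPP protocol field for IPv4 inside PPPoE
DNS_PORT = 53              # what libpcap resolves "domain" to

def _ipv4_has_port(ip, port):
    """True if an IPv4 packet is TCP or UDP with src or dst port == port."""
    if len(ip) < 20:
        return False
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] not in (6, 17) or len(ip) < ihl + 4:   # 6 = TCP, 17 = UDP
        return False
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return port in (sport, dport)

def match_port_domain(frame):
    """Filter "port domain": Ethernet type IPv4, then the TCP/UDP port test."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        return False            # a PPPoE frame fails right here
    return _ipv4_has_port(frame[14:], DNS_PORT)

def match_pppoes_port_domain(frame):
    """Filter "pppoes and port domain": PPPoE session, PPP IPv4, then port test."""
    if len(frame) < 22 or struct.unpack("!H", frame[12:14])[0] != ETH_PPPOE_SESSION:
        return False
    if struct.unpack("!H", frame[20:22])[0] != PPP_IPV4:
        return False
    return _ipv4_has_port(frame[22:], DNS_PORT)   # IP starts after 14 + 6 + 2 bytes

def match_combined(frame):
    """Filter "port domain or (pppoes and port domain)"."""
    return match_port_domain(frame) or match_pppoes_port_domain(frame)

# Constructed sample frames (addresses made up): one IPv4/UDP datagram sent
# as a plain Ethernet frame and again encapsulated in a PPPoE session frame.
MAC_DST = bytes.fromhex("001122334455")
MAC_SRC = bytes.fromhex("66778899aabb")

def build_ipv4_udp(dport):
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0x4000, 64, 17, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip_hdr + struct.pack("!HHHH", 40000, dport, 8, 0)

def plain_frame(dport=DNS_PORT):
    return MAC_DST + MAC_SRC + struct.pack("!H", ETH_IPV4) + build_ipv4_udp(dport)

def pppoe_frame(dport=DNS_PORT, session_id=0xEA20):
    payload = struct.pack("!H", PPP_IPV4) + build_ipv4_udp(dport)
    pppoe_hdr = struct.pack("!BBHH", 0x11, 0x00, session_id, len(payload))
    return MAC_DST + MAC_SRC + struct.pack("!H", ETH_PPPOE_SESSION) + pppoe_hdr + payload
```

Running `match_port_domain` over both frames shows the plain one matching and the PPPoE one rejected at the Ethernet type check, which is exactly the behaviour seen with and without "port domain" on the capture above.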