On Jul 31, 2008, at 11:29 AM, U. George wrote:
> if i say this:
> tcpdump -n -v -i eth1
> i get a log of: ether type * and port *, ie the PPPoE data.
What you get is a log of "*", i.e. all data. "port *" is irrelevant;
not all packets that would match "ether type *" *HAVE* a port number.
> If i say
> tcpdump -n -v -i eth1 port domain
> i get a filter of ether (type UDP or TCP) and port domain, and no
> PPPoE data
"port domain" is equivalent to "tcp port domain or udp port domain",
which is equivalent to "(tcp or udp) and (tcp port domain or udp port
domain)", which is equivalent to "ip and (tcp or udp) and (tcp port
domain or udp port domain)".
For better or worse, "ip" on Ethernet is equivalent to "ether type
ip", so "port domain" is equivalent to
"ether type ip and (tcp or udp) and (tcp port domain or udp port
domain)".
For better or worse, "ip" doesn't check for every single possible type
of IP traffic you could have on an Ethernet; it doesn't check for raw
IP-over-Ethernet and IP-over-PPPoE-over-Ethernet and
IP-over-VLAN-over-Ethernet and.... Were it to do so, the filter would be more
complicated, meaning more CPU time for filtering, and the current code
for compiling filters into BPF code might need some significant changes.
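The following Python script is an added illustration of the point made above, not code from the thread or from libpcap. It builds two constructed frames carrying the same DNS query, one as raw IP-over-Ethernet (ether type 0x0800) and one inside a PPPoE session (ether type 0x8864, then a PPPoE header and a PPP protocol field of 0x0021 for IP), and runs a hand-written matcher that mirrors what "port domain" compiles to: the ether type test comes first, so the PPPoE frame never reaches the port comparison. A second matcher that walks the PPPoE header is included to show what an encapsulation-aware filter has to do extra (and, by extension, why "ip" is kept simple). The frame builders, MAC addresses and session id are all made up for the example; in a real capture you would compare against `tcpdump -d 'port domain'` to see the actual BPF instructions.

```python
"""Why 'port domain' does not see DNS carried over PPPoE (constructed frames only)."""
import struct

ETHERTYPE_IP = 0x0800
ETHERTYPE_PPPOE_SESSION = 0x8864
PPP_PROTO_IP = 0x0021          # PPP protocol number for IPv4
IPPROTO_TCP, IPPROTO_UDP = 6, 17
DOMAIN_PORT = 53               # "domain" in /etc/services


def build_ipv4_udp(src_port, dst_port, payload):
    """Minimal IPv4 + UDP datagram (constructed addresses, zero checksums)."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", src_port, dst_port, udp_len, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64,
                     IPPROTO_UDP, 0, bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1]))
    return ip + udp


def ethernet(ethertype, payload):
    """Ethernet II frame with zeroed (constructed) destination and source MACs."""
    return bytes(6) + bytes(6) + struct.pack("!H", ethertype) + payload


def pppoe_session(session_id, ppp_proto, payload):
    """PPPoE session header (ver/type 0x11, code 0x00) followed by a 2-byte PPP protocol field."""
    ppp = struct.pack("!H", ppp_proto) + payload
    return struct.pack("!BBHH", 0x11, 0x00, session_id, len(ppp)) + ppp


def ports_of_ip(ip):
    """Return (proto, src_port, dst_port) for a TCP/UDP IPv4 packet, else None."""
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    if proto not in (IPPROTO_TCP, IPPROTO_UDP) or len(ip) < ihl + 4:
        return None
    if struct.unpack("!H", ip[6:8])[0] & 0x1FFF:   # non-first fragment: no port header here
        return None
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return proto, sport, dport


def match_port_domain(frame):
    """Mirror of 'port domain' as the reply expands it:
    ether type ip and (tcp or udp) and (tcp port domain or udp port domain).
    The ether type test runs first, so anything not 0x0800 is rejected outright."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IP:
        return False
    r = ports_of_ip(frame[14:])
    return r is not None and DOMAIN_PORT in r[1:]


def match_pppoes_port_domain(frame):
    """Encapsulation-aware variant: ether type 0x8864 -> PPPoE session header -> PPP proto IP -> ports.
    Every extra layer is another set of loads and compares in the compiled filter."""
    if len(frame) < 22 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_PPPOE_SESSION:
        return False
    ver_type, code, _session_id, _length = struct.unpack("!BBHH", frame[14:20])
    if ver_type != 0x11 or code != 0x00:
        return False
    if struct.unpack("!H", frame[20:22])[0] != PPP_PROTO_IP:
        return False
    r = ports_of_ip(frame[22:])
    return r is not None and DOMAIN_PORT in r[1:]


# Constructed sample traffic: one DNS query for example.com, carried two ways.
DNS_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
             b"\x07example\x03com\x00\x00\x01\x00\x01")
PLAIN_DNS_FRAME = ethernet(ETHERTYPE_IP, build_ipv4_udp(40000, DOMAIN_PORT, DNS_QUERY))
PPPOE_DNS_FRAME = ethernet(ETHERTYPE_PPPOE_SESSION,
                           pppoe_session(0x0001, PPP_PROTO_IP,
                                         build_ipv4_udp(40000, DOMAIN_PORT, DNS_QUERY)))

if __name__ == "__main__":
    for name, frame in (("raw IP", PLAIN_DNS_FRAME), ("PPPoE", PPPOE_DNS_FRAME)):
        print(f"{name:7s} port domain={match_port_domain(frame)} "
              f"pppoes-aware={match_pppoes_port_domain(frame)}")
```

The first matcher answers "True" for the raw IP frame and "False" for the PPPoE frame even though both carry an identical UDP/53 datagram, which is exactly the behaviour the original poster observed. Current pcap-filter(7) does offer a `pppoes` primitive for the session encapsulation, so a separate expression such as `pppoes and port domain` can be used when that traffic is wanted; the point of the reply stands, which is that plain "ip" (and hence "port") deliberately does not fold every encapsulation into one filter.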
This is the tcpdump-workers list.