On 0, Guy Harris <[EMAIL PROTECTED]> wrote:
> > I have created a tcpdump filter file, and tried to start tcpdump,
> > "tcpdump -p -i eth2 -a -vv -F filters.txt" and I get "tcpdump: parse error".
> > Is this the right way to invoke tcpdump?
>
> Yes, it is...
>
> ...assuming, of course, that the file "filters.txt" contains a valid
> tcpdump filter expression, as documented in the tcpdump man page.
>
> > Also, can I have multiple lines of filter rules in the filter file?
>
> No.
>
> For one thing, tcpdump wouldn't know which of those filters to use, if
> it treated each line as a separate filter.
>
> For another thing, tcpdump *doesn't* treat each line as a separate
> filter; it treats all the text in the file as a *single* filter...
>
> ...which means there's a very good chance that a file with multiple
> lines, on each of which the user had put a filter expression, would get
> a parse error when handed to tcpdump.
>
I just found out, with some more experimentation, that you can have multiple
filters, with each filter in ( ), and then OR each filter. If one of the filters
(expressions) is true, then you get the packet dump. This way you can have
multiple filters in one filter file.
Thanks for the help though.
--
Subba Rao
[EMAIL PROTECTED]
http://members.home.net/subba9/
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe
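
The approach described in the reply above, as an added example that is not part of the original thread: a shell helper that turns a one-expression-per-line rules file into the single parenthesized, OR-ed expression that -F expects. The names `combine_filters` and `check_filter`, the sample rules, and the skipping of `#` lines are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. combine_filters and check_filter are
# hypothetical helper names; the sample rules below are constructed.

# Print one expression "(expr1) or (expr2) or ..." from a file that holds one
# filter expression per line. Blank lines and lines starting with '#' are
# dropped by this helper, so they never reach tcpdump.
combine_filters() {
    combined=""
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case "$line" in
            ''|'#'*) continue ;;
        esac
        if [ -z "$combined" ]; then
            combined="($line)"
        else
            combined="$combined or ($line)"
        fi
    done < "$1"
    printf '%s\n' "$combined"
}

# Compile the filter file without capturing: -d prints the compiled
# packet-matching code and stops. A non-zero status means tcpdump rejected it
# (or could not open the capture interface).
check_filter() { tcpdump -d -F "$1" > /dev/null; }

# Constructed sample: one expression per line, the layout that, per the
# thread, is likely to give a parse error when passed to -F unchanged.
rules=$(mktemp)
cat > "$rules" <<'EOF'
# name lookups
udp port 53
host 192.0.2.10 and tcp port 22

icmp
EOF

# The parentheses need no shell quoting here: tcpdump reads them from the file.
combine_filters "$rules" > "$rules.single"
cat "$rules.single"

if command -v tcpdump > /dev/null 2>&1; then
    check_filter "$rules.single" || echo "filter not accepted" >&2
fi
```

The resulting file can then be passed to tcpdump with -F, as in the command quoted at the top of the thread.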