On Mon, May 06, 2002 at 11:14:07AM -0700, Harry Putnam wrote:
> How does one use the `dir' specifier?

Step 1: read the tcpdump man page using a tool that shows italics as such, or as underlined. :-)

I.e., there is no specifier in libpcap filters using the word "dir". "dir" is italicized in the man page, meaning it's not a word you use literally in filter expressions, it's a "variable" that refers to, in this case, one of the words "src", "dst", "inbound", and "outbound" (the latter two of which work only for protocols such as SLIP), as per:

    I<dir> qualifiers specify a particular transfer direction to
    and/or from I<id>. Possible directions are `src', `dst',
    `src or dst' and `src and dst'. E.g., `src foo', `dst net 128.3',
    `src or dst port ftp-data'. If there is no I<dir> qualifier,
    `src or dst' is assumed. For `null' link layers (i.e. point to
    point protocols such as slip) the `inbound' and `outbound'
    qualifiers can be used to specify a desired direction.

(where I<xxx> indicates stuff in italics).

> Can someone provide an example?
> There are none in man tcpdump.

Well, there are examples in the man page paragraph above, e.g. "src foo".

> For example:
> With this command `tcpdump -w FILE -i eth1 host 192.168.1.7'
>
> How would one specify a direction of 192.168.1.7 ==> DESTINATION only.

If by that you mean that the source of the packet should be 192.168.1.7, and the destination of the packet doesn't matter, then it'd be

    tcpdump -w FILE -i eth0 src host 192.168.1.7

or

    tcpdump -w FILE -i eth0 src 192.168.1.7

-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
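
The direction semantics quoted from the man page above, modelled over constructed IPv4 headers. This is an added example, not part of the original message and not libpcap's code; it handles only the `[dir] [host] ADDR` form, and the helper names, the packet labels and the 10.0.0.x addresses are assumptions made for illustration.

```python
import ipaddress
import struct

# The four direction forms named in the man page; longest first so that
# a bare 'src' does not shadow 'src or dst' / 'src and dst' while parsing.
DIRS = ("src or dst", "src and dst", "src", "dst")

def ipv4_header(src, dst):
    """Constructed 20-byte IPv4 header (TCP, checksum left at 0)."""
    a, b = (ipaddress.IPv4Address(x).packed for x in (src, dst))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0, a, b)

def parse_filter(expr):
    """Split '[dir] [host] ADDR' into (dir, address); no dir means 'src or dst'."""
    expr = " ".join(expr.split())
    direction = "src or dst"
    for d in DIRS:
        if expr.startswith(d + " "):
            direction, expr = d, expr[len(d):].strip()
            break
    if expr.startswith("host "):
        expr = expr[5:]
    return direction, ipaddress.IPv4Address(expr)

def matches(expr, packet):
    """Apply the direction test to the header's source and destination fields."""
    direction, addr = parse_filter(expr)
    src = ipaddress.IPv4Address(packet[12:16])
    dst = ipaddress.IPv4Address(packet[16:20])
    return {"src": src == addr, "dst": dst == addr,
            "src and dst": src == addr == dst,
            "src or dst": addr in (src, dst)}[direction]

# Constructed sample traffic: one packet from the host, one to it, one unrelated.
PACKETS = {
    "from": ipv4_header("192.168.1.7", "10.0.0.5"),
    "to": ipv4_header("10.0.0.5", "192.168.1.7"),
    "other": ipv4_header("10.0.0.5", "10.0.0.9"),
}

def selected(expr):
    """Labels of the sample packets that a filter expression keeps."""
    return [name for name, pkt in PACKETS.items() if matches(expr, pkt)]

if __name__ == "__main__":
    for f in ("host 192.168.1.7", "src host 192.168.1.7", "dst 192.168.1.7"):
        print(f"{f!r:26} keeps {selected(f)}")
```

With no qualifier the capture keeps both directions, which is why the original `host 192.168.1.7` command also records replies sent to that address.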