I have the following filter to log "suspicious traffic" to my PC:

  icmp || (udp && (host not 217.13.7.136 and host not 217.13.4.21)) || ( (tcp[13] & 3 != 0) && (port not (25 || 80 || 110 || 119 || 6346 || 6347)) )

"windump -dF suspicious.filter" says:

  (000) ldh [12]
  (001) jeq #0x800 jt 2 jf 11
  (002) ldb [23]
  (003) jeq #0x1 jt 14 jf 4
  (004) jeq #0x11 jt 5 jf 15
  (005) ld [26]
  (006) jeq #0xd90d0788 jt 15 jf 7
  (007) jeq #0xd90d0415 jt 15 jf 8
  (008) ld [30]
  (009) jeq #0xd90d0788 jt 15 jf 10
  (010) jeq #0xd90d0415 jt 15 jf 14
  (011) jeq #0x86dd jt 12 jf 15 ; IPv6 enabled windump
  (012) ldb [20]
  (013) jeq #0x11 jt 14 jf 15
  (014) ret #96
  (015) ret #0

------------------------------

Why are the tcp SYN/FIN and ports not evaluated? I guess the filter spec is wrong, but what?

Gisle V.

# rm /bin/laden
/bin/laden: Not found

-
This is the TCPDUMP workers list. It is archived at http://www.tcpdump.org/lists/workers/index.html
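The quickest way to confirm what the poster observed is to run the compiled listing itself against a few constructed frames and compare the result with what the filter text says it should do. The following script is an added example, not code from the post or from tcpdump/WinPcap: it parses the exact `windump -d` listing above into a tiny BPF interpreter (only the `ld`/`ldh`/`ldb`/`jeq`/`ret` opcodes the listing uses), builds minimal Ethernet/IPv4 frames, and evaluates the author's filter text directly in Python as a reference. The frame contents, the 10.0.0.x addresses and the port 22 choice are my own constructed test data; `intended_match` is my reading of the filter text, restricted to IPv4.

```python
import re
import struct

# Compiled program exactly as printed in the post (windump -dF suspicious.filter).
# The "; IPv6 enabled windump" remark is the poster's and is skipped by the parser.
BPF_LISTING = """\
(000) ldh [12]
(001) jeq #0x800 jt 2 jf 11
(002) ldb [23]
(003) jeq #0x1 jt 14 jf 4
(004) jeq #0x11 jt 5 jf 15
(005) ld [26]
(006) jeq #0xd90d0788 jt 15 jf 7
(007) jeq #0xd90d0415 jt 15 jf 8
(008) ld [30]
(009) jeq #0xd90d0788 jt 15 jf 10
(010) jeq #0xd90d0415 jt 15 jf 14
(011) jeq #0x86dd jt 12 jf 15 ; IPv6 enabled windump
(012) ldb [20]
(013) jeq #0x11 jt 14 jf 15
(014) ret #96
(015) ret #0
"""

# Hosts and ports named in the filter text of the post.
EXCLUDED_HOSTS = {"217.13.7.136", "217.13.4.21"}
EXCLUDED_PORTS = {25, 80, 110, 119, 6346, 6347}


def parse_listing(text):
    """Turn a 'tcpdump -d' style listing into (op, k, jt, jf) tuples."""
    prog = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop inline remarks
        if not line:
            continue
        m = re.match(r"\((\d+)\)\s+(\w+)\s*(.*)", line)
        idx, op, rest = int(m.group(1)), m.group(2), m.group(3)
        if idx != len(prog):
            raise ValueError("listing not numbered consecutively at %d" % idx)
        if op in ("ld", "ldh", "ldb"):
            prog.append((op, int(re.match(r"\[(\d+)\]", rest).group(1)), None, None))
        elif op == "jeq":
            jm = re.match(r"#(\S+)\s+jt\s+(\d+)\s+jf\s+(\d+)", rest)
            prog.append((op, int(jm.group(1), 0), int(jm.group(2)), int(jm.group(3))))
        elif op == "ret":
            prog.append((op, int(rest.lstrip("#"), 0), None, None))
        else:
            raise ValueError("opcode not handled by this toy interpreter: " + op)
    return prog


def run_bpf(prog, pkt):
    """Run the program on one frame; returns the accept length (0 = rejected)."""
    width = {"ld": ("!I", 4), "ldh": ("!H", 2), "ldb": ("!B", 1)}
    acc, pc = 0, 0
    while True:
        op, k, jt, jf = prog[pc]
        if op == "ret":
            return k
        if op == "jeq":
            pc = jt if acc == k else jf
            continue
        fmt, size = width[op]
        if k + size > len(pkt):                      # out-of-bounds load rejects, as in real BPF
            return 0
        acc = struct.unpack_from(fmt, pkt, k)[0]
        pc += 1


def ipv4_frame(proto, src, dst, payload):
    """Ethernet II + option-less IPv4 header + L4 payload (constructed test data)."""
    eth = bytes(12) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + payload


def tcp_segment(sport, dport, flags):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


def udp_datagram(sport, dport):
    return struct.pack("!HHHH", sport, dport, 8, 0)


ICMP_ECHO = b"\x08\x00\x00\x00\x00\x00\x00\x00"

SAMPLES = {   # constructed frames; addresses/ports are assumptions for the test
    "icmp echo": ipv4_frame(1, "10.0.0.1", "10.0.0.2", ICMP_ECHO),
    "udp from excluded host": ipv4_frame(17, "217.13.7.136", "10.0.0.2", udp_datagram(53, 1025)),
    "udp to excluded host": ipv4_frame(17, "10.0.0.1", "217.13.4.21", udp_datagram(1025, 53)),
    "udp other": ipv4_frame(17, "10.0.0.1", "10.0.0.2", udp_datagram(1025, 53)),
    "tcp syn to port 22": ipv4_frame(6, "10.0.0.1", "10.0.0.2", tcp_segment(40000, 22, 0x02)),
    "tcp syn to port 80": ipv4_frame(6, "10.0.0.1", "10.0.0.2", tcp_segment(40000, 80, 0x02)),
    "tcp ack only": ipv4_frame(6, "10.0.0.1", "10.0.0.2", tcp_segment(40000, 22, 0x10)),
}


def intended_match(pkt):
    """The filter text of the post, as I read it, evaluated directly (IPv4 only)."""
    if struct.unpack_from("!H", pkt, 12)[0] != 0x0800:
        return False
    proto, l4 = pkt[23], 14 + (pkt[14] & 0x0F) * 4
    src = ".".join(str(b) for b in pkt[26:30])
    dst = ".".join(str(b) for b in pkt[30:34])
    if proto == 1:                                   # icmp
        return True
    if proto == 17:                                  # udp && host not A and host not B
        return src not in EXCLUDED_HOSTS and dst not in EXCLUDED_HOSTS
    if proto == 6:                                   # tcp[13] & 3 != 0 && port not (...)
        sport, dport = struct.unpack_from("!HH", pkt, l4)
        return (pkt[l4 + 13] & 0x03) != 0 and sport not in EXCLUDED_PORTS \
            and dport not in EXCLUDED_PORTS
    return False


def mismatches():
    """Sample names where the compiled program disagrees with the filter text."""
    prog = parse_listing(BPF_LISTING)
    return [name for name, pkt in SAMPLES.items()
            if (run_bpf(prog, pkt) != 0) != intended_match(pkt)]


if __name__ == "__main__":
    print("compiled program disagrees with filter text on:", mismatches())
```

Running it reports the single disagreement `tcp syn to port 22`: the compiled program returns 0 for a TCP SYN to a port the filter text does not exclude, because instruction (004) sends every non-UDP IPv4 packet straight to `ret #0`. The same approach (execute the listing, not the source text) is how to sanity-check any capture or IDS filter before trusting what it logs.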
