>My syntax is tcpdump dst port XXXX and port XXXX, although it reports it is >listening it reports no packets (but when only one port is entered it is >fine). Are the two XXXX's different or the same? If they're the same, this filter optimizes to just "dst port XXXX", since "port XXXX" is equivalent to "dst port XXXX or src port XXXX", and since you already specified "dst port XXXX" the "and port XXXX" is irrelevant. Otherwise, it optimizes to "dst port XXXX and src port YYYY", so if that's not what you're trying to capture that may be why you're not seeing anything. I don't know what you're trying to debug, but often the source port is arbitrarily allocated so you may have trouble picking the right number for your command. >Also is it possible to have tcpdump report the originating TCP address >rather than its resolved one?? What do you mean by "originating TCP address" and "resolved one"? If you mean IP address vs hostname, use "-n". If you mean absolute TCP sequence numbers vs. relative, use "-S". Bill - This is the TCPDUMP workers list. It is archived at http://www.tcpdump.org/lists/workers/index.html To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe
