On Mon, May 28, 2001 at 02:36:17PM -0700, Bill Fenner wrote:
> This:
> 
> >[root@routeur snortsnarf]# tcpdump not port ssh -i ppp0
> >tcpdump: listening on ppp0
> 
> makes me think that you're not using a tcpdump from tcpdump.org, since
> that command line is a syntax error to any tcpdump.org tcpdump version
> that I know about.

Yes, the standard tcpdump requires that the capture filter come *after*
command-line flags such as "-i ppp0".

And he may be doing it on a Linux system, as:

> >[root@routeur snortsnarf]# tcpdump -i ppp0 not port ssh
> >tcpdump: listening on ppp0
> >17:19:05.703592 1.2.3.4.ssh > 5.6.7.8.murray: P 
> >1752260781:1752260801(20) ack 3009532 win 5808 (DF) [tos 0x10]
> >
> >1 packets received by filter
> >0 packets dropped by kernel

looks like another case where the capture starts before the packet
filter is added to the PF_PACKET socket (although there might be other
platforms on which adding a kernel packet filter to a device/socket
doesn't flush the packet buffer).
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe
