On Jul 19, 2007, at 9:07 AM, [EMAIL PROTECTED] wrote:

> be sure you don't want to say:
>
> tcpdump -i eth0 -s 0 -w dump (host 192.168.0.1 or host 192.168.0.2)
> and port 443

To quote the tcpdump man page:

    host host
        True if either the IPv4/v6 source or destination of the packet is host.

    ...

    port port
        True if either the source or destination port of the packet is port.

This means that "host 192.168.0.1 and host 192.168.0.2 and port 443" means "(the source or destination host is 192.168.0.1) and (the source or destination host is 192.168.0.2) and (the source or destination port is 443)". That matches all traffic that's either:

    from 192.168.0.1 and to 192.168.0.1;
    from 192.168.0.1 and to 192.168.0.2;
    from 192.168.0.2 and to 192.168.0.1;
    from 192.168.0.2 and to 192.168.0.2;

and that's to or from port 443.

This also means that "(host 192.168.0.1 or host 192.168.0.2) and port 443" means "((the source or destination host is 192.168.0.1) or (the source or destination host is 192.168.0.2)) and (the source or destination port is 443)". That matches all traffic that's either:

    from 192.168.0.1;
    to 192.168.0.1;
    from 192.168.0.2;
    to 192.168.0.2;

and that's to or from port 443.

The first of those doesn't, for example, match traffic from 192.168.0.1 to 216.34.131.135; it only matches traffic between 192.168.0.1 and 192.168.0.2, traffic from 192.168.0.1 to itself (if that can be captured on eth0, which it probably can't), and traffic from 192.168.0.2 to itself (again, if that can be captured on eth0, which it probably can't).

The second of those does match, for example, traffic from 192.168.0.1 to 216.34.131.135.

(All of this also applies to Wireshark/TShark, of course, as they use the same capture filter compiler and so on.)
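
The difference between the two filters in the message above, worked through as an added example (not part of the original message, and not tcpdump or libpcap code). The `host` and `port` primitives are modelled as predicates with the man-page semantics and applied to constructed packets; the helper functions and packet names are hypothetical.

```python
# Added example: models the man-page semantics of the "host" and "port"
# primitives as predicates over constructed packets. Not tcpdump/libpcap code.
from collections import namedtuple

Packet = namedtuple("Packet", "src dst sport dport")

def host(addr):
    # "True if either the IPv4/v6 source or destination of the packet is host."
    return lambda p: addr in (p.src, p.dst)

def port(num):
    # "True if either the source or destination port of the packet is port."
    return lambda p: num in (p.sport, p.dport)

def all_of(*preds):
    # Filter-language "and": every primitive must hold for the same packet.
    return lambda p: all(f(p) for f in preds)

def any_of(*preds):
    # Filter-language "or": at least one primitive must hold.
    return lambda p: any(f(p) for f in preds)

# "host 192.168.0.1 and host 192.168.0.2 and port 443"
AND_FILTER = all_of(host("192.168.0.1"), host("192.168.0.2"), port(443))
# "(host 192.168.0.1 or host 192.168.0.2) and port 443"
OR_FILTER = all_of(any_of(host("192.168.0.1"), host("192.168.0.2")), port(443))

# Constructed sample packets (the ephemeral port numbers are arbitrary).
PACKETS = {
    "a_to_b_https":   Packet("192.168.0.1", "192.168.0.2", 50000, 443),
    "b_to_a_https":   Packet("192.168.0.2", "192.168.0.1", 443, 50000),
    "a_to_ext_https": Packet("192.168.0.1", "216.34.131.135", 50001, 443),
    "ext_to_b_https": Packet("216.34.131.135", "192.168.0.2", 443, 50002),
    "a_to_b_http":    Packet("192.168.0.1", "192.168.0.2", 50003, 80),
    "unrelated":      Packet("10.0.0.5", "216.34.131.135", 50004, 443),
}

def matches(flt):
    """Return the names of the sample packets the filter accepts, sorted."""
    return sorted(name for name, pkt in PACKETS.items() if flt(pkt))

if __name__ == "__main__":
    print("and-filter:", matches(AND_FILTER))
    print("or-filter: ", matches(OR_FILTER))
```

When the parenthesised filter is typed on a shell command line it has to be quoted, since unquoted parentheses are interpreted by the shell rather than passed to tcpdump.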