Date:      Sat, 08 Apr 2006 15:19:24 +0200
From:      Karol Kwiatkowski <freebsd@orchid.homeunix.org>
To:        fbsd_user@a1poweruser.com
Cc:        "freebsd-questions@FreeBSD. ORG" <freebsd-questions@freebsd.org>
Subject:   Re: help with tcpdump cmd syntax
Message-ID:  <4437B85C.8020408@orchid.homeunix.org>
In-Reply-To: <MIEPLLIBMLEEABPDBIEGCEGEHEAA.fbsd_user@a1poweruser.com>
References:  <MIEPLLIBMLEEABPDBIEGCEGEHEAA.fbsd_user@a1poweruser.com>

On 08/04/2006 14:56, fbsd_user wrote:
> I tried
>    tcpdump -i rl0 src host 218.166.163.180 -w /usr/tcpdump.data
>    tcpdump -i rl0 host 218.166.163.180 -w /usr/tcpdump.data
>    tcpdump -i rl0 src ip 218.166.163.180 -w /usr/tcpdump.data
>
> but got syntax error msg with no hint of what was wrong
>
> If I remove the -w stuff it works. Meaning it prints to the screen.
> But I want to write to file
>
> Can you help me out here on the syntax error?

Have a look at 'tcpdump -h' (or man, of course). The expression (i.e. 'src
host 218.166.163.180') is the last argument. This should work:

tcpdump -i rl0 -w /usr/tcpdump.data src host 218.166.163.180

> One other thing. When does tcpdump get access to the packet?
>
> My firewall has a block log rule for that ip address.
> Does tcpdump see the packet before ipfilter ipnat does?

Yes. I'm not familiar with kernel code, but I can perfectly see all
packets with tcpdump.

HTH,

Karol

-- 
Karol Kwiatkowski  <freebsd at orchid dot homeunix dot org>
OpenPGP: http://www.orchid.homeunix.org/carlos/gpg/0x06E09309.asc