On Mon, Sep 12, 2005 at 01:03:39PM -0400, stan wrote:
>
> I've captured a bit of data as pflog files. Then I've processed these files
> with:
>
> tcpdump -n -e -tttt
>
> Which results in data records like this:
>
> 2005-09-08 20:26:40.328379 rule 5/0(match): pass out on fxp0: IP 170.85.113.49.3092 > 170.85.107.35.1500: . 1460:2920(1460) ack 1 win 63947
>
> This has most of the data that I need, but it seems to be missing one thing
> that I think is important. How can I determine if the traffic is
> TCP/UDP/ICMP etc?
>
> Reading the tcpdump man page did not lead me to an answer.
>
`proto' is documented as one of the three types of qualifiers in
tcpdump(8). So you could:
tcpdump -nettt icmp
Or so on. (You may have to escape the protocols.)
jmc
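As an added example (not from the thread or from tcpdump itself), a small Python parser for the record format stan shows, which pulls out the pflog header fields and endpoints and guesses the protocol from the layer-4 summary tcpdump appends. The UDP and ICMP sample lines and the protocol heuristic are assumptions; the reliable route is jmc's suggestion of running tcpdump with a proto qualifier per protocol.

```python
import re

# Constructed sample records in the "tcpdump -n -e -tttt" pflog format from the thread:
# the TCP line quoted in the question (port re-joined) plus made-up UDP and ICMP lines
# in tcpdump's classic output style. None of this is captured traffic.
SAMPLE_RECORDS = [
    "2005-09-08 20:26:40.328379 rule 5/0(match): pass out on fxp0: IP "
    "170.85.113.49.3092 > 170.85.107.35.1500: . 1460:2920(1460) ack 1 win 63947",
    "2005-09-08 20:26:41.000000 rule 7/0(match): block in on fxp0: IP "
    "192.0.2.10.53 > 170.85.107.35.1025: UDP, length 44",
    "2005-09-08 20:26:42.000000 rule 3/0(match): pass in on fxp0: IP "
    "192.0.2.20 > 170.85.107.35: ICMP echo request, id 7, seq 1, length 64",
]

# pflog header printed by -e (timestamp, rule/subrule, action, direction, interface),
# then "host.port > host.port:" (TCP/UDP) or "host > host:" (ICMP) and the L4 summary.
RECORD_RE = re.compile(
    r"^(?P<ts>\S+ \S+) rule (?P<rule>\d+)/(?P<subrule>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<iface>\w+): IP "
    r"(?P<src>[\d.]+) > (?P<dst>[\d.]+): (?P<l4>.*)$"
)
# Heuristic (assumption): the L4 summary names ICMP/UDP; TCP shows ack/win or a seq range.
L4_PATTERNS = [(r"\bicmp\b", "icmp"), (r"\budp\b", "udp"),
               (r"\b(ack|win)\b|\d+:\d+\(\d+\)", "tcp")]

def split_endpoint(ep):
    """'a.b.c.d.port' -> (ip, port); a bare 'a.b.c.d' (ICMP) has no port."""
    if ep.count(".") == 4:
        ip, port = ep.rsplit(".", 1)
        return ip, int(port)
    return ep, None

def guess_proto(l4):
    """Classify a record by its layer-4 summary; 'unknown' if nothing matches."""
    for pattern, name in L4_PATTERNS:
        if re.search(pattern, l4, re.I):
            return name
    return "unknown"

def parse_record(line):
    """Parse one pflog record into a dict, or return None if it does not match."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["src"], rec["sport"] = split_endpoint(rec["src"])
    rec["dst"], rec["dport"] = split_endpoint(rec["dst"])
    rec["proto"] = guess_proto(rec.pop("l4"))
    return rec
```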