From: Jim March <>
> I've looked the manual over for tcpdump:
tcpdump [ -AdDeflLnNOpqRStuUvxX ] [ -c count ]
        [ -C file_size ] [ -F file ]
        [ -i interface ] [ -w file ]

...does that make it any clearer?

> jim@jim-lappy:~$ sudo tcpdump -s 0 -w -i file.pca host
> tcpdump: syntax error

"-w file.pcap -i wlan0" != "-w -i file.pcap".  Order of args matters when
options take args, as -w and -i do.  I thought this was common knowledge.

> jim@jim-lappy:~$ sudo tcpdump -s 0 -w -i any file.pca host
> tcpdump: syntax error

Yeah, because there's no filename for -w.

> jim@jim-lappy:~$ sudo tcpdump -s 0 -w -i any file.pca
> tcpdump: syntax error

Same again, and file.pca isn't a valid expression for "which packets to

> The man page doesn't give enough examples to tell me how to do this.
> Dangit...any idea what the exact syntax might be?

Most man pages don't have enough examples.  The command you want is "tcpdump
-s 0 -w file.pca -i wlan0 host", and I was *trying* to get you to
figure that out for yourself, but I thought you knew more about using
command-line programs than you did.  I'm still not convinced that that IP is
correct, since I don't know how you've set up your virtualbox, but you may be
able to narrow it down.  Just start a capture with no filter, then in the VM,
ping on the wide Net, then stop the capture and look for where
those ICMP packets directed to are coming from.  It *should*

> I tried using Wireshark with sudo.  Bingo.

Well, except for the lack of a host filter causing you to find a bunch of
other stuff (other user going to facebook) that didn't relate to your malware
question.  This was a win... *this* time.  The thing is, when I'm doing work
with tcpdump, I have to filter by host and port, or I get far too many useless
packets mixed in with the stuff I'm actually looking for.

Matt G / Dances With Crows
The Crow202 Blog:
There is no Darkness in Eternity/But only Light too dim for us to see
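An added example, not from the thread: a small POSIX shell model of the getopt-style parsing that produces the errors above. The helper is assumed for illustration only; its option letters come from the synopsis quoted at the top, with "s:" added because the commands use "-s 0".

```shell
#!/bin/sh
# Model of how a getopt-style parser consumes the argument vector.
# Assumed helper, not part of tcpdump: it only reports the parse result.
parse_tcpdump_args() {
    OPTIND=1
    snaplen="" outfile="" iface=""
    while getopts "AdDeflLnNOpqRStuUvxXc:C:F:i:w:s:" opt; do
        case "$opt" in
            s) snaplen="$OPTARG" ;;
            w) outfile="$OPTARG" ;;   # -w swallows whatever token follows it
            i) iface="$OPTARG" ;;
            \?) echo "syntax error"; return 1 ;;
            *) ;;                     # flags that take no argument
        esac
    done
    shift $((OPTIND - 1))
    # Everything left over is what tcpdump would hand to the filter compiler.
    echo "s=$snaplen w=$outfile i=$iface expr=$*"
}

# The failing invocation from the thread: -w takes "-i" as its file name,
# so "file.pca host" is left over as a (nonsensical) filter expression.
parse_tcpdump_args -s 0 -w -i file.pca host
# The working order: each option is immediately followed by its argument,
# and only "host ..." remains as the filter expression.
parse_tcpdump_args -s 0 -w file.pca -i wlan0 host
```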

PLUG-discuss mailing list -