Re: [tcpdump-workers] Can I exclude a protocol?

2004-11-01 Thread Guy Harris
On Oct 31, 2004, at 6:15 PM, Pete Wilson wrote:
>> although do you want to exclude TCP or exclude everything but UDP
>> (or exclude everything but port-161 and port-162 UDP traffic)?
> Well, since you ask :-) Yes, sure.

Then that's where the

> If you want to see all UDP traffic to and from particular hosts *on a
> particular UDP port*, use (ip host node1 or node2 or node3) and udp
> port N.  If you want, for example, UDP traffic to or from port 161,
> do (ip host node1 or node2 or node3) and udp port 161 - but, in that
> case, you can probably say udp port snmp rather than udp port 161.
>
> If you want traffic to or from two particular ports, use (ip host
> node1 or node2 or node3) and (udp port port1 or port2) - which can
> probably be udp port snmp or udp port snmptrap if you want ports 161
> and 162.

from my earlier message would be used - that'd show only UDP port-161
and port-162 traffic (i.e., only putative SNMP traffic, although there
could, I guess, be SNMP traffic on non-standard ports, or non-SNMP
traffic on the official SNMP ports).

If you want to exclude everything but UDP (which would give you
non-SNMP traffic), that's where the

> If you want to see all *UDP* traffic to and from particular hosts, use
> (ip host node1 or node2 or node3) and udp.

from my earlier message would be used.
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.


[tcpdump-workers] Can I exclude a protocol?

2004-10-31 Thread Pete Wilson

I'm a new user of tcpdump, so please forgive these few amateur
questions.

1. I need to look at SNMP traffic, so I issue:

  node2:/root#tcpdump udp host node1 or node2 or node3
  tcpdump: 'udp' modifier applied to host
  node2:/root#

What am I doing wrong? I'm using ip instead of udp at the mo and that
works, of course.

2. I want to exclude certain protocols, like TCP. Is there any way to
do it? I note that host takes logical operations. Anything like that
for proto? 

Thanks!


-- Pete Wilson
   http://www.pwilson.net/


Re: [tcpdump-workers] Can I exclude a protocol?

2004-10-31 Thread Guy Harris
Pete Wilson wrote:
> I'm a new user of tcpdump, so please forgive these few amateur
> questions.
> 1. I need to look at SNMP traffic, so I issue:
>   node2:/root#tcpdump udp host node1 or node2 or node3
>   tcpdump: 'udp' modifier applied to host
UDP doesn't know about hosts - that's IP's responsibility.  UDP only 
knows about ports.

If you want to see all traffic to or from particular hosts, use ip host 
node1 or node2 or node3.

If you want to see all *UDP* traffic to and from particular hosts, use 
(ip host node1 or node2 or node3) and udp.

If you want to see all UDP traffic to and from particular hosts *on a 
particular UDP port*, use (ip host node1 or node2 or node3) and udp 
port N.  If you want, for example, UDP traffic to or from port 161, do 
(ip host node1 or node2 or node3) and udp port 161 - but, in that 
case, you can probably say udp port snmp rather than udp port 161.

If you want traffic to or from two particular ports, use (ip host node1 
or node2 or node3) and (udp port port1 or port2) - which can probably 
be udp port snmp or udp port snmptrap if you want ports 161 and 162.

> 2. I want to exclude certain protocols, like TCP. Is there any way to
> do it? I note that host takes logical operations. Anything like that
> for proto?
(ip host node1 or node2 or node3) and not tcp
although do you want to exclude TCP or exclude everything but UDP (or 
exclude everything but port-161 and port-162 UDP traffic)?
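The filter expressions Guy Harris lays out in both of his replies (all IP traffic for a host list, only UDP, only UDP on given ports, everything but TCP), composed from a host list and a port list and then syntax-checked with `tcpdump -d`, as an added example that is not part of the thread. The helper names (`join_or`, `filter_hosts`, `build_filter`, `exclude_proto`, `check_filter`), the hosts node1..node3 and the TEST-NET addresses 192.0.2.x are constructed for the example. The compile check reads an empty pcap file instead of opening an interface, so it needs no privileges; it is skipped when tcpdump is not installed.

```shell
#!/bin/sh
# Added example, not code from the tcpdump-workers thread.
# Builds the BPF filter expressions described in the thread and compiles
# them with "tcpdump -d" to catch syntax or qualifier mistakes before the
# filter is put on a sensor. Hosts/ports below are constructed sample values.

# join_or a b c -> "a or b or c"  (BPF lets "ip host"/"udp port" carry over)
join_or() {
    printf '%s\n' "$*" | sed 's/ / or /g'
}

# filter_hosts node1 node2 node3 -> "ip host node1 or node2 or node3"
filter_hosts() {
    printf 'ip host %s' "$(join_or "$@")"
}

# build_filter PROTO "PORTS" HOST...
#   PROTO ""            -> all IP traffic to/from the hosts
#   PROTO udp, PORTS "" -> all UDP traffic to/from the hosts
#   PROTO udp, PORTS "161 162" -> UDP traffic on those ports only
build_filter() {
    proto=$1; ports=$2; shift 2
    hosts=$(filter_hosts "$@")
    if [ -z "$proto" ]; then
        printf '%s\n' "$hosts"
    elif [ -z "$ports" ]; then
        printf '(%s) and %s\n' "$hosts" "$proto"
    else
        set -- $ports   # word-split the port list into positional parameters
        printf '(%s) and (%s port %s)\n' "$hosts" "$proto" "$(join_or "$@")"
    fi
}

# exclude_proto tcp HOST... -> "(ip host ...) and not tcp"
exclude_proto() {
    proto=$1; shift
    printf '(%s) and not %s\n' "$(filter_hosts "$@")" "$proto"
}

# check_filter EXPR: compile EXPR with "tcpdump -d" against an empty pcap
# file (24-byte global header, link type 1 = Ethernet, no packets). Returns
# tcpdump's status; returns 0 with a notice if tcpdump is not installed.
check_filter() {
    if ! command -v tcpdump >/dev/null 2>&1; then
        echo "tcpdump not installed; skipping compile check of: $1" >&2
        return 0
    fi
    tmp=$(mktemp)
    printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000' > "$tmp"
    tcpdump -d -r "$tmp" "$1" >/dev/null
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Stand-alone demonstration of the expressions from the thread.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    build_filter ""  ""        node1 node2 node3
    build_filter udp ""        node1 node2 node3
    build_filter udp "161 162" node1 node2 node3
    build_filter udp "snmp snmptrap" node1 node2 node3
    exclude_proto tcp node1 node2 node3
    check_filter "$(build_filter udp '161 162' 192.0.2.1 192.0.2.2)"
fi
```

Note that libpcap resolves any host name inside `ip host` when the filter is compiled, so `check_filter` with names such as node1 that do not resolve fails at compile time; the demonstration therefore checks an expression built from addresses. Service names like `snmp` and `snmptrap` are likewise looked up at compile time, so a compile check also confirms the name is known on the box the filter will run on.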