At 05:21 AM 7/8/02, Daniel Nyström wrote:
>the packets roll by too fast.. or to specify.. it logs all packets but I'm
>only interested in a few of them. How do I limit the output
>so that only.. let's say.. UDP packets coming from 192.168.0.33 are shown?
>Or, let's say I want to see the package that BitchX sends bitchx.com at
>the first startup..?
The tcpdump man page ('man tcpdump') has tons of info on how to do filtering. You'll be wanting to concentrate mainly on the area captioned 'Expressions'. For example, to capture all UDP traffic from 192.168.0.33, you'd use:

    tcpdump src host 192.168.0.33 and ip proto \\udp

To see ALL traffic to or from bitchx.com,

    tcpdump host bitchx.com

Read through the examples in the man pages, and *pay* *attention* to the description of the filters -- there are a few quirks in it, such as the need to escape (\\) the qualifiers 'udp', 'tcp' or 'icmp' when filtering by protocol, as these are also keywords. So far, I haven't hit any roadblocks that weren't explained in the man pages.

As always with UNIX, there are other options. You could always write a Perl script that pipes in the output of tcpdump and filters that; even plain old grep and a regular expression could do the job. But why bother? tcpdump has the (very powerful) functionality built right in.

- Peter Kristolaitis
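The reply mentions the alternative of piping tcpdump's text output through a Perl script or grep. The added example below (not part of the original thread, and not tcpdump's own code) implements that post-filter in Python over a few constructed `tcpdump -n` lines, and builds the equivalent capture-filter expression in the form the reply uses. It also shows why the built-in filter is the better tool: tcpdump decodes DNS on port 53 without printing a "UDP" tag, so a text post-filter has to guess the transport protocol, whereas the BPF filter reads it from the IP header. The line format, the sample lines and the address 203.0.113.10 (standing in for a resolved bitchx.com) are assumptions, not anything from the list message.

```python
import re

# Constructed tcpdump -n output for the scenario in the thread (not a real capture).
SAMPLE = """\
05:21:33.100001 IP 192.168.0.33.5353 > 224.0.0.251.5353: UDP, length 84
05:21:33.100412 IP 192.168.0.33.40123 > 192.168.0.1.53: 12345+ A? bitchx.com. (28)
05:21:33.101007 IP 192.168.0.1.53 > 192.168.0.33.40123: 12345 1/0/0 A 203.0.113.10 (44)
05:21:33.102220 IP 192.168.0.33.40124 > 203.0.113.10.6667: Flags [S], seq 1, win 65535, length 0
05:21:33.103001 IP 192.168.0.33 > 192.168.0.1: ICMP echo request, id 1, seq 1, length 64
05:21:33.104000 IP 192.168.0.44.1234 > 192.168.0.33.22: Flags [P.], seq 1:2, ack 1, win 100, length 1
"""

# One IPv4 line of modern "tcpdump -n" output (assumed layout; older versions differ).
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: "
    r"(?P<rest>.*)$"
)


def parse_line(line):
    """Return a dict for one tcpdump line, or None if it is not an IPv4 line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    sport = int(m.group("sport")) if m.group("sport") else None
    dport = int(m.group("dport")) if m.group("dport") else None
    if rest.startswith("Flags ["):
        proto = "tcp"        # TCP lines always lead with the flags, even on port 53
    elif rest.startswith("UDP"):
        proto = "udp"
    elif rest.startswith("ICMP"):
        proto = "icmp"
    elif 53 in (sport, dport):
        proto = "udp"        # DNS over UDP is decoded with no "UDP" tag: a guess
    else:
        proto = "other"      # the text hides the transport; BPF reads the header
    return {"ts": m.group("ts"), "src": m.group("src"), "sport": sport,
            "dst": m.group("dst"), "dport": dport, "proto": proto, "raw": line}


def filter_lines(text, src=None, proto=None, host=None):
    """Keep the lines that satisfy every given condition (the grep/Perl approach)."""
    kept = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if src is not None and rec["src"] != src:
            continue
        if proto is not None and rec["proto"] != proto:
            continue
        if host is not None and host not in (rec["src"], rec["dst"]):
            continue
        kept.append(line)
    return kept


def bpf_expression(src=None, proto=None, host=None):
    """Build the equivalent tcpdump filter expression in the reply's own form."""
    terms = []
    if src is not None:
        terms.append("src host %s" % src)
    if host is not None:
        terms.append("host %s" % host)
    if proto is not None:
        # With "ip proto", the protocol name is a keyword and must be escaped.
        terms.append("ip proto \\%s" % proto)
    return " and ".join(terms)


if __name__ == "__main__":
    for want in ({"src": "192.168.0.33", "proto": "udp"}, {"host": "203.0.113.10"}):
        print("# equivalent: tcpdump -n '%s'" % bpf_expression(**want))
        for line in filter_lines(SAMPLE, **want):
            print(line)
```

`bpf_expression` returns the expression with a single backslash before the protocol name; quote it for your shell (single quotes in sh, or the doubled backslash the reply shows for shells that eat one) so tcpdump receives `\udp`. The port-53 heuristic in `parse_line` is exactly the kind of guesswork the kernel-side filter avoids.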