On Mon, Jul 08, 2002 at 11:21:07AM +0200, Daniel Nyström wrote:
> Hello..
>
> when I start tcpdump by just issuing
>
> bash# tcpdump
>
> or
>
> bash# tcpdump -i eth1
>
> the packets roll by too fast.. or to specify.. it logs all packets but
> I'm only interested in a few of them. How do I limit the output
> so that only.. let's say.. UDP packets coming from 192.168.0.33 are shown?
> Or, let's say I want to see the package that BitchX sends bitchx.com at
> the first startup..?
>
>
> Thanks in advance,
>
> Daniel
>
>
> --
>
>
> /***********************************
> * Daniel Nyström, Telhack 026 Inc. *
> ***********************************/
>
> http://www.SweSec.tk
> http://www.telhack.tk
>
The short answer to your question is to read the man page; it gives a decent description of the bpf filter strings and how you can use them. Without going into a lot of detail, you probably want to use the host (or src or dst) arguments.

Example:

    tcpdump -i ep0 -e host 192.168.1.1

(this will show all packets to and from 192.168.1.1 and include layer 2 information).

I often use -w file to write the output to a file, then later use tcpshow to read that file, and will often just grep through it. Either way, what you are looking for is in the tcpdump man page.

--
WXS
Wesley Shields
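As an added illustration that is not part of this thread and not tcpdump's own code: the filter the original poster asked for is written in tcpdump's filter language as "udp and src host 192.168.0.33", and the snippet below shows what such a filter actually does by evaluating a small subset of that language (udp, tcp, host, src/dst host, port, and, or, not, parentheses) against a few constructed Ethernet/IPv4 frames. Real tcpdump compiles the expression into a BPF program run by the kernel; this Python version just reimplements the matching semantics in userspace for clarity, and the frames, addresses and ports are made up for the example (checksums are left at zero).

```python
import struct
import ipaddress

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
IPPROTO_UDP = 17


def parse_ethernet_ipv4(frame: bytes):
    """Decode an Ethernet II frame carrying IPv4 into a dict of header fields (None if not IPv4)."""
    if len(frame) < 14 + 20:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None  # e.g. ARP: no IPv4 header, so IP filters never match it
    ip = frame[14:]
    if ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4  # header length in bytes, accounts for IP options
    if ihl < 20 or len(ip) < ihl:
        return None
    pkt = {
        "proto": ip[9],
        "src": str(ipaddress.IPv4Address(ip[12:16])),
        "dst": str(ipaddress.IPv4Address(ip[16:20])),
        "sport": None,
        "dport": None,
    }
    l4 = ip[ihl:]
    if pkt["proto"] in (IPPROTO_TCP, IPPROTO_UDP) and len(l4) >= 4:
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", l4[:4])
    return pkt


def build_frame(src, dst, proto, sport=0, dport=0):
    """Constructed sample frame: Ethernet II + minimal IPv4 header + ports and 4 filler bytes."""
    eth = bytes(12) + struct.pack("!H", ETHERTYPE_IPV4)
    l4 = struct.pack("!HH", sport, dport) + bytes(4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return eth + ip + l4


class FilterParser:
    """Recursive-descent parser for a subset of pcap-filter syntax; 'and' binds tighter than 'or'."""

    def __init__(self, expr):
        self.toks = expr.replace("(", " ( ").replace(")", " ) ").split()
        self.i = 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        fn = self.or_expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return fn

    def or_expr(self):
        left = self.and_expr()
        while self.peek() == "or":
            self.take()
            left = (lambda l, r: lambda p: l(p) or r(p))(left, self.and_expr())
        return left

    def and_expr(self):
        left = self.unary()
        while self.peek() == "and":
            self.take()
            left = (lambda l, r: lambda p: l(p) and r(p))(left, self.unary())
        return left

    def unary(self):
        tok = self.take()
        if tok == "not":
            inner = self.unary()
            return lambda p: not inner(p)
        if tok == "(":
            inner = self.or_expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return inner
        return self.primitive(tok)

    def primitive(self, tok):
        if tok in ("udp", "tcp"):
            proto = IPPROTO_UDP if tok == "udp" else IPPROTO_TCP
            return lambda p: p["proto"] == proto
        direction = None
        if tok in ("src", "dst"):  # optional qualifier in front of host/port
            direction, tok = tok, self.take()
        if tok == "host":
            return self._match(direction, "src", "dst", str(ipaddress.IPv4Address(self.take())))
        if tok == "port":
            return self._match(direction, "sport", "dport", int(self.take()))
        raise ValueError(f"unknown primitive {tok!r}")

    @staticmethod
    def _match(direction, src_key, dst_key, value):
        if direction == "src":
            return lambda p: p[src_key] == value
        if direction == "dst":
            return lambda p: p[dst_key] == value
        return lambda p: p[src_key] == value or p[dst_key] == value  # plain 'host'/'port': either side


def apply_filter(expr, frames):
    """Return the parsed packets from `frames` that satisfy the filter expression."""
    match = FilterParser(expr).parse()
    return [p for p in map(parse_ethernet_ipv4, frames) if p is not None and match(p)]


# Constructed sample traffic: two packets from the host in the question, one reply to it, one ARP frame.
SAMPLE_FRAMES = [
    build_frame("192.168.0.33", "192.168.0.1", IPPROTO_UDP, 1025, 53),
    build_frame("192.168.0.33", "192.168.0.1", IPPROTO_TCP, 40000, 6667),
    build_frame("192.168.0.10", "192.168.0.33", IPPROTO_UDP, 53, 1025),
    bytes(12) + b"\x08\x06" + bytes(28),
]

if __name__ == "__main__":
    for expr in ("udp and src host 192.168.0.33", "host 192.168.0.33", "port 53"):
        print(expr, "->", len(apply_filter(expr, SAMPLE_FRAMES)), "packet(s)")
```

The same precedence rules apply to the real tool, so "udp and src host 192.168.0.33" keeps only UDP datagrams sent by that address, while a bare "host 192.168.0.33" matches traffic in both directions regardless of protocol, which is the distinction the reply above draws between host and src/dst.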