Perhaps not a linux specific issue, but I thought I'd start here.
According to the tcpdump man page:
    ether proto protocol
        True if the packet is of ether type protocol. Protocol
        can be a number or one of the names ip, ip6, arp, rarp,
        atalk, aarp, decnet, sca, lat, mopdl, moprc, iso, stp,
        ipx, or netbeui. Note these identifiers are also
        keywords and must be escaped via backslash (\).
So according to that, this should work:
[root@orbital tmp]# tcpdump -n -vvv ether proto \stp
tcpdump: parse error
Two slashes get me a higher level error:
[root@orbital tmp]# tcpdump -n -vvv ether proto \\stp
tcpdump: unknown ether proto 'stp'
Two slashes with another protocol seems to work:
[root@orbital tmp]# tcpdump -n -vvv ether proto \\arp
tcpdump: listening on eth0
16:10:07.551223 arp who-has 192.168.65.2 tell 192.168.65.10
16:10:07.551351 arp who-has 192.168.65.3 tell 192.168.65.10
16:10:08.544725 arp who-has 192.168.65.2 tell 192.168.65.10
16:10:08.544728 arp who-has 192.168.65.3 tell 192.168.65.10
16:10:09.544721 arp who-has 192.168.65.2 tell 192.168.65.10
16:10:09.544727 arp who-has 192.168.65.3 tell 192.168.65.10
6 packets received by filter
0 packets dropped by kernel
However this _does_ work:
[root@orbital tmp]# tcpdump -n -vvv stp
tcpdump: listening on eth0
16:04:18.343589 802.1d config 8000.00:05:32:a3:9b:46.8026 root
8000.00:05:32:a3:9b:46 pathcost 0 age 0 max 20 hello 2 fdelay 15
16:04:20.346351 802.1d config 8000.00:05:32:a3:9b:46.8026 root
8000.00:05:32:a3:9b:46 pathcost 0 age 0 max 20 hello 2 fdelay 15
16:04:22.349545 802.1d config 8000.00:05:32:a3:9b:46.8026 root
8000.00:05:32:a3:9b:46 pathcost 0 age 0 max 20 hello 2 fdelay 15
3 packets received by filter
0 packets dropped by kernel
Is the man page out of date for the actual filter syntax? And why do I
need two slashes? Any insight would be appreciated. Thanks.
--
Brandon Applegate - CCIE 10273
PGP Key fingerprint:
7407 DC86 AA7B A57F 62D1 A715 3C63 66A1 181E 6996
"SH1-0151. This is the serial number, of our orbital gun."
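The two-backslash behaviour above comes from the shell, not from tcpdump: an unquoted backslash is consumed by the shell before tcpdump ever sees the filter, so `\stp` arrives as the bare keyword `stp` (hence the parse error), while `\\stp` arrives as `\stp`. The script below is an added example, not part of the original post, and needs no interface or root; it reproduces the filter string exactly as tcpdump's command line would hand it to libpcap for each quoting form. The helper names `argv_as_filter` and `compile_filter` are my own, and `compile_filter` assumes a tcpdump that accepts `-d` (dump compiled BPF) and `-y` (link type).

```sh
#!/bin/sh
# Added example (not from the original post): shows what the shell hands
# to tcpdump for each way of writing the "ether proto \stp" filter.

# argv_as_filter: joins its arguments with single spaces, which is how
# tcpdump concatenates the remaining command-line words into the filter
# expression it passes to pcap_compile().
argv_as_filter() {
    printf '%s' "$*"
}

# Unquoted \stp: the shell drops the backslash, so tcpdump sees the bare
# keyword "stp" after "ether proto" and reports "parse error".
f_unquoted=$(argv_as_filter ether proto \stp)        # ether proto stp

# \\stp: the shell reduces the pair to one backslash, so tcpdump sees
# "\stp", i.e. the escaped identifier the man page is talking about.
f_doubled=$(argv_as_filter ether proto \\stp)        # ether proto \stp

# Single quotes are the usual way to get the same result with one
# backslash; nothing inside single quotes is interpreted by the shell.
f_single=$(argv_as_filter 'ether proto \stp')        # ether proto \stp

# Double quotes also keep a backslash that is not followed by $ ` " \ or
# newline, so this form works too (but is easier to get wrong).
f_double=$(argv_as_filter "ether proto \stp")        # ether proto \stp

# compile_filter: if tcpdump is installed, compile the filter against an
# assumed Ethernet link type and print the BPF program instead of
# capturing. Assumption: this tcpdump supports -d and -y; older builds
# may still insist on opening an interface, in which case run it as root.
compile_filter() {
    if command -v tcpdump >/dev/null 2>&1; then
        tcpdump -y EN10MB -d "$1"
    else
        printf 'tcpdump not installed; filter would be: %s\n' "$1"
    fi
}

compile_filter "$f_doubled"
```

Compare `compile_filter "$f_unquoted"` (keyword `stp` in identifier position, parse error) with `compile_filter "$f_doubled"`; whether the escaped form then compiles or fails with "unknown ether proto" depends on the libpcap version, which is the second half of the question.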