tcpdump filter syntax issue

Discussion in 'Linux Networking' started by vom, Jul 31, 2003.

  1. vom

    vom Guest

    Perhaps not a Linux-specific issue, but I thought I'd start here.

    According to the tcpdump man page:

    ether proto protocol

    True if the packet is of ether type protocol. Protocol
    can be a number or one of the names ip, ip6, arp, rarp,
    atalk, aarp, decnet, sca, lat, mopdl, moprc, iso, stp,
    ipx, or netbeui. Note these identifiers are also key-
    words and must be escaped via backslash (\).

    So according to that, this should work:

    [[email protected] tmp]# tcpdump -n -vvv ether proto \stp
    tcpdump: parse error

    Two slashes get me a higher level error:

    [[email protected] tmp]# tcpdump -n -vvv ether proto \\stp
    tcpdump: unknown ether proto 'stp'

    Two slashes with another protocol seems to work:

    [[email protected] tmp]# tcpdump -n -vvv ether proto \\arp
    tcpdump: listening on eth0
    16:10:07.551223 arp who-has 192.168.65.2 tell 192.168.65.10
    16:10:07.551351 arp who-has 192.168.65.3 tell 192.168.65.10
    16:10:08.544725 arp who-has 192.168.65.2 tell 192.168.65.10
    16:10:08.544728 arp who-has 192.168.65.3 tell 192.168.65.10
    16:10:09.544721 arp who-has 192.168.65.2 tell 192.168.65.10
    16:10:09.544727 arp who-has 192.168.65.3 tell 192.168.65.10

    6 packets received by filter
    0 packets dropped by kernel

    However this _does_ work:

    [[email protected] tmp]# tcpdump -n -vvv stp
    tcpdump: listening on eth0
    16:04:18.343589 802.1d config 8000.00:05:32:a3:9b:46.8026 root
    8000.00:05:32:a3:9b:46 pathcost 0 age 0 max 20 hello 2 fdelay 15
    16:04:20.346351 802.1d config 8000.00:05:32:a3:9b:46.8026 root
    8000.00:05:32:a3:9b:46 pathcost 0 age 0 max 20 hello 2 fdelay 15
    16:04:22.349545 802.1d config 8000.00:05:32:a3:9b:46.8026 root
    8000.00:05:32:a3:9b:46 pathcost 0 age 0 max 20 hello 2 fdelay 15

    3 packets received by filter
    0 packets dropped by kernel

    Is the man page out of date for the actual filter syntax? And why do I
    need two slashes? Any insight would be appreciated. Thanks.
     
    vom, Jul 31, 2003
    #1
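
The commands in the post are typed unquoted, so the shell processes the backslashes before tcpdump sees them. The sketch below is an added example, not part of the original post, and it does not run tcpdump: `filter_seen` and `proto_state` are hypothetical helpers that show the filter text a program receives for each spelling, assuming the default `IFS`.

```shell
#!/bin/sh
# Added example; tcpdump itself is not run. filter_seen and proto_state are
# hypothetical helper names, and the command lines below are constructed.

# tcpdump joins its non-option arguments with single spaces to build the
# filter expression; "$*" reproduces that join (default IFS assumed).
filter_seen() {
    printf '%s' "$*"
}

# Report whether the last word of the filter still carries its backslash
# escape once the shell has finished with the command line.
proto_state() {
    s="$*"
    case ${s##* } in
        \\*) printf 'escaped' ;;
        *)   printf 'bare' ;;
    esac
}

# One backslash, unquoted: the shell removes it, the keyword arrives bare.
printf '%-16s [%s] %s\n' 'one backslash' \
    "$(filter_seen ether proto \stp)" "$(proto_state ether proto \stp)"

# Two backslashes, unquoted: the shell reduces them to one, the escape arrives.
printf '%-16s [%s] %s\n' 'two backslashes' \
    "$(filter_seen ether proto \\stp)" "$(proto_state ether proto \\stp)"

# Single-quoted filter: the shell leaves the backslash alone, one is enough.
printf '%-16s [%s] %s\n' 'single-quoted' \
    "$(filter_seen 'ether proto \stp')" "$(proto_state 'ether proto \stp')"
```

With one unquoted backslash the program receives `ether proto stp`, the bare keyword the man page says must be escaped; with two, or with the filter in single quotes, it receives `ether proto \stp`.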