tcpdump mailing list archives
Re: Can I excude a protocol?
From: Guy Harris <guy () alum mit edu>
Date: Sun, 31 Oct 2004 17:19:03 -0800
Pete Wilson wrote:
> I'm a new user of tcpdump, so please forgive these few amateur questions.
>
> 1. I need to look at SNMP traffic, so I issue:
>
>     node2:/root#tcpdump udp host node1 or node2 or node3
>     tcpdump: 'udp' modifier applied to host
UDP doesn't know about "hosts" - that's IP's responsibility. UDP only knows about ports.
If you want to see all traffic to or from particular hosts, use "ip host node1 or node2 or node3".
If you want to see all *UDP* traffic to and from particular hosts, use "(ip host node1 or node2 or node3) and udp".
If you want to see all UDP traffic to and from particular hosts *on a particular UDP port*, use "(ip host node1 or node2 or node3) and udp port N". If you want, for example, UDP traffic to or from port 161, do "(ip host node1 or node2 or node3) and udp port 161" - but, in that case, you can probably say "udp port snmp" rather than "udp port 161".
If you want traffic to or from two particular ports, use "(ip host node1 or node2 or node3) and (udp port port1 or port2)" - which can probably be "udp port snmp or udp port snmptrap" if you want ports 161 and 162.
> 2. I want to exclude certain protocols, like TCP. Is there any way to do it? I note that host takes logical operations. Anything like that for proto?
"(ip host node1 or node2 or node3) and not tcp"

although do you want to exclude TCP or exclude everything but UDP (or exclude everything but port-161 and port-162 UDP traffic)?
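The filter forms given in this reply, produced by a small shell helper from a host list and an optional port list. This is an added example, not part of the original message; the function names are hypothetical, and the token check is an assumption added so that a host or port list taken from a script cannot change the structure of the filter.

```shell
#!/bin/sh
# Added example: builds the filter expressions shown in the reply above.
# node1..node3, snmp and snmptrap come from the thread; join_or,
# udp_host_filter and host_filter_excluding are made-up names.

# join_or "a b c" -> "a or b or c". Runs in a subshell with globbing off.
# Rejects filter keywords and any character outside [A-Za-z0-9._:-], so a
# token cannot add operators, parentheses or shell metacharacters.
join_or() (
    set -f
    out=""
    for tok in $1; do
        case $tok in
            and|or|not|*[!A-Za-z0-9._:-]*)
                echo "rejected token: $tok" >&2; exit 1 ;;
        esac
        out="${out:+$out or }$tok"
    done
    [ -n "$out" ] || exit 1
    printf '%s' "$out"
)

# udp_host_filter HOSTS [PORTS]
#   without ports: (ip host h1 or h2) and udp
#   with ports:    (ip host h1 or h2) and (udp port p1 or p2)
udp_host_filter() {
    hosts=$(join_or "$1") || return 1
    if [ -z "${2:-}" ]; then
        printf '(ip host %s) and udp' "$hosts"
    else
        ports=$(join_or "$2") || return 1
        printf '(ip host %s) and (udp port %s)' "$hosts" "$ports"
    fi
}

# host_filter_excluding HOSTS PROTO -> (ip host h1 or h2) and not PROTO
host_filter_excluding() {
    hosts=$(join_or "$1") || return 1
    case ${2:-} in
        tcp|udp|icmp) ;;
        *) echo "unsupported protocol: ${2:-}" >&2; return 1 ;;
    esac
    printf '(ip host %s) and not %s' "$hosts" "$2"
}

# Typical use (needs capture privileges, so it is not run here):
#   tcpdump -n "$(udp_host_filter 'node1 node2 node3' 'snmp snmptrap')"
```

Quoting the command substitution passes the whole filter to tcpdump as a single argument, so the shell never interprets its parentheses.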