Re: does "port 25" work?

["U. George" <netbeans () gatworks com>]

Guy Harris wrote:
> On Jul 31, 2008, at 5:52 AM, U. George wrote:
>
> > BUT if i remove the 'port domain' i see all the packets:
> >
> > > [root@laptopserver gat]# /usr/sbin/tcpdump  -v -n -i eth1 tcpdump: 
> > > listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
> > > 08:49:38.834343 PPPoE  [ses 0xea20] [length 48 (4 extra bytes)] IP 
> > > (tos 0x0, ttl 236, id 50854, offset 0, flags [DF], proto 6, length: 
> > > 44) 59.151.50.248.45573 > 71.247.232.63.domain: S [tcp sum ok] 
> > > 1445792188:1445792188(0) win 8190 <mss 1460>
>
> You're capturing on an Ethernet that's carrying PPPoE traffic.
>
> The filter "port domain" will capture packets that have an Ethernet type 
> of 0x0800 (IPv4), an IP packet type of UDP or TCP, and a UDP or TCP port 
> number of 25.
>
> It will not capture *ANY* PPPoE traffic, as it has a different Ethernet 
> type.
>
> If the DNS requests are on PPPoE, then, at least with a sufficiently 
> recent version of libpcap, the filter
>
>     pppoes and port domain
>
> should capture them.  If you want to capture non-PPPoE DNS requests as 
> well, try
>
>     port domain or (pppoes and port domain)
> -
> This is the tcpdump-workers list.
> Visit https://cod.sandelman.ca/ to unsubscribe.
Thanks for the reply,
BUT
why does adding the "PORT" conditional also modify the wild-card aspects 
of "ethernet type"
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.