tcpdump mailing list archives

Re: does "port 25" work?


From: Stephen Donnelly <stephen () endace com>
Date: Fri, 01 Aug 2008 15:35:24 +1200

On Thu, 2008-07-31 at 23:26 -0400, U. George wrote:

The filter "port domain" on an Ethernet interface (on my box) generates
a BPF filter that looks for Ethertype 0x86dd for IPv6 OR 0x0800 for
IPv4. It doesn't look for PPPoE, VLANs, GRE or anything else, because
you didn't specify that in your filter.

Actually I didn't specify 0x86dd or 0x0800 either. I did specify device 
eth1 AND I did specify port domain. I don't care for ethertype filtering 
as it is not germane.
If PPPoE has port settings, then PPPoE packets should be filtered also. 
If VLANs, or GRE, or anything else has port designations, then that 
should be included in the filtering.

I didn't say that you did; I told you what happens when you specify that
filter. That explains the behaviour that you saw, which is expected.

From a user's point of view, if tcpdump can print the packet without 
any ethertype options, then one should also be able to compare/match 
pieces of the data stream without the use of or knowledge of ethertype 
specifics. The only item of significance (for me) is "port domain" 
from the specific interface. From my point of view, ethertype is wild, 
ip is wild, protocol is wild, and everything else is wild - with the 
exception of the port designation.
It's just intuitive.

That may be true, but it isn't the way tcpdump works.

Perhaps you should try Wireshark, you may find its 'display filters'
more user friendly.

http://www.wireshark.org

Stephen.
-- 
-----------------------------------------------------------------------
    Stephen Donnelly BCMS PhD           email: sfd () endace com
    Endace Technology Ltd               phone: +64 7 839 0540
    Hamilton, New Zealand               cell:  +64 21 1104378
-----------------------------------------------------------------------
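
The behaviour described in this message, as an added example that is not part of the original post and is not tcpdump's own code: a simplified Python emulation of the EtherType-first check, run against constructed frames. The function names, addresses and VLAN ID are hypothetical, and the emulation leaves out cases the real compiled filter covers (for example SCTP and IPv6 extension headers).

```python
import struct

ETH_IPV4, ETH_IPV6, ETH_VLAN = 0x0800, 0x86DD, 0x8100
PROTO_TCP, PROTO_UDP = 6, 17

def udp_ipv4_frame(sport, dport, vlan_id=None):
    """Build a constructed Ethernet/IPv4/UDP frame, optionally 802.1Q-tagged."""
    eth = b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01"  # dst, src MAC
    if vlan_id is not None:
        eth += struct.pack("!HH", ETH_VLAN, vlan_id & 0x0FFF)       # TPID + TCI
    eth += struct.pack("!H", ETH_IPV4)
    udp = struct.pack("!HHHH", sport, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64,
                     PROTO_UDP, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 53]))
    return eth + ip + udp

def port_matches(frame, port, l2_len=14):
    """EtherType must be IPv4 or IPv6 before any port is compared."""
    if len(frame) < l2_len:
        return False
    (ethertype,) = struct.unpack_from("!H", frame, l2_len - 2)
    if ethertype == ETH_IPV4 and len(frame) >= l2_len + 20:
        if struct.unpack_from("!H", frame, l2_len + 6)[0] & 0x1FFF:
            return False                      # later fragment: no L4 header
        proto = frame[l2_len + 9]
        l4 = l2_len + (frame[l2_len] & 0x0F) * 4
    elif ethertype == ETH_IPV6 and len(frame) >= l2_len + 40:
        proto = frame[l2_len + 6]             # extension headers not followed
        l4 = l2_len + 40
    else:
        return False                          # VLAN, PPPoE, GRE, ... never reach the port test
    if proto not in (PROTO_TCP, PROTO_UDP) or len(frame) < l4 + 4:
        return False
    sport, dport = struct.unpack_from("!HH", frame, l4)
    return port in (sport, dport)

def vlan_port_matches(frame, port):
    """Require an 802.1Q tag, then run the same check 4 bytes further in."""
    if len(frame) < 18 or struct.unpack_from("!H", frame, 12)[0] != ETH_VLAN:
        return False
    return port_matches(frame, port, l2_len=18)

if __name__ == "__main__":
    plain = udp_ipv4_frame(40000, 53)
    tagged = udp_ipv4_frame(40000, 53, vlan_id=10)
    print("untagged, port check:     ", port_matches(plain, 53))
    print("tagged, port check:       ", port_matches(tagged, 53))
    print("tagged, vlan + port check:", vlan_port_matches(tagged, 53))
```

In pcap-filter syntax the second function corresponds to writing `vlan and port domain`, which is how the encapsulation has to be named explicitly in the capture filter.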
