Re: does "port 25" work?

["U. George" <netbeans () gatworks com>]

Guy Harris wrote:
> On Jul 31, 2008, at 11:29 AM, U. George wrote:
>
> > if i say this:
> >     tcpdump  -n -v -i eth1
> >
> > i get a log of: ether type * and port *, ie the PPPoE data.
>
> What you get is a log of "*", i.e. all data.  "port *" is irrelevant;
Not so. The log of "*" is the sum of all the "*"'s. which "port *" is a 
part of. Optimization suggests that all "*"'s are true, and need not be 
tested.
> not all packets that would match "ether type *" *HAVE* a port number.
Not terribly relevant. expression will always be false ( ie port domain 
will never match anything from those ethertypes ) .
> > If i say
> >     tcpdump  -n -v -i eth1 port domain
> >
> > i get a filter of ether (type UDP or TCP) and port domain, and no 
> > PPPoE data
>
> "port domain" is equivalent to "tcp port domain or udp port domain", 
> which is equivalent to "(tcp or udp) and "(tcp port domain or udp port 
> domain)", which is equivalent to "ip and (tcp or udp) and (tcp port 
> domain or udp port domain)".
>
> For better or worse, "ip" on Ethernet is equivalent to "ether type ip", 
> so "port domain" is equivalent to
>
>     "ether type ip and (tcp or udp) and (tcp port domain or udp port 
> domain)".
Without a detailed study, on my part, I am unable to jump to that 
conclusion. Specifying port does not necessarily also specify ether type 
( or anything else ).
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.