tcpdump mailing list archives

Re: Any way to filter ether address when type is LINUX_SLL?


From: Edouard Gaulué via tcpdump-workers <tcpdump-workers () lists tcpdump org>
Date: Tue, 19 Jan 2021 16:44:36 +0100

--- Begin Message ---
From: Edouard Gaulué <listes () e-gaulue com>
Date: Tue, 19 Jan 2021 16:44:36 +0100

For posterity, I did:

ncat -l 12345 | tshark -r - -w - sll > w

where w is a named pipe.

Instead of: ncat -l 12345 | tcpdump -r - -w - [pcap_filter] > w

Your answer leads me to this solution; I needed an upper-level tool.

Regards,

On 19/01/2021 at 15:45, Michael Richardson wrote:
Edouard Gaulué <listes () e-gaulue com> wrote:
     > And is there any way to filter by link-type? In fact, I need only those
     > LINUX_SLL.

pcap format can only contain a single link-type, so that's a no-op.
pcapng could contain multiple link-types, but tcpdump doesn't write that.

While wireshark can write pcapng, I don't think it writes multiple link types
to a single file, but of course, you could have concatenated multiple pcapng
files.

I'm not sure what tcpdump would do if it sees that :-)

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     mcr () sandelman ca  http://www.sandelman.ca/        |   ruby on rails    [



--- End Message ---
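
An added example (not part of the original messages, and not tcpdump or Wireshark code): a short Python reader that lists the link-layer types a capture declares. It illustrates the point made in the thread that a pcap file carries one link-type, while concatenated pcapng files carry one per interface in each section. The sample bytes and helper names are constructed for illustration; 113 is LINKTYPE_LINUX_SLL and 1 is LINKTYPE_ETHERNET.

```python
import struct

LINKTYPE_ETHERNET, LINKTYPE_LINUX_SLL = 1, 113   # tcpdump.org link-type registry values
PCAP_MAGICS = {                                   # magic bytes as stored -> struct byte order
    b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",   # microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">",   # nanosecond timestamps
}
SHB_TYPE = b"\x0a\x0d\x0d\x0a"                    # pcapng Section Header Block (palindromic)


def link_types(data: bytes) -> list:
    """Return every link-layer type a pcap or pcapng byte string declares."""
    magic = data[:4]
    if magic in PCAP_MAGICS:
        if len(data) < 24:
            raise ValueError("truncated pcap global header")
        # Classic pcap: a single global header, link type in the low 16 bits at offset 20.
        (network,) = struct.unpack_from(PCAP_MAGICS[magic] + "I", data, 20)
        return [network & 0xFFFF]
    if magic != SHB_TYPE:
        raise ValueError("not a pcap or pcapng capture")
    found, off, endian = [], 0, "<"
    while off + 12 <= len(data):
        if data[off:off + 4] == SHB_TYPE:
            # Each section carries its own byte-order magic (0x1A2B3C4D) at offset 8.
            endian = "<" if data[off + 8:off + 12] == b"\x4d\x3c\x2b\x1a" else ">"
        btype, blen = struct.unpack_from(endian + "II", data, off)
        if blen < 12 or blen % 4 or off + blen > len(data):
            raise ValueError("malformed pcapng block at offset %d" % off)
        if btype == 1:                            # Interface Description Block
            found.append(struct.unpack_from(endian + "H", data, off + 8)[0])
        off += blen
    return found


def pcapng_section(link_type: int) -> bytes:
    """Constructed sample: one little-endian section with a single interface."""
    shb = struct.pack("<IIIHHqI", 0x0A0D0D0A, 28, 0x1A2B3C4D, 1, 0, -1, 28)
    idb = struct.pack("<IIHHII", 1, 20, link_type, 0, 65535, 20)
    return shb + idb


# Constructed sample: classic pcap header (no packets) declaring LINUX_SLL.
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_LINUX_SLL)
# Constructed sample: two pcapng files concatenated, Ethernet then LINUX_SLL.
SAMPLE_PCAPNG = pcapng_section(LINKTYPE_ETHERNET) + pcapng_section(LINKTYPE_LINUX_SLL)

if __name__ == "__main__":
    print(link_types(SAMPLE_PCAP), link_types(SAMPLE_PCAPNG))
```

Checking the declared link types first shows whether a capture is LINUX_SLL throughout before any link-layer filter is applied to it.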