Snort mailing list archives

RE: tcpdump filter question


From: "Bradley, Paul" <paulb () cta com>
Date: Thu, 21 Nov 2002 10:54:48 -0700

Duh!  Maybe I need to go home ;-)  You're right...the packets in question
were UDP; therefore, my filter of:

tcp[2:2] = 69

would yield nothing.

The "dst port 69" filter yielded output because it didn't take into account
any specific protocol.

thanks,

Paul

-----Original Message-----
From: Gray . Brendan [mailto:bgray2 () drc com] 
Sent: Thursday, November 21, 2002 10:55 AM
To: 'Bradley, Paul'
Subject: RE: [Snort-users] tcpdump filter question


tftp is udp, would tcpdump still work with it?  Just a thought, I don't know
tcpdump that well.

Brendan Gray



-----Original Message-----
From: Bradley, Paul [mailto:paulb () cta com]
Sent: Thursday, November 21, 2002 12:02 PM
To: (snort-users () lists sourceforge net)
Subject: [Snort-users] tcpdump filter question


Using snort 1.9.0.

Scenario:  logging packet data to a binary file with snort.  I want to go in
and investigate some tftp activity.  I usually use tcpdump (3.6) to read the
packets.  This works:

tcpdump -vvv -n -nn -r packet_file dst port 69

result = all the packets destined to tftp

This doesn't work:

tcpdump -vvv -n -nn -r packet_file 'tcp[2:2] = 69'

result = nothing (no output)

When using tcpdump filters on a binary file created by snort, the built-in
tcpdump macro filters work; however, the other style of filters don't.  Does
this have something to do with the way snort creates the binary file?  I'd
like the 2nd style of the filters to work, as I can customize my packet
queries.

thanks,

paul
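The point the thread settles on is that a BPF expression such as tcp[2:2] = 69 only ever looks inside TCP packets (libpcap compiles it with an implicit "ip proto tcp" check), whereas the "dst port 69" primitive expands to a match on either TCP or UDP destination ports. TFTP runs over UDP, so the byte-offset form must be written against udp[2:2]. The following script is an added illustration, not code from the thread or from tcpdump: it builds a few constructed Ethernet/IPv4/TCP and UDP frames with Python's struct module and evaluates the three filters the way libpcap does, so you can see why the TCP-offset filter returns nothing against TFTP traffic while the port primitive and the UDP-offset filter both match. The frame builder, the sample frames and the filter helpers are all assumptions of this example.

```python
import struct

ETH_P_IP = 0x0800
PROTO_TCP = 6
PROTO_UDP = 17


def build_packet(proto, src_port, dst_port, payload=b""):
    """Build a minimal Ethernet/IPv4/{TCP,UDP} frame (constructed sample, not captured traffic)."""
    if proto == PROTO_UDP:
        # UDP header: src port, dst port, length, checksum (checksum left 0 for the example)
        l4 = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload
    elif proto == PROTO_TCP:
        # 20-byte TCP header: ports, seq, ack, data offset (5 words), flags (SYN), window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x02, 8192, 0, 0) + payload
    else:
        raise ValueError("unsupported protocol")
    total_len = 20 + len(l4)
    ip = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total_len, 0, 0, 64, proto, 0,
        bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]),
    )
    eth = b"\x00" * 12 + struct.pack("!H", ETH_P_IP)
    return eth + ip + l4


def l4_header(frame, proto):
    """Return the transport-layer bytes if the frame is IPv4 carrying `proto`, else None."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_P_IP:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4          # header length in bytes
    if ip[9] != proto:                # IPv4 protocol field
        return None
    return ip[ihl:]


def proto_field(frame, proto, offset, size):
    """Emulate libpcap's proto[offset:size]: the value exists only for packets of that protocol."""
    l4 = l4_header(frame, proto)
    if l4 is None or len(l4) < offset + size:
        return None
    return int.from_bytes(l4[offset:offset + size], "big")


def filter_proto_dst_port(frame, proto, port):
    """'tcp[2:2] = 69' or 'udp[2:2] = 69': offset 2, size 2 is the destination port."""
    return proto_field(frame, proto, 2, 2) == port


def filter_dst_port(frame, port):
    """'dst port 69': libpcap expands this to (tcp or udp) dst port (newer versions add sctp)."""
    return any(proto_field(frame, p, 2, 2) == port for p in (PROTO_TCP, PROTO_UDP))


def count_matches(frames, predicate):
    """Count frames the filter predicate accepts, like counting lines of tcpdump output."""
    return sum(1 for f in frames if predicate(f))


# Constructed capture: two TFTP requests (UDP/69), one HTTP SYN, one DNS reply.
SAMPLE_FRAMES = [
    build_packet(PROTO_UDP, 40001, 69, b"\x00\x01file.bin\x00octet\x00"),  # TFTP read request
    build_packet(PROTO_UDP, 40002, 69, b"\x00\x02file.bin\x00octet\x00"),  # TFTP write request
    build_packet(PROTO_TCP, 40003, 80),                                   # HTTP SYN, not TFTP
    build_packet(PROTO_UDP, 53, 40004),                                   # DNS reply, not TFTP
]


def tftp_filter_summary(frames=SAMPLE_FRAMES):
    """Evaluate the three filters from the thread against the constructed frames."""
    return {
        "tcp[2:2] = 69": count_matches(frames, lambda f: filter_proto_dst_port(f, PROTO_TCP, 69)),
        "udp[2:2] = 69": count_matches(frames, lambda f: filter_proto_dst_port(f, PROTO_UDP, 69)),
        "dst port 69": count_matches(frames, lambda f: filter_dst_port(f, 69)),
    }


if __name__ == "__main__":
    for expr, n in tftp_filter_summary().items():
        print(f"{expr:16s} -> {n} packet(s)")
```

Running it shows the TCP-offset filter matching zero frames, while udp[2:2] = 69 and dst port 69 each match the two TFTP requests. The practical takeaway for a defender triaging a snort binary log is that a byte-offset filter silently narrows the capture to one transport protocol, so a "no output" result can mean a wrong protocol keyword rather than an absence of traffic.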




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

