Snort mailing list archives
Re: tcpdump filtered for multiple hosts
From: Richard Bejtlich <taosecurity () gmail com>
Date: Sat, 22 Oct 2005 06:55:12 -0400
Court Graham wrote:
> Does anyone know the syntax to screen for multiple hosts using tcpdump?
> tcpdump -w filename host ip   (this is where I need more than one host) ???
Remember that using 'and' for a BPF primitive means the packet needs to have both IPs. You probably want to use 'or', e.g.,

tcpdump -n -i fxp0 -s 1515 host 64.233.167.147 or 68.142.226.42
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on fxp0, link-type EN10MB (Ethernet), capture size 1515 bytes
06:53:05.552531 IP 192.168.2.5 > 64.233.167.147: icmp 64: echo request seq 0
06:53:05.588292 IP 64.233.167.147 > 192.168.2.5: icmp 64: echo reply seq 0
06:53:18.905750 IP 192.168.2.5 > 68.142.226.42: icmp 64: echo request seq 0
06:53:18.920278 IP 68.142.226.42 > 192.168.2.5: icmp 64: echo reply seq 0

That sees ICMP to Google or Yahoo, not Google and Yahoo.

Sincerely,

Richard
http://www.taosecurity.com
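The following is an added example, not part of the thread above or of tcpdump itself. It builds BPF filter strings for several hosts so that the difference between 'or' (packets involving any listed host) and 'and' (packets in which both addresses appear) is spelled out, and it renders the resulting tcpdump command line instead of running it, since a live capture needs an interface and privileges. The helper names (bpf_any_host, bpf_between, bpf_and, tcpdump_cmd), the interface name and the output file are assumptions chosen for illustration; the addresses are the ones from the reply above.

```shell
#!/bin/sh
# Added example (not from the original thread): build BPF filter strings for
# several hosts and show the resulting tcpdump command line. Function names,
# interface and output file are assumptions for illustration only.

# Match packets involving ANY of the given hosts, as source or destination.
# This is the 'host X or host Y' form the original question needs.
bpf_any_host() {
    acc=""
    for h in "$@"; do
        if [ -z "$acc" ]; then
            acc="host $h"
        else
            acc="$acc or host $h"
        fi
    done
    printf '(%s)' "$acc"
}

# Match only packets exchanged BETWEEN two hosts: both addresses must be in
# the same packet, which is what 'and' means in a BPF expression.
bpf_between() {
    printf '(host %s and host %s)' "$1" "$2"
}

# Combine an already parenthesised expression with a further clause such as
# a protocol or port. Explicit parentheses leave no doubt about grouping.
bpf_and() {
    printf '(%s and %s)' "$1" "$2"
}

# Render the tcpdump command line without executing it. -n avoids DNS
# lookups during capture; -s 0 asks for whole packets when writing a pcap.
tcpdump_cmd() {
    iface="$1"; outfile="$2"; filter="$3"
    printf "tcpdump -n -i %s -s 0 -w %s '%s'" "$iface" "$outfile" "$filter"
}

# Either host, ICMP only (what the reply above demonstrated):
any=$(bpf_any_host 64.233.167.147 68.142.226.42)
echo "$(tcpdump_cmd fxp0 capture.pcap "$(bpf_and "$any" icmp)")"

# Only the conversation between two specific hosts:
echo "$(tcpdump_cmd fxp0 capture.pcap "$(bpf_between 192.168.2.5 64.233.167.147)")"
```

When typing such a filter by hand, quote it as a whole: parentheses are shell metacharacters, so `tcpdump -w out.pcap '(host A or host B) and icmp'` is safe whereas the unquoted form is not. The shorthand `host A or B` that Richard used is also valid BPF (the `host` qualifier carries over to the next address); the spelled-out form above is simply easier to read when the list of hosts grows.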
Current thread:
- tcpdump filtered for multiple hosts Court Graham (Oct 21)
- RE: tcpdump filtered for multiple hosts Patrick Harper (Oct 21)
- Re: tcpdump filtered for multiple hosts Harry Hoffman (Oct 21)
- <Possible follow-ups>
- Re: tcpdump filtered for multiple hosts Richard Bejtlich (Oct 22)
- RE: tcpdump filtered for multiple hosts Patrick Harper (Oct 21)