Re: Newbie user question: Getting packets from

[Guy Harris <guy () alum mit edu>]

(blah blah blah wrong from address blah blah blah duplicate message 
dissector blah blah blah time to see whether I can configure Thunderbird 
to automatically set the from address for tcpdump-workers messages blah 
blah blah)

KEVIN ZEMBOWER wrote:

> www:~# tcpdump src host centernet.jhuccp.org and ip proto \\tcp or \\udp

The tcpdump man page says:

    Primitives may be combined using:

        A parenthesized group of primitives and operators (paren-
        theses are special to the Shell and must be escaped).

        Negation (`!' or `not').

        Concatenation (`&&' or `and').

        Alternation (`||' or `or').

    Negation  has highest precedence.  Alternation and concatenation
    have equal precedence and associate left to  right.   Note  that
    explicit  and  tokens,  not  juxtaposition, are now required for
    concatenation.

That perhaps doesn't state it as clearly as it could, but it means that
"and" has higher precedence than "or", which means that

        src host centernet.jhuccp.org and ip proto \\tcp or \\udp

means

        (src host centernet.jhuccp.org and ip proto \\tcp) or \\udp

which means that it matches packets that are either

        TCP packets from host centernet.jhuccp.org

or

        UDP packets

which means you'll see UDP packets regardless of whether they're from
host centernet.jhuccp.org or not - which is why you're seeing those DNS
packets.

Try

        src host centernet.jhuccp.org and (ip proto \\tcp or \\udp)

instead.

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.