tcpdump mailing list archives

Re: does "port 25" work?


From: Guy Harris <guy () alum mit edu>
Date: Thu, 31 Jul 2008 10:42:57 -0700


On Jul 31, 2008, at 5:52 AM, U. George wrote:

> BUT if i remove the 'port domain' i see all the packets:
>
> [root@laptopserver gat]# /usr/sbin/tcpdump -v -n -i eth1
> tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
> 08:49:38.834343 PPPoE [ses 0xea20] [length 48 (4 extra bytes)] IP (tos 0x0, ttl 236, id 50854, offset 0, flags [DF], proto 6, length: 44) 59.151.50.248.45573 > 71.247.232.63.domain: S [tcp sum ok] 1445792188:1445792188(0) win 8190 <mss 1460>

You're capturing on an Ethernet that's carrying PPPoE traffic.

The filter "port domain" will capture packets that have an Ethernet type of 0x0800 (IPv4), an IP packet type of UDP or TCP, and a UDP or TCP port number of 25.

It will not capture *ANY* PPPoE traffic, as it has a different Ethernet type.

If the DNS requests are on PPPoE, then, at least with a sufficiently recent version of libpcap, the filter

        pppoes and port domain

should capture them. If you want to capture non-PPPoE DNS requests as well, try

        port domain or (pppoes and port domain)
-
This is the tcpdump-workers list.
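Added illustration of the point made in the reply above (this script is not part of the thread and not tcpdump or libpcap code): it builds two constructed Ethernet frames carrying the same DNS packet, one with Ethernet type 0x0800 and one wrapped in a PPPoE session (Ethernet type 0x8864, PPP protocol 0x0021), then applies hand-written equivalents of the filters "port domain", "pppoes and port domain" and their "or" combination. The port test follows the description in the reply (IPv4, TCP or UDP, first fragment, source or destination port 53, i.e. "domain"); a current libpcap also matches IPv6 and SCTP for "port", which this example does not model. MAC addresses, the UDP query and the HTTP control frame are made up; the TCP SYN reuses the addresses, ports and sequence number from the posted capture line.

```python
import socket
import struct

ETHERTYPE_IPV4 = 0x0800           # plain IPv4 over Ethernet
ETHERTYPE_PPPOE_SESSION = 0x8864  # PPPoE session stage ("pppoes" in pcap-filter)
PPP_PROTO_IPV4 = 0x0021           # IPv4 carried inside PPP
IPPROTO_TCP = 6
IPPROTO_UDP = 17
PORT_DOMAIN = 53                  # "domain" in /etc/services


def ipv4_packet(src, dst, proto, l4):
    """Minimal IPv4 header (no options, checksum left zero) in front of an L4 segment."""
    total_len = 20 + len(l4)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + l4


def udp_segment(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def tcp_syn_segment(sport, dport):
    """20-byte TCP header with only SYN set, window 8190, as in the posted capture line."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1445792188, 0, 5 << 4, 0x02, 8190, 0, 0)


def ethernet_frame(ethertype, payload):
    dst = bytes.fromhex("001122334455")  # constructed MAC addresses
    src = bytes.fromhex("66778899aabb")
    return dst + src + struct.pack("!H", ethertype) + payload


def pppoe_session_frame(session_id, ip_packet):
    """IPv4 wrapped as Ethernet / PPPoE session header (ver 1, type 1, code 0) / PPP protocol field."""
    ppp = struct.pack("!H", PPP_PROTO_IPV4) + ip_packet
    pppoe = struct.pack("!BBHH", 0x11, 0x00, session_id, len(ppp)) + ppp
    return ethernet_frame(ETHERTYPE_PPPOE_SESSION, pppoe)


def _ipv4_has_port(ip, port):
    """What 'port N' checks on an IPv4 packet: TCP or UDP, first fragment, sport or dport == N."""
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return False
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    frag_off = struct.unpack("!H", ip[6:8])[0] & 0x1FFF
    if proto not in (IPPROTO_TCP, IPPROTO_UDP) or frag_off != 0 or len(ip) < ihl + 4:
        return False
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return port in (sport, dport)


def ethertype(frame):
    return struct.unpack("!H", frame[12:14])[0]


def match_port_domain(frame):
    """'port domain': only frames whose Ethernet type is IPv4 are even looked at."""
    return ethertype(frame) == ETHERTYPE_IPV4 and _ipv4_has_port(frame[14:], PORT_DOMAIN)


def match_pppoes_and_port_domain(frame):
    """'pppoes and port domain': PPPoE session frame, PPP protocol IPv4, then the same port test."""
    if ethertype(frame) != ETHERTYPE_PPPOE_SESSION or len(frame) < 22:
        return False
    ver_type, code, _sess, _plen, ppp_proto = struct.unpack("!BBHHH", frame[14:22])
    if ver_type != 0x11 or code != 0x00 or ppp_proto != PPP_PROTO_IPV4:
        return False
    return _ipv4_has_port(frame[22:], PORT_DOMAIN)


def match_either(frame):
    """'port domain or (pppoes and port domain)'."""
    return match_port_domain(frame) or match_pppoes_and_port_domain(frame)


# Constructed traffic: the TCP SYN to port 53 from the posted capture, once plain and once in
# PPPoE session 0xea20, a UDP DNS query in PPPoE, and a PPPoE HTTP SYN that no DNS filter should match.
DNS_SYN = ipv4_packet("59.151.50.248", "71.247.232.63", IPPROTO_TCP, tcp_syn_segment(45573, PORT_DOMAIN))
HTTP_SYN = ipv4_packet("59.151.50.248", "71.247.232.63", IPPROTO_TCP, tcp_syn_segment(45574, 80))
DNS_QUERY = ipv4_packet("10.0.0.2", "10.0.0.1", IPPROTO_UDP, udp_segment(40000, PORT_DOMAIN, b"\x00" * 12))

FRAMES = {
    "plain_dns": ethernet_frame(ETHERTYPE_IPV4, DNS_SYN),
    "pppoe_dns": pppoe_session_frame(0xEA20, DNS_SYN),
    "pppoe_dns_udp": pppoe_session_frame(0xEA20, DNS_QUERY),
    "pppoe_http": pppoe_session_frame(0xEA20, HTTP_SYN),
}


def run_filters():
    """Apply the three filters to each frame; returns {name: (port domain, pppoes and port domain, either)}."""
    return {name: (match_port_domain(f), match_pppoes_and_port_domain(f), match_either(f))
            for name, f in FRAMES.items()}


if __name__ == "__main__":
    for name, (plain, pppoes, either) in run_filters().items():
        print(f"{name:14s} port domain={plain!s:5} pppoes and port domain={pppoes!s:5} either={either}")
```

Running it shows the plain frame matching only "port domain", both PPPoE DNS frames matching only "pppoes and port domain", the HTTP frame matching nothing, and the "or" filter catching every DNS frame regardless of encapsulation. The same can be checked against the real compiler with `tcpdump -d 'pppoes and port domain'`, which prints the BPF program and makes the 0x8864 / 0x0021 tests visible.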