tcpdump mailing list archives

Re: does "port 25" work?


From: Guy Harris <guy () alum mit edu>
Date: Thu, 31 Jul 2008 20:18:44 -0700


On Jul 31, 2008, at 11:29 AM, U. George wrote:

if i say this:
        tcpdump  -n -v -i eth1

i get a log of: ether type * and port *, ie the PPPoE data.

What you get is a log of "*", i.e. all data. "port *" is irrelevant; not all packets that would match "ether type *" *HAVE* a port number.

If i say
        tcpdump  -n -v -i eth1 port domain

i get a filter of ether (type UDP or TCP) and port domain, and no PPPoE data

"port domain" is equivalent to "tcp port domain or udp port domain", which is equivalent to "(tcp or udp) and (tcp port domain or udp port domain)", which is equivalent to "ip and (tcp or udp) and (tcp port domain or udp port domain)".

For better or worse, "ip" on Ethernet is equivalent to "ether type ip", so "port domain" is equivalent to

"ether type ip and (tcp or udp) and (tcp port domain or udp port domain)".

For better or worse, "ip" doesn't check for every single possible type of IP traffic you could have on an Ethernet; it doesn't check for raw IP-over-Ethernet and IP-over-PPPoE-over-Ethernet and IP-over-VLAN-over-Ethernet and.... Were it to do so, the filter would be more complicated, meaning more CPU time for filtering, and the current code for compiling filters into BPF code might need some significant changes.
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
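As an added illustration (not part of the original thread), the Python below mirrors the two checks Guy describes: the "ether type ip and (tcp or udp) and port 53" test that "port domain" compiles to on Ethernet, and the same test applied after stepping over the PPPoE session and PPP headers, which is what libpcap's "pppoes and port domain" does. The frames are constructed samples (placeholder MACs, zero checksums); the same DNS datagram is wrapped once as raw IP-over-Ethernet and once as IP-over-PPPoE-over-Ethernet to show that the first filter misses the PPPoE copy.

```python
import struct

ETHERTYPE_IP = 0x0800             # what "ether type ip" tests for
ETHERTYPE_PPPOE_SESSION = 0x8864  # PPPoE session-stage frames
PPP_PROTO_IP = 0x0021             # IPv4 inside PPP
PORT_DOMAIN = 53                  # "domain" in /etc/services

def build_ipv4_udp(src_port, dst_port, payload=b"\x00"):
    """Constructed sample IPv4+UDP packet (checksums left zero; enough for offset tests)."""
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 53]))
    return ip_hdr + udp

def ethernet_frame(ethertype, payload):
    # 6-byte dst MAC, 6-byte src MAC (placeholders), 2-byte Ethernet type
    return b"\x02" * 6 + b"\x02" * 6 + struct.pack("!H", ethertype) + payload

def pppoe_session_frame(ip_packet):
    # PPPoE header: ver/type 0x11, code 0 (session data), session id, length; then PPP protocol
    ppp = struct.pack("!H", PPP_PROTO_IP) + ip_packet
    pppoe = struct.pack("!BBHH", 0x11, 0x00, 0x0001, len(ppp)) + ppp
    return ethernet_frame(ETHERTYPE_PPPOE_SESSION, pppoe)

def ipv4_ports(ip):
    """(src, dst) if this is a first-fragment TCP/UDP packet, else None (as libpcap's port test)."""
    if ip[9] not in (6, 17) or (struct.unpack("!H", ip[6:8])[0] & 0x1FFF) != 0:
        return None
    ihl = (ip[0] & 0x0F) * 4
    return struct.unpack("!HH", ip[ihl:ihl + 4])

def match_port_domain(frame):
    """What 'port domain' compiles to on Ethernet: ether type ip and (tcp or udp) and port 53."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IP:
        return False
    ports = ipv4_ports(frame[14:])
    return ports is not None and PORT_DOMAIN in ports

def match_pppoes_port_domain(frame):
    """Same port test after skipping the 6-byte PPPoE and 2-byte PPP headers ('pppoes and port domain')."""
    if (struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_PPPOE_SESSION
            or struct.unpack("!H", frame[20:22])[0] != PPP_PROTO_IP):
        return False
    ports = ipv4_ports(frame[22:])
    return ports is not None and PORT_DOMAIN in ports

# Constructed samples: one DNS datagram, raw over Ethernet and inside a PPPoE session.
DNS_PACKET = build_ipv4_udp(40000, PORT_DOMAIN)
PLAIN_FRAME = ethernet_frame(ETHERTYPE_IP, DNS_PACKET)
PPPOE_FRAME = pppoe_session_frame(DNS_PACKET)
```

Running match_port_domain over both frames gives True for PLAIN_FRAME and False for PPPOE_FRAME, while match_pppoes_port_domain gives the reverse, which is exactly the "no PPPoE data" behaviour asked about.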

