Re: I've a question about capture result, please

[Benimaur Gao <benimaur () gmail com>]

yes, I neglected the crucial '-s' parameter...
thank you!

On Fri, Apr 1, 2011 at 1:10 PM, Darren Reed <Darren.Reed () oracle com> wrote:
> Benimaur Gao wrote:
> > Dear all,
> > I tried to capture http traffic by the following command:
> > # tcpdump -Ani eth1 'host 10.20.156.9 and tcp port 9003 and
> > (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
> > (the web application didn't not serve at the conventional 80 port)
> >
> > but different results was given by two hosts:
> >
> > skyshouter:~# tcpdump -Ani eth1 'host 10.20.156.9 and tcp port 9003
> > and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
> > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> > listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
>
> ...
> > # tcpdump -Ani eth0 'host 10.20.141.138 and tcp port 6100 and
> > (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
> > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> > listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
>
>
> Lets examine the last line of each of the above outputs:
>
> listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
>
> I'm willing to bet that not much interesting data makes it into the first
> 96 bytes of a HTTP packet and that you'll need to use "-s 65535" on
> the second system in order to get reliable output.
>
> Darren
>
> -
> This is the tcpdump-workers list.
> Visit https://cod.sandelman.ca/ to unsubscribe.
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.