On 2010-05-25, Daniel Bareiro <[email protected]> wrote:
>
> I'm trying to use tcpdump in OpenBSD 4.6 with a syntax similar to the
> following:
>
> # tcpdump -vvv udp and port 5060 or portrange 10000-2000 -s0 \
>   -i eht0 -w eavesdropping_ulaw.dump

you can do something like

# tcpdump -vvv -n -s 1500 'udp and port 5060 or (udp[0:2] >= 10000 and udp[0:2] <= 20000) or (udp[2:2] >= 10000 and udp[2:2] <= 20000)'

if you are interested in how this works, look at the udp header format.
http://www.rhyshaden.com/udp.htm

> In this case, the interface is em0, but I see that with this tcpdump
> version there is no parameter 'portrange'. I'm using a version compiled
> with the source code obtained by anoncvs, because I wanted to install
> with pkg_add but it was not available. I tried as follows, but without
> success:

tcpdump from OpenBSD base is quite different from the tcpdump.org version.
notably it has privilege separation. you do *not* want to run the
dissectors as root. (if you must use their code, capture and write to a
file, then run the dissectors on the file *as an unprivileged user*).

> # tcpdump -vv udp and port 5060 or "port >= 10000 and port <= 20000" -s0 \
>   -i em0 -w eavesdropping_ulaw.dump
> tcpdump: syntax error

here, you are mixing up options with your filter. it certainly won't work
with our version, I'd be surprised if it works with theirs.
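The reply's filter relies on the layout of the UDP header: udp[0:2] is the 16-bit source port and udp[2:2] the 16-bit destination port, both big-endian, and the offsets count from the start of the UDP header, not the IP packet. The following Python script is an added illustration, not code from the thread or from OpenBSD; it builds a few constructed IPv4/UDP packets in memory and evaluates the same predicate the filter expresses, so you can see which packets the expression would capture. The helper names (build_ipv4_udp, udp_field, matches_filter) and the sample addresses are assumptions made for this example.

```python
import struct

UDP_PROTO = 17


def build_ipv4_udp(src_port, dst_port, payload=b"", proto=UDP_PROTO, frag_off=0):
    """Build a minimal IPv4 packet carrying a UDP header (constructed test data,
    no Ethernet frame). proto/frag_off are exposed so non-UDP and fragmented
    packets can be constructed for the negative cases."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", src_port, dst_port, udp_len, 0) + payload
    ip = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + udp_len, 0, frag_off & 0x1FFF, 64, proto, 0,
        bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]),  # RFC 5737 test addresses (constructed)
    )
    return ip + udp


def udp_header(pkt):
    """Return the 8-byte UDP header of an IPv4 packet, or None if the packet is
    not UDP or is a later fragment (only the first fragment carries the
    transport header, which is also why BPF checks the fragment offset)."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    frag_off = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    if proto != UDP_PROTO or frag_off != 0:
        return None
    return pkt[ihl:ihl + 8]


def udp_field(pkt, off, length):
    """Equivalent of tcpdump's udp[off:length]: a big-endian integer read from
    the UDP header. Returns None when the packet has no UDP header."""
    hdr = udp_header(pkt)
    if hdr is None:
        return None
    return int.from_bytes(hdr[off:off + length], "big")


def matches_filter(pkt, lo=10000, hi=20000, sig_port=5060):
    """Evaluate the reply's filter in Python:
       udp and port 5060
       or (udp[0:2] >= lo and udp[0:2] <= hi)
       or (udp[2:2] >= lo and udp[2:2] <= hi)
    'port N' matches either source or destination port."""
    if udp_header(pkt) is None:
        return False
    sport = udp_field(pkt, 0, 2)
    dport = udp_field(pkt, 2, 2)
    return (sport == sig_port or dport == sig_port
            or lo <= sport <= hi or lo <= dport <= hi)


if __name__ == "__main__":
    samples = {
        "SIP signalling":  build_ipv4_udp(5060, 40000),
        "RTP in range":    build_ipv4_udp(40000, 15000),
        "out of range":    build_ipv4_udp(30000, 25000),
        "TCP, not UDP":    build_ipv4_udp(5060, 40000, proto=6),
        "later fragment":  build_ipv4_udp(5060, 40000, frag_off=185),
    }
    for name, pkt in samples.items():
        print(f"{name:16s} -> {matches_filter(pkt)}")
```

The port-range arithmetic is the part that "portrange" would have hidden; the same byte-offset form works on any libpcap-based tcpdump, old or new. Note that a packet captured with a snaplen too small to include the UDP header can never match such a filter, which is why the reply raises the snaplen with -s 1500.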

