Hi, Stuart.
On Tuesday, May 25, 2010, Stuart Henderson wrote:

>> I'm trying to use tcpdump in OpenBSD 4.6 with a syntax similar to the
>> following:
>>
>> # tcpdump -vvv udp and port 5060 or portrange 10000-2000 -s0 \
>>   -i eht0 -w eavesdropping_ulaw.dump

> you can do something like
>
> # tcpdump -vvv -n -s 1500 'udp and port 5060 or (udp[0:2] >= 10000 and
> udp[0:2] <= 20000) or (udp[2:2] >= 10000 and udp[2:2] <= 20000)'
>
> if interested in how this works, look at the udp header format.
> http://www.rhyshaden.com/udp.htm

Perfect! This really worked for me :)

>> In this case, the interface is em0, but I see that with this tcpdump
>> version there is no parameter 'portrange'. I'm using a version
>> compiled with the source code obtained by anoncvs, because I wanted
>> to install with pkg_add but it was not available. I tried as follows,
>> but without success:

> tcpdump from OpenBSD base is quite different from the tcpdump.org version.
> notably it has privilege separation. you do *not* want to run the dissectors
> as root. (if you must use their code, capture and write to a file, then
> run the dissectors on the file *as an unprivileged user*).

Thanks for pointing out these differences.

>> # tcpdump -vv udp and port 5060 or "port >= 10000 and port <= 20000" -s0 \
>>   -i em0 -w eavesdropping_ulaw.dump
>> tcpdump: syntax error

> here, you are mixing up options with your filter. it certainly won't work
> with our version, I'd be surprised if it works with theirs.

Well, now that I've tested, it does not work. But using the syntax of your
example, it works on both OpenBSD and GNU/Linux.

Thank you very much for your answer.

Regards,
Daniel
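The reason Stuart's `udp[0:2]` / `udp[2:2]` expression can stand in for `portrange` is that the UDP header stores the source port in bytes 0-1 and the destination port in bytes 2-3, both big-endian. The following is an added illustration, not code from the thread or from either tcpdump: it builds the same filter string from a port range, and applies the same match logic to constructed UDP headers so you can see which packets the capture would keep. Header values (ports 12000, 54000, 53, 33333) are constructed for the example.

```python
import struct
from typing import Optional, Tuple


def udp_ports(udp_header: bytes) -> Tuple[int, int]:
    """Return (source port, destination port) from a UDP header.

    udp[0:2] in tcpdump is the 16-bit source port, udp[2:2] the destination
    port; both are in network (big-endian) byte order.
    """
    if len(udp_header) < 8:
        raise ValueError("a UDP header is 8 bytes: sport, dport, length, checksum")
    sport, dport = struct.unpack("!HH", udp_header[:4])
    return sport, dport


def build_udp_header(sport: int, dport: int, length: int = 8, checksum: int = 0) -> bytes:
    """Construct a minimal UDP header (constructed sample data, no payload)."""
    return struct.pack("!HHHH", sport, dport, length, checksum)


def portrange_filter(lo: int, hi: int, extra_port: Optional[int] = None) -> str:
    """Build the tcpdump expression used in the thread for a port range.

    tcpdump's 'and' binds tighter than 'or', so the result reads as
    (udp and port N) or (sport in range) or (dport in range).
    """
    expr = (f"(udp[0:2] >= {lo} and udp[0:2] <= {hi}) or "
            f"(udp[2:2] >= {lo} and udp[2:2] <= {hi})")
    if extra_port is not None:
        expr = f"udp and port {extra_port} or " + expr
    return expr


def matches(udp_header: bytes, lo: int, hi: int, extra_port: Optional[int] = None) -> bool:
    """Evaluate the same filter in Python against one UDP header."""
    sport, dport = udp_ports(udp_header)
    if extra_port is not None and extra_port in (sport, dport):
        return True  # the 'port N' primitive matches either direction
    return lo <= sport <= hi or lo <= dport <= hi


if __name__ == "__main__":
    print(portrange_filter(10000, 20000, 5060))
    # Constructed samples: SIP signalling, RTP media in range, DNS (should be dropped).
    for hdr in (build_udp_header(5060, 40000), build_udp_header(33000, 12000),
                build_udp_header(53, 33333)):
        print(udp_ports(hdr), matches(hdr, 10000, 20000, 5060))
```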

