On Dec 18, 2007, at 2:46 AM, Will Barker wrote:
OK - can we go for:
"zero means received, non-zero means sent"
...and 4 bytes long, as per the earlier discussion, or just 1 byte (or
2 bytes)?
Hopefully by "version-specific" you don't mean "specific to the versions
of libpcap and Wiresh
On Dec 19, 2007, at 11:09 AM, Bill Richardson wrote:
Looking at the one system that works I see it is related to Vlan
tagging:
Is the "test.pcap" file the same file in all three examples?
If so, does the "From ..." at the end of the command indicate the
machine on which you're running tcpd
Looking at the one system that works I see it is related to Vlan
tagging:
tcpdump -r test.pcap -nn host 172.21.89.75 "From BigIp box"
08:05:28.729250 802.1Q vlan#88 P0 172.21.89.75.4000 >
172.21.89.70.45647: . 1555:1569(14) ack 3496 win 202
08:05:28.729258 172.21.89.70.45647 > 172.21.89.75.4000: .
This may not be the right list to ask but thought I would give this a
try. I have looked and looked and have not seen anyone with this
problem.
In the past I have been able to take large inclusive tcpdump files and
read them back in with the -r option using tcpdump and BPF them to a
host or port