--- Guy Harris <[EMAIL PROTECTED]> wrote:
>
> On Mar 31, 2005, at 7:20 AM, Gabriel wrote:
>
> > Hello, I tried using tcpdump -xs 1500 -i eth0
> > "tcp[2:2]>=1000 and tcp[2:2]<=2000" but it doesn't
> > capture anything. When I tried tcpdump -xs 1500 -i
> > eth0 tcp[2:2]=1500 it worked out fine (it captured
> > everything with the dst port 1500). I'm using linux
> > with bash as a shell. What am I doing wrong?
>
> What you're doing wrong might be "assuming that
> libpcap is bug-free".
>
> Does
>
> tcpdump -O -xs 1500 -i eth0 "tcp[2:2]>=1000 and tcp[2:2]<=2000"
>
> work?

Yes, it works when I use the -O option. Thanks.

> If so, what do
>
> tcpdump -d -i eth0 "tcp[2:2]>=1000 and tcp[2:2]<=2000"
>
> and
>
> tcpdump -O -d -i eth0 "tcp[2:2]>=1000 and tcp[2:2]<=2000"
>
> print?

The output of the first one is:
---------
[EMAIL PROTECTED]:~> sudo tcpdump -d -i eth0 "tcp[2:2]>=1000 and tcp[2:2]<=2000"
(000) ldh [12]
(001) jeq #0x800 jt 2 jf 12
(002) ldb [23]
(003) jeq #0x6 jt 4 jf 12
(004) ldh [20]
(005) jset #0x1fff jt 12 jf 6
(006) ldxb 4*([14]&0xf)
(007) ldh [x + 16]
(008) ldx #0x3e8
(009) jge x jt 10 jf 12
(010) jgt x jt 12 jf 11
(011) ret #96
(012) ret #0
--------------

the last one:
--------
[EMAIL PROTECTED]:~> sudo tcpdump -O -d -i eth0 "tcp[2:2]>=1000 and tcp[2:2]<=2000"
(000) ldh [12]
(001) jeq #0x800 jt 2 jf 51
(002) ldh [12]
(003) jeq #0x86dd jt 4 jf 6
(004) ldb [20]
(005) jeq #0x6 jt 10 jf 6
(006) ldh [12]
(007) jeq #0x800 jt 8 jf 51
(008) ldb [23]
(009) jeq #0x6 jt 10 jf 51
(010) ldh [20]
(011) jset #0x1fff jt 51 jf 12
(012) ld #0x2
(013) st M[0]
(014) ldxb 4*([14]&0xf)
(015) ld M[0]
(016) add x
(017) tax
(018) ldh [x + 14]
(019) st M[1]
(020) ld #0x3e8
(021) st M[2]
(022) ldx M[2]
(023) ld M[1]
(024) jge x jt 25 jf 51
(025) ldh [12]
(026) jeq #0x800 jt 27 jf 51
(027) ldh [12]
(028) jeq #0x86dd jt 29 jf 31
(029) ldb [20]
(030) jeq #0x6 jt 35 jf 31
(031) ldh [12]
(032) jeq #0x800 jt 33 jf 51
(033) ldb [23]
(034) jeq #0x6 jt 35 jf 51
(035) ldh [20]
(036) jset #0x1fff jt 51 jf 37
(037) ld #0x2
(038) st M[2]
(039) ldxb 4*([14]&0xf)
(040) ld M[2]
(041) add x
(042) tax
(043) ldh [x + 14]
(044) st M[3]
(045) ld #0x7d0
(046) st M[4]
(047) ldx M[4]
(048) ld M[3]
(049) jgt x jt 51 jf 50
(050) ret #96
(051) ret #0
--------
(I hope the paste will look ok...)

I'm using libpcap 0.8.3 which is the latest version afaik. Don't know if it's bug-free though.

Thanks for your answer.

> -
> This is the tcpdump-workers list.
> Visit https://lists.sandelman.ca/ to unsubscribe.
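The two listings in the message can be checked offline without an interface or root. The following is an added example, not code from the tcpdump/libpcap project or from anyone in the thread: a toy interpreter for the subset of classic-BPF instructions that `tcpdump -d` printed above. Both programs are transcribed from the message (joined with `;` separators only to keep the block short); the Ethernet/IPv4/TCP frames it evaluates them over are constructed here, and the function and constant names (`parse_listing`, `run_bpf`, `tcp_frame`, `accepts`, `OPTIMIZED`, `UNOPTIMIZED`) are the example's own.

```python
"""Toy interpreter for classic-BPF listings in the 'tcpdump -d' output format.
Only the instruction forms the two listings from the message use are implemented;
the Ethernet/IPv4/TCP test frames are constructed here, not captured."""
import re
import struct

# Transcribed from the message: 'tcpdump -d' (optimizer on) for
# "tcp[2:2]>=1000 and tcp[2:2]<=2000". Note that nothing reloads X before (010).
OPTIMIZED = """
(000) ldh [12]; (001) jeq #0x800 jt 2 jf 12; (002) ldb [23]; (003) jeq #0x6 jt 4 jf 12;
(004) ldh [20]; (005) jset #0x1fff jt 12 jf 6; (006) ldxb 4*([14]&0xf); (007) ldh [x + 16];
(008) ldx #0x3e8; (009) jge x jt 10 jf 12; (010) jgt x jt 12 jf 11; (011) ret #96; (012) ret #0
"""
# Transcribed from the message: 'tcpdump -O -d' (optimizer off), same filter.
UNOPTIMIZED = """
(000) ldh [12]; (001) jeq #0x800 jt 2 jf 51; (002) ldh [12]; (003) jeq #0x86dd jt 4 jf 6;
(004) ldb [20]; (005) jeq #0x6 jt 10 jf 6; (006) ldh [12]; (007) jeq #0x800 jt 8 jf 51;
(008) ldb [23]; (009) jeq #0x6 jt 10 jf 51; (010) ldh [20]; (011) jset #0x1fff jt 51 jf 12;
(012) ld #0x2; (013) st M[0]; (014) ldxb 4*([14]&0xf); (015) ld M[0]; (016) add x; (017) tax;
(018) ldh [x + 14]; (019) st M[1]; (020) ld #0x3e8; (021) st M[2]; (022) ldx M[2]; (023) ld M[1];
(024) jge x jt 25 jf 51; (025) ldh [12]; (026) jeq #0x800 jt 27 jf 51; (027) ldh [12];
(028) jeq #0x86dd jt 29 jf 31; (029) ldb [20]; (030) jeq #0x6 jt 35 jf 31; (031) ldh [12];
(032) jeq #0x800 jt 33 jf 51; (033) ldb [23]; (034) jeq #0x6 jt 35 jf 51; (035) ldh [20];
(036) jset #0x1fff jt 51 jf 37; (037) ld #0x2; (038) st M[2]; (039) ldxb 4*([14]&0xf);
(040) ld M[2]; (041) add x; (042) tax; (043) ldh [x + 14]; (044) st M[3]; (045) ld #0x7d0;
(046) st M[4]; (047) ldx M[4]; (048) ld M[3]; (049) jgt x jt 51 jf 50; (050) ret #96; (051) ret #0
"""

INSN_RE = re.compile(r"^\((\d+)\)\s+(\w+)\s*(.*)$")

def parse_listing(text):
    """Return [(mnemonic, operand-text), ...], checking the (nnn) numbering is contiguous."""
    prog = []
    for item in re.split(r"[;\n]", text):
        item = item.strip()
        if not item:
            continue
        idx, op, arg = INSN_RE.match(item).groups()
        if int(idx) != len(prog):
            raise ValueError("listing out of order at %r" % item)
        prog.append((op, arg))
    return prog

def run_bpf(prog, pkt):
    """Execute prog over frame bytes pkt; return the accept length (0 = reject)."""
    A, X, M, pc = 0, 0, [0] * 16, 0
    mem = lambda s: int(re.search(r"M\[(\d+)\]", s).group(1))
    imm = lambda s: int(s.lstrip("#"), 0)
    for _ in range(len(prog)):           # cBPF jumps only forward, so len(prog) steps suffice
        op, arg = prog[pc]
        if op == "ret":
            return imm(arg)
        if op in ("ldh", "ldb"):         # A = pkt[k] or pkt[x+k], 1 or 2 bytes big-endian
            off = int(re.search(r"(\d+)\]", arg).group(1)) + (X if "x" in arg else 0)
            width = 2 if op == "ldh" else 1
            if off + width > len(pkt):
                return 0                 # out-of-range load rejects the packet
            A = int.from_bytes(pkt[off:off + width], "big")
        elif op == "ldxb":               # X = 4 * (pkt[k] & 0xf): the IPv4 header length
            k = int(re.search(r"\[(\d+)\]", arg).group(1))
            X = 4 * (pkt[k] & 0xF)
        elif op == "ld":
            A = M[mem(arg)] if arg.startswith("M") else imm(arg)
        elif op == "ldx":
            X = M[mem(arg)] if arg.startswith("M") else imm(arg)
        elif op == "st":
            M[mem(arg)] = A
        elif op == "add":                # only the 'add x' form appears in the listings
            A = (A + X) & 0xFFFFFFFF
        elif op == "tax":
            X = A
        elif op in ("jeq", "jset", "jge", "jgt"):
            src, jt, jf = re.match(r"(#\S+|x)\s+jt\s+(\d+)\s+jf\s+(\d+)", arg).groups()
            rhs = X if src == "x" else imm(src)
            taken = {"jeq": A == rhs, "jset": (A & rhs) != 0,
                     "jge": A >= rhs, "jgt": A > rhs}[op]
            pc = int(jt) if taken else int(jf)
            continue
        else:
            raise NotImplementedError(op)
        pc += 1
    raise RuntimeError("program ran off the end")

def tcp_frame(dport, ihl=5):
    """Constructed Ethernet/IPv4/TCP frame (not a real capture); only dport and ihl matter."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = bytes([0x40 | ihl, 0]) + struct.pack("!HHHBBH4s4s", 20 + 4 * ihl, 0, 0, 64, 6, 0,
                                              bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    ip += b"\x00" * (4 * ihl - 20)       # zero-filled IP options when ihl > 5
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return eth + ip + tcp

def accepts(listing, dport, ihl=5):
    """True if the listed filter accepts a TCP segment to destination port dport."""
    return run_bpf(parse_listing(listing), tcp_frame(dport, ihl)) != 0

if __name__ == "__main__":
    for port in (999, 1000, 1500, 2000, 2001):
        print(port, "optimized:", accepts(OPTIMIZED, port), "unoptimized:", accepts(UNOPTIMIZED, port))
```

Running it reproduces the poster's symptom: the unoptimized program accepts ports 1000 through 2000, while the optimized program accepts only port 1000. The reason is visible in the listings themselves: in the unoptimized version the upper bound 0x7d0 (2000) is loaded at (045) before the `jgt` at (049), but in the optimized version both the `jge` at (009) and the `jgt` at (010) compare against the X register that (008) set to 0x3e8 (1000), so the second comparison tests `dport > 1000` instead of `dport > 2000`. Reading the `-d` output, or evaluating it on a known frame as above, is a cheap way to confirm that a capture filter actually does what you typed before relying on it for monitoring.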