[plug] tcpdump or tethereal parameters
Luke Dudney
ldlist at westnet.com.au
Tue May 25 15:56:54 WST 2004
In tcpdump, I don't think there are actually any specific filter options
that will let you do this. However, the filters _will_ let you delve
into the data inside a packet. So you can look at the source and
destination port fields of the TCP header, and evaluate that. These
fields are both two bytes long and sit at byte offset 0 and 2,
respectively. You'll need to do some hex conversions and bit masking.
If you're interested in ports greater than 4096,
4096 decimal = 0x1000
Source port greater than 4096:
# tcpdump -s0 -n 'tcp[0:2] & 0xffff > 0x1000'
Destination port greater than 4096:
# tcpdump -s0 -n 'tcp[2:2] & 0xffff > 0x1000'
Either source or destination port greater than 4096:
# tcpdump -s0 -n '(tcp[0:2] & 0xffff > 0x1000) or (tcp[2:2] & 0xffff > 0x1000)'
Cheers
Luke
Jon Miller wrote:
>Like to know if there is a way to have either tcpdump or tethereal display ports greater than a certain number instead of putting in each port separately?
>
>Thanks
>
>
>
>Jon L. Miller, MCNE, CNS, ASE
>Director/Sr Systems Consultant
>MMT Networks Pty Ltd
>http://www.mmtnetworks.com.au
>
>"I don't know the key to success, but the key to failure
> is trying to please everybody." -Bill Cosby
>
>
>------------------------------------------------------------------------
>
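Added example, not part of the original post: a Python sketch of what the tcp[0:2] and tcp[2:2] comparisons in the reply evaluate on an IPv4 packet, run over constructed packets. The function names, addresses and sample ports are assumptions made for illustration.

```python
import struct

def build_ipv4_tcp(sport, dport, ip_options=b"", frag_offset=0):
    """Constructed IPv4+TCP headers (checksums left zero, options padded to 4 bytes)."""
    ihl = 5 + len(ip_options) // 4            # IP header length in 32-bit words
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + 20, 0,
                     frag_offset & 0x1FFF, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + ip_options
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    return ip + tcp

def tcp_field(packet, offset, size):
    """Emulate tcp[offset:size]: a big-endian load relative to the TCP header.

    Returns None where the expression cannot match: not IPv4, not TCP,
    a non-first fragment (no TCP header present), or a truncated packet.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 6:
        return None
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:   # fragment offset != 0
        return None
    start = (packet[0] & 0x0F) * 4 + offset            # skip the variable-length IP header
    data = packet[start:start + size]
    return int.from_bytes(data, "big") if len(data) == size else None

def port_above(packet, threshold=0x1000):
    """(tcp[0:2] & 0xffff > threshold) or (tcp[2:2] & 0xffff > threshold)"""
    src, dst = tcp_field(packet, 0, 2), tcp_field(packet, 2, 2)
    if src is None or dst is None:
        return False
    return (src & 0xFFFF) > threshold or (dst & 0xFFFF) > threshold

if __name__ == "__main__":
    samples = {                                        # all packets are constructed
        "ephemeral source port": build_ipv4_tcp(49152, 80),
        "exactly 4096 (not greater)": build_ipv4_tcp(80, 4096),
        "4097": build_ipv4_tcp(80, 4097),
        "IP options before TCP": build_ipv4_tcp(22, 5000, b"\x01\x01\x01\x00"),
        "non-first fragment": build_ipv4_tcp(50000, 80, frag_offset=100),
    }
    for name, pkt in samples.items():
        print(f"{name:28} src={tcp_field(pkt, 0, 2)} dst={tcp_field(pkt, 2, 2)} "
              f"match={port_above(pkt)}")
```

The comparison is strict, so port 4096 itself does not match, and the offsets count from the start of the TCP header, not the start of the packet.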