[plug] tcpdump or tethereal parameters

[Jon Miller]

Thanks Luke, again much appreciated.

Jon

Jon L. Miller, MCNE, CNS, ASE
Director/Sr Systems Consultant
MMT Networks Pty Ltd
http://www.mmtnetworks.com.au

"I don't know the key to success, but the key to failure
 is trying to please everybody." -Bill Cosby



>>> ldlist at westnet.com.au 3:56:54 pm 25/05/2004 >>>
In tcpdump, I don't think there's actually any specific filter options 
that will let you do this. However, the filters _will_ let you delve 
into the data inside a packet. So you can look at the source and 
destination port fields of the TCP header, and evaluate that. These 
fields are both two bytes long and sit at byte offset 0 and 2, 
respectively. You'll need to do some hex conversions and bit masking

If you're interested in ports greater than 4096,
4096 decimal = 0x1000

Source port greater than 4096:
# tcpdump -s0 -n 'tcp[0:2] & 0xffff > 0x1000'

Destination port greater than 4096:
# tcpdump -s0 -n 'tcp[2:2] & 0xffff > 0x1000'

Either source or destination port greater than 4096:
# tcpdump -s0 -n '(tcp[0:2] & 0xffff > 0x1000) or (tcp[2:2] & 0xffff > 
0x1000)'

Cheers
Luke


Jon Miller wrote:

>Like to know if there is a way to have either tcpdump or tethereal display ports greater than a certain number instead of putting in each port separately?
>
>Thanks
>
>
>
>Jon L. Miller, MCNE, CNS, ASE
>Director/Sr Systems Consultant
>MMT Networks Pty Ltd
>http://www.mmtnetworks.com.au
>
>"I don't know the key to success, but the key to failure
> is trying to please everybody." -Bill Cosby
>  
>
>------------------------------------------------------------------------
>

_______________________________________________
PLUG discussion list: plug at plug.linux.org.au
http://mail.plug.linux.org.au/cgi-bin/mailman/listinfo/plug
Committee e-mail: committee at plug.linux.org.au
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.plug.org.au/pipermail/plug/attachments/20040525/7a44229d/attachment.htm>