tcpdump mailing list archives

Re: Sniffing inbound ethernet frames only

From: Jefferson Ogata <Jefferson.Ogata () noaa gov>
Date: Sun, 22 Oct 2006 01:51:59 +0000

On 2006-10-20 16:24, Jost-DVSB () t-online de wrote:

I have a Linux box with two Fast Ethernet interfaces.
In two separate windows on the desktop I want to see
all inbound ethernet frames (from the wire), but not
the ethernet frames coming down the local network stack.
In the left window tcpdump should run to catch all
incoming ethernet frames from interface eth0.
In the right window tcpdump should run to catch all
incoming ethernet frames from interface eth1.
All outgoing ethernet frames must not be displayed.
Both tcpdump processes must run in parallel.

The keyword inbound cannot be used with link level.
Which tcpdump expression solves the problem?


Have you tried

left window: not ether src mac:addr:of:eth0
right window: not ether src mac:addr:of:eth1

?

-- 
Jefferson Ogata <Jefferson.Ogata () noaa gov>
NOAA Computer Incident Response Team (N-CIRT) <ncirt () noaa gov>
"Never try to retrieve anything from a bear."--National Park Service
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.

Current thread:

Sniffing inbound ethernet frames only Jost-DVSB (Oct 21)
- Re: Sniffing inbound ethernet frames only Jefferson Ogata (Oct 21)
  - Re: Sniffing inbound ethernet frames only Jost-DVSB (Oct 23)
    - Re: Sniffing inbound ethernet frames only Jefferson Ogata (Oct 23)
    - why not filtering at driver level ? madhuresh (Oct 23)
    - Re: why not filtering at driver level ? Guy Harris (Oct 23)
    - Re: why not filtering at driver level ? madhuresh (Oct 23)
    - Re: why not filtering at driver level ? Guy Harris (Oct 23)
    - Re: why not filtering at driver level ? madhuresh (Oct 23)
    - Re: why not filtering at driver level ? Guy Harris (Oct 23)
    - Re: why not filtering at driver level ? Guy Harris (Oct 23)
    - Re: why not filtering at driver level ? Jefferson Ogata (Oct 23)

(Thread continues...)