Re: I've a question about capture result, please

[Darren Reed <Darren.Reed () Oracle COM>]

Benimaur Gao wrote:
> Dear all,
> I tried to capture http traffic by the following command:
> # tcpdump -Ani eth1 'host 10.20.156.9 and tcp port 9003 and
> (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
> (the web application didn't not serve at the conventional 80 port)
>
> but different results was given by two hosts:
>
> skyshouter:~# tcpdump -Ani eth1 'host 10.20.156.9 and tcp port 9003
> and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
...
> # tcpdump -Ani eth0 'host 10.20.141.138 and tcp port 6100 and
> (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes


Lets examine the last line of each of the above outputs:

listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

I'm willing to bet that not much interesting data makes it into the first
96 bytes of a HTTP packet and that you'll need to use "-s 65535" on
the second system in order to get reliable output.

Darren

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.