tcpdump mailing list archives
Re: I've a question about capture result, please
From: Benimaur Gao <benimaur () gmail com>
Date: Fri, 1 Apr 2011 15:15:04 +0800
yes, I neglected the crucial '-s' parameter... thank you!

On Fri, Apr 1, 2011 at 1:10 PM, Darren Reed <Darren.Reed () oracle com> wrote:
> Benimaur Gao wrote:
>> Dear all,
>> I tried to capture http traffic by the following command:
>>
>> # tcpdump -Ani eth1 'host 10.20.156.9 and tcp port 9003 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
>>
>> (the web application did not serve on the conventional port 80)
>> but different results were given by two hosts:
>>
>> skyshouter:~# tcpdump -Ani eth1 'host 10.20.156.9 and tcp port 9003 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
>> ...
>> # tcpdump -Ani eth0 'host 10.20.141.138 and tcp port 6100 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
>
> Let's examine the last line of each of the above outputs:
>
> listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
>
> I'm willing to bet that not much interesting data makes it into the first 96 bytes of an HTTP packet and that you'll need to use "-s 65535" on the second system in order to get reliable output.
>
> Darren

- This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.
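The filter in the thread selects TCP segments whose payload length (IP total length minus IP header length minus TCP header length) is non-zero, and Darren's point is that a 96-byte snaplen keeps those header fields intact, so the filter still matches, while cutting off almost all of the HTTP payload that -A would print. The following is an added example, not code from the thread or from tcpdump: it builds a constructed IPv4/TCP packet carrying a sample request, evaluates the same byte-offset arithmetic the filter uses, and shows how many payload bytes survive at each snaplen (assuming a 14-byte EN10MB Ethernet header).

```python
import struct

ETH_HDR_LEN = 14  # EN10MB link-type header, counted against the snaplen

# Constructed sample request; the address and port are the ones in the thread.
REQUEST = b"GET /index.html HTTP/1.1\r\nHost: 10.20.156.9:9003\r\n\r\n"


def build_ipv4_tcp(payload: bytes, tcp_opts: bytes = b"") -> bytes:
    """Build a minimal IPv4+TCP packet (no Ethernet header); checksums left zero."""
    ihl = 5                                   # 20-byte IP header, no options
    doff = 5 + len(tcp_opts) // 4             # TCP data offset in 32-bit words
    total_len = ihl * 4 + doff * 4 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0, 0,
                         64, 6, 0, bytes([10, 20, 141, 138]), bytes([10, 20, 156, 9]))
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 9003, 1, 1, doff << 4, 0x18,
                          8192, 0, 0) + tcp_opts
    return ip_hdr + tcp_hdr + payload


def tcp_payload_len(ip: bytes) -> int:
    """Evaluate the filter arithmetic: ip[2:2] - ((ip[0]&0xf)<<2) - ((tcp[12]&0xf0)>>2)."""
    ip_total = struct.unpack("!H", ip[2:4])[0]      # ip[2:2]: IP total length
    ip_hlen = (ip[0] & 0x0F) << 2                   # IHL in words -> bytes
    tcp = ip[ip_hlen:]                              # tcp[...] offsets start here
    tcp_hlen = (tcp[12] & 0xF0) >> 2                # data offset in words -> bytes
    return ip_total - ip_hlen - tcp_hlen


def matches_filter(ip: bytes) -> bool:
    """True when the segment carries payload, i.e. the filter's '!= 0' clause holds."""
    return tcp_payload_len(ip) != 0


def captured_payload(ip: bytes, snaplen: int) -> bytes:
    """Payload bytes that survive capture at the given snaplen (what -A can print)."""
    ip_hlen = (ip[0] & 0x0F) << 2
    tcp_hlen = (ip[ip_hlen + 12] & 0xF0) >> 2
    kept = ip[: max(0, snaplen - ETH_HDR_LEN)]      # truncation keeps the headers
    return kept[ip_hlen + tcp_hlen:]


if __name__ == "__main__":
    pkt = build_ipv4_tcp(REQUEST)
    print("payload bytes per filter:", tcp_payload_len(pkt))
    for snaplen in (96, 65535):
        print(f"-s {snaplen}: {len(captured_payload(pkt, snaplen))} payload bytes captured")
```

Note that `matches_filter` returns True even on the 96-byte truncated copy, which is why the second host's tcpdump prints matching packets but shows almost no HTTP text.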