Hi I have a little problem with this tcpdump.
I have to understand how many messages are sent by netspyd when a user logged in to shakti.

I saw that 7 times an user logs into shakti but there are 8 packets on tcpdump.. how can know the number of messages sent by netspyd?

[guest@shakti guest]$ sudo tcpdump ip multicast
Password:
tcpdump: listening on eth0
20:49:19.807880 shakti.1501 > 224.111.111.111.1500: udp 38 (DF) [ttl 1]
20:49:25.827881 shakti.1501 > 224.111.111.111.1500: udp 38 (DF) [ttl 1]
20:49:43.887880 shakti.1501 > 224.111.111.111.1500: udp 41 (DF) [ttl 1]
20:50:01.947882 shakti.1501 > 224.111.111.111.1500: udp 41 (DF) [ttl 1]
20:50:07.967764 shakti.1501 > 224.111.111.111.1500: udp 38 (DF) [ttl 1]
20:50:20.007885 shakti.1501 > 224.111.111.111.1500: udp 38 (DF) [ttl 1]
20:50:26.027772 shakti.1501 > 224.111.111.111.1500: udp 41 (DF) [ttl 1]
20:50:38.067903 shakti.1501 > 224.111.111.111.1500: udp 41 (DF) [ttl 1]

8 packets received by filter
0 packets dropped by kernel

[guest@shakti guest]$ netspyd 224.111.111.111 1500 1
netspyd started :
[local address : shakti:1501]
[multicast group : 224.111.111.111:1500]

== : guest logged on to shakti at 07:50 PM, pid=3472
== : guest logged on to shakti at 08:44 PM, pid=4026
== : guest logged on to shakti at 08:46 PM, pid=4026
== : guest logged on to shakti at 08:49 PM, pid=4114
== : guest logged on to shakti at 08:49 PM, pid=4116
== : guest logged out from shakti at 08:49 PM, pid=4114
== : guest logged out from shakti at 08:49 PM, pid=4116
== : guest logged on to shakti at 08:50 PM, pid=4187
== : guest logged on to shakti at 08:50 PM, pid=4224
== : guest logged out from shakti at 08:50 PM, pid=4224

Try to write the raw packets to a file with -w and open it with Wireshark for more details.

It appears that his may be a homework assignment. We have a policy against doing other peoples homework. We can help you with particular questions, if the details indicate that you have done your homework, and you have a particular question.

The "last" command would be a better method of determining how many times a user logged in in the past.

Also, the IP address being used is in the Multicasting address space. Please provide more information on what you are doing. Port 1500 indicates "VLSI License Manager".