When I hook up to the monitoring port on the HP Procurve switch and run tcpdump, I can see all the traffic. BUT, if I filter (ex: tcpdump -n tcp) nothing shows up at all. No arp, no ip, no tcp....
Have hooked this same box up to a hub and had no problems at all with filtering the packets. Does anyone know what is causing the packets not to filter when hooked up to the switch & know how to get this to work?
The tcpdump command you posted should just print TCP-based packets. Since it's not, I would think the packets being sent out the monitoring port are probably still tagged or encapsulated (like dot1q VLAN trunks, QoS, etc...). If that's the case, then you will probably have to add a tcpdump offset into the captured frame to get at the protocol header to properly filter when using the monitoring port.
BTW: tcpdump supports specifying VLAN IDs as a command line argument. Check the tcpdump man page.
I have a similar problem, the difference being that I'm running tcpdump on a Linux router. I'm trying to capture TCP packets that have the destination port in a specific range. I've read the manual and searched the net and this came up. So I tried
Code:
tcpdump -xs 1500 -i eth0 "tcp[2:2]>=1000 and tcp[2:2]<=2000"
but it didn't capture anything (I sent packets with the destination port in the specified range, so it should have captured them). On the other hand,
Code:
tcpdump -xs 1500 -i eth0 tcp[2:2]=1000
works (it captures packets with dst port = 1000). I can't figure it out. What am I doing wrong here?
if I filter (ex: tcpdump -n tcp) nothing shows up at all. No arp, no ip, no tcp...
This is normal. ARP is a layer-2 protocol. You won't see it if you filter TCP traffic. Most of the traffic you see by typing only
Code:
tcpdump
is layer-2 traffic.
TCP is a layer-4 protocol, so if you wanna see something when you filter the TCP traffic, try generating some traffic using one of the TCP protocols (HTTP, FTP, telnet, SSH, ...)
Then you will see something.
Regarding my problem, I've been told to use the -O option so the packet-matching code optimizer won't be run. The syntax that does what I want would look something like this:
Code:
tcpdump -O -xs 1500 -i eth0 "tcp[2:2]>=1000 and tcp[2:2]<=2000"
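
The two filtering issues raised in this thread, as an added example that is not part of any post: if the mirrored frames carry an 802.1Q tag, as the first reply suggests, the EtherType a plain `tcp` filter inspects moves by 4 bytes, and the destination-port range test reads the same two bytes as `tcp[2:2]`. The frame builder, function names and addresses are constructed for illustration.

```python
import struct

ETH_IP, ETH_VLAN, PROTO_TCP = 0x0800, 0x8100, 6

def build_frame(dst_port, vlan_id=None):
    """Constructed sample: Ethernet + IPv4 + TCP headers, optionally 802.1Q-tagged."""
    macs = bytes(6) + bytes(6)
    tag = struct.pack("!HH", ETH_VLAN, vlan_id) if vlan_id is not None else b""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, PROTO_TCP, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return macs + tag + struct.pack("!H", ETH_IP) + ip + tcp

def tcp_dst_port(frame, vlan_aware):
    """Return the TCP destination port, or None if the frame is not seen as TCP.

    vlan_aware=False reads the EtherType at byte 12 only, like a plain 'tcp' filter.
    vlan_aware=True steps over one 802.1Q tag when present (4-byte shift).
    """
    off = 12
    (ethertype,) = struct.unpack_from("!H", frame, off)
    if vlan_aware and ethertype == ETH_VLAN:
        off += 4
        (ethertype,) = struct.unpack_from("!H", frame, off)
    if ethertype != ETH_IP:
        return None                      # a tagged frame ends here when not vlan_aware
    ip_off = off + 2
    ihl = (frame[ip_off] & 0x0F) * 4     # IPv4 header length in bytes
    if frame[ip_off + 9] != PROTO_TCP:
        return None
    (port,) = struct.unpack_from("!H", frame, ip_off + ihl + 2)  # same bytes as tcp[2:2]
    return port

def in_range(frame, lo, hi, vlan_aware):
    """Destination-port range test, inclusive on both ends."""
    port = tcp_dst_port(frame, vlan_aware)
    return port is not None and lo <= port <= hi

if __name__ == "__main__":
    for vid in (None, 10):
        f = build_frame(1500, vid)
        print("vlan", vid, "plain:", in_range(f, 1000, 2000, False),
              "vlan-aware:", in_range(f, 1000, 2000, True))
```

In tcpdump itself, the `vlan` primitive applies this 4-byte shift for tagged frames (for example `vlan and tcp`), and `tcp dst portrange 1000-2000` expresses the port range directly.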