LinuxQuestions.org
Forums > Linux Forums > Linux - Networking
Old 09-04-2017, 03:53 AM   #1
hack3rcon
Senior Member
 
Registered: Jan 2015
Posts: 1,432

A question about "tcpdump".


Hello.
I would like to monitor all incoming connections to my IP on ports 445 and 139, but I would like to capture both the TCP and UDP protocols. I ran the command below but got an error:
Code:
$ sudo tcpdump -i eth1 tcp and udp and dst host My IP and port 445 and 139
tcpdump: expression rejects all packets
Thank you.

Last edited by hack3rcon; 09-04-2017 at 04:01 AM.
 
Old 09-04-2017, 04:15 AM   #2
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,219
Blog Entries: 3

Remember the correct precedence for each operation. Logical AND and OR are not the same.

Code:
sudo tcpdump -i eth1 tcp and udp and dst host MyIP and \( port 445 or port 139 \)
Besides, a packet cannot be on both port 445 and port 139 at the same time.

Edit: see post #3 below

Last edited by Turbocapitalist; 09-04-2017 at 08:54 AM.
 
Old 09-04-2017, 07:34 AM   #3
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,333

Quote:
Originally Posted by Turbocapitalist
Remember the correct precedence for each operation. Logical AND and OR are not the same.

Code:
sudo tcpdump -i eth1 tcp and udp and dst host MyIP and \( port 445 or port 139 \)
Besides, a packet cannot be on both port 445 and port 139 at the same time.
Nor can it simultaneously be both a TCP and a UDP packet. How about:
Code:
sudo tcpdump -i eth1 dst host MyIP and \( tcp or udp \) and  \( port 445 or port 139 \)
 
Old 09-06-2017, 02:10 AM   #4
hack3rcon
Senior Member
 
Registered: Jan 2015
Posts: 1,432

Original Poster
Quote:
Originally Posted by Ser Olmy
Nor can it simultaneously be both a TCP and a UDP packet. How about:
Code:
sudo tcpdump -i eth1 dst host MyIP and \( tcp or udp \) and  \( port 445 or port 139 \)
Thank you, but what about the protocols? A port can use both protocols.
 
Old 09-06-2017, 03:44 AM   #5
pan64
LQ Addict
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 21,563

What is your problem with that tcpdump command? The protocol can be either tcp or udp, and the port can be either 445 or 139.
 
Old 09-06-2017, 07:50 AM   #6
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,333

Quote:
Originally Posted by hack3rcon
Thank you, but what about the protocols? A port can use both protocols.
It's the other way around: both protocols use ports, but that's about the extent of the similarities between TCP and UDP.

TCP and UDP are different sockets. An application may decide to use either or both, but they produce/require different packets. A packet cannot be both TCP and UDP, in the same way that it can't have two destination addresses.
 
Old 09-12-2017, 02:53 AM   #7
hack3rcon
Senior Member
 
Registered: Jan 2015
Posts: 1,432

Original Poster
Quote:
Originally Posted by pan64
What is your problem with that tcpdump command? The protocol can be either tcp or udp, and the port can be either 445 or 139.
For example, on Windows, SMB is used:
  • Directly over TCP, port 445;
  • Via the NetBIOS API, which in turn can run on several transports: On UDP ports 137, 138 & TCP ports 137, 139 (NetBIOS over TCP/IP); On several legacy protocols such as NBF, IPX/SPX.
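Added example, not from any poster in this thread: a small Python model of how the pcap filter language evaluates the expressions discussed in posts #1, #2 and #3, run over constructed sample packets. It is not tcpdump itself (real filters compile to BPF, and tcpdump reports "expression rejects all packets" when libpcap's optimizer reduces the filter to a constant false, which is exactly what `tcp and udp` does), but the boolean rules are the same. The address 192.0.2.10 stands in for "MyIP", the sample traffic is made up, and the last filter is an assumption about what the original poster wants, built from the SMB/NetBIOS port list in post #7.

```python
from dataclasses import dataclass

MY_IP = "192.0.2.10"  # placeholder standing in for "MyIP" in the thread


@dataclass(frozen=True)
class Packet:
    """A captured datagram carries exactly one transport protocol."""
    proto: str   # "tcp" or "udp" (or anything else, e.g. "icmp")
    src: str
    dst: str
    sport: int
    dport: int


def tcp(pkt: Packet) -> bool:
    return pkt.proto == "tcp"


def udp(pkt: Packet) -> bool:
    return pkt.proto == "udp"


def dst_host(pkt: Packet, ip: str) -> bool:
    return pkt.dst == ip


def port(pkt: Packet, n: int) -> bool:
    """pcap-filter 'port N': true if EITHER the source or the destination port is N."""
    return pkt.proto in ("tcp", "udp") and n in (pkt.sport, pkt.dport)


# Post #1: tcp and udp and dst host MyIP and port 445 and port 139
def filter_post1(pkt: Packet) -> bool:
    return (tcp(pkt) and udp(pkt) and dst_host(pkt, MY_IP)
            and port(pkt, 445) and port(pkt, 139))


# Post #2: fixes the port grouping but still demands tcp AND udp
def filter_post2(pkt: Packet) -> bool:
    return (tcp(pkt) and udp(pkt) and dst_host(pkt, MY_IP)
            and (port(pkt, 445) or port(pkt, 139)))


# Post #3: dst host MyIP and (tcp or udp) and (port 445 or port 139)
def filter_post3(pkt: Packet) -> bool:
    return (dst_host(pkt, MY_IP) and (tcp(pkt) or udp(pkt))
            and (port(pkt, 445) or port(pkt, 139)))


# Assumed extension using post #7's port list: SMB on TCP 445/139,
# NetBIOS name/datagram services on UDP 137/138.
def filter_smb_netbios(pkt: Packet) -> bool:
    return dst_host(pkt, MY_IP) and (
        (tcp(pkt) and (port(pkt, 445) or port(pkt, 139)))
        or (udp(pkt) and (port(pkt, 137) or port(pkt, 138)))
    )


# Constructed sample traffic (not a real capture)
SAMPLE = [
    Packet("tcp", "198.51.100.7", MY_IP, 50123, 445),        # SMB directly over TCP
    Packet("tcp", "198.51.100.7", MY_IP, 50124, 139),        # NetBIOS session service
    Packet("udp", "198.51.100.8", MY_IP, 137, 137),          # NetBIOS name service
    Packet("udp", "198.51.100.8", MY_IP, 138, 138),          # NetBIOS datagram service
    Packet("tcp", "198.51.100.9", MY_IP, 50125, 22),         # unrelated SSH
    Packet("tcp", MY_IP, "198.51.100.7", 50126, 445),        # outbound SMB, not dst host
    Packet("udp", "198.51.100.8", "192.0.2.99", 137, 137),   # addressed to another host
]


def count_matches(flt, packets=SAMPLE) -> int:
    """Number of sample packets the filter would let through."""
    return sum(1 for p in packets if flt(p))


def rejects_all(flt, packets=SAMPLE) -> bool:
    """True when the filter passes nothing, like tcpdump's 'expression rejects all packets'."""
    return count_matches(flt, packets) == 0


if __name__ == "__main__":
    for name, flt in [("post #1", filter_post1), ("post #2", filter_post2),
                      ("post #3", filter_post3), ("smb+netbios", filter_smb_netbios)]:
        print(f"{name:12s} matches {count_matches(flt)} of {len(SAMPLE)} packets")
```

Because `port N` matches either endpoint, the post #3 filter also passes replies whose source port is 445 or 139 when they happen to be addressed to MyIP; someone monitoring only inbound connection attempts would tighten it to `dst port`, which is a further narrowing not discussed in the thread.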
 
Old 09-12-2017, 03:36 AM   #8
pan64
LQ Addict
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 21,563

Still don't understand what you need.