From: "Daniel O'Connor"
To: freebsd-hackers@freebsd.org
Cc: KES, hackers@freebsd.org, Eugene Grosbein
Date: Mon, 5 Jan 2009 09:54:00 +1030
Subject: Re: tcpdump filter for out/in traffic

On Monday 05 January 2009 02:26:38 Eugene Grosbein wrote:
> On Sun, Jan 04, 2009 at 04:05:00PM +0200, KES wrote:
> > It would be very useful to have options for tcpdump to monitor
> > incoming or outgoing traffic regardless of src/dst IPs or ports or
> > protocol
> >
> > For example:
> >
> > kes# tcpdump -n -i rl4 out
> > EXPECTED: show traffic outgoing on rl4
> > ACTUAL: tcpdump: syntax error
> >
> > kes# tcpdump -n -i rl4 in
> > EXPECTED: show traffic incoming on rl4
> > ACTUAL: tcpdump: syntax error
>
> Hi!
>
> I use the following trick for that:
>
> tcpdump -n -p -i rl4 ether src me-rl4 # for outgoing
> tcpdump -n -p -i tl4 not ether src me-rl4 # for incoming
>
> And add the MAC address of rl4 to /etc/ethers with the name 'me-rl4'
> or just 'me' if you need not watch other interfaces this way.

I think it's more a question for the tcpdump maintainers.

Also, in & out don't necessarily mean traffic from your MAC address or the
inverse. E.g. if you are running a bridge then in & out will mean something
different.

-- 
Daniel O'Connor software and network engineer
for Genesis Software - http://www.gsoft.com.au
"The nice thing about standards is that there
are so many of them to choose from."
  -- Andrew Tanenbaum
GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C
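
The bridge caveat above, worked through as an added example that is not part of the original thread: it applies the same source-MAC test as the `ether src me-rl4` filters to constructed Ethernet frames and reports where the guessed direction differs from the real one. The MAC addresses, sample frames and function names are assumptions made for illustration.

```python
import struct

def mac_bytes(text):
    """Convert 'aa:bb:cc:dd:ee:ff' to 6 raw bytes."""
    raw = bytes(int(part, 16) for part in text.split(":"))
    if len(raw) != 6:
        raise ValueError("not a 48-bit MAC: %r" % text)
    return raw

def build_frame(dst, src, ethertype=0x0800, payload=b""):
    """Construct a minimal Ethernet II frame (sample data for this example)."""
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload

def direction_by_src_mac(frame, iface_mac):
    """Same test as 'ether src me-rl4' (out) / 'not ether src me-rl4' (in)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    # Bytes 0-5 are the destination MAC, bytes 6-11 the source MAC.
    return "out" if frame[6:12] == mac_bytes(iface_mac) else "in"

# Constructed, locally administered addresses; not taken from the thread.
ME_RL4 = "02:00:00:00:00:01"   # MAC of the capturing interface
PEER = "02:00:00:00:00:02"     # host on the rl4 segment
BEHIND = "02:00:00:00:00:03"   # host on the far side of a bridge

# (description, frame, direction the frame really travelled on rl4)
SAMPLES = [
    ("local host sends to peer", build_frame(PEER, ME_RL4), "out"),
    ("peer sends to local host", build_frame(ME_RL4, PEER), "in"),
    # A bridge forwards frames unchanged, so the source MAC stays BEHIND's.
    ("bridge forwards BEHIND -> PEER out of rl4", build_frame(PEER, BEHIND), "out"),
]

def misclassified(samples, iface_mac):
    """Descriptions of frames whose direction the MAC heuristic gets wrong."""
    return [desc for desc, frame, actual in samples
            if direction_by_src_mac(frame, iface_mac) != actual]

if __name__ == "__main__":
    for desc, frame, actual in SAMPLES:
        guess = direction_by_src_mac(frame, ME_RL4)
        print("%-45s heuristic=%-3s actual=%s" % (desc, guess, actual))
```

Only the bridged frame is misclassified: it leaves through rl4 but still carries the original sender's MAC, so the `not ether src` filter reports it as incoming.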