Date: Fri, 23 Jun 2000 21:25:59 -0700
From: "Crist J. Clark" <cristjc@earthlink.net>
To: freebsd-questions@freebsd.org
Subject: tcpdump(8) Strangeness
Message-ID: <20000623212558.G481@dialin-client.earthlink.net>
OK, I wanted to keep an eye on traffic coming and going from my notebook. I was planning on using the web while I collected data, and since that was expected data that would just spam up the logs, I thought I would drop it. Well, tcpdump(8) is acting strange. The manpage says,

    port [port]
        True if either the source or destination port of the packet is [port].

However, after things acted strange I tried two commands,

    # tcpdump '! port 80'
    # tcpdump 'port 80'

And I got curious results (both snipped after 10 packets),

    # tcpdump '! port 80'
    21:12:31.798417 204.71.201.166.http > 209.179.253.198.1090: S 3625884681:3625884681(0) ack 1541153420 win 17520 <mss 1460> (DF)
    21:12:32.489061 204.71.201.166.http > 209.179.253.198.1090: . 1:1461(1460) ack 368 win 17520 (DF)
    21:12:32.878815 204.71.201.166.http > 209.179.253.198.1090: . 1461:2921(1460) ack 368 win 17520 (DF)
    21:12:33.008944 204.71.201.166.http > 209.179.253.198.1090: FP 4381:4757(376) ack 368 win 17520 (DF)
    21:12:33.618923 204.71.201.166.http > 209.179.253.198.1090: . 2921:4381(1460) ack 368 win 17520 (DF)
    21:12:33.638862 204.178.123.174.http > 209.179.253.198.1089: R 3717182891:3717182891(0) win 0
    21:12:33.639305 204.178.123.174.http > 209.179.253.198.1089: R 3717182891:3717182891(0) win 0
    21:12:33.648495 204.178.123.174.http > 209.179.253.198.1091: S 3762683078:3762683078(0) ack 1541446130 win 32120 <mss 1460> (DF)
    21:12:34.108394 204.71.201.166.http > 209.179.253.198.1090: . ack 369 win 17520 (DF)
    21:12:34.298451 204.178.123.174.http > 209.179.253.198.1091: . ack 458 win 31663 (DF)

    # tcpdump 'port 80'
    21:12:31.618606 209.179.253.198.1090 > 204.71.201.166.http: S 1541153419:1541153419(0) win 16384 <mss 1460> (DF)
    21:12:31.798629 209.179.253.198.1090 > 204.71.201.166.http: . ack 3625884682 win 17520 (DF)
    21:12:31.801224 209.179.253.198.1090 > 204.71.201.166.http: P 0:367(367) ack 1 win 17520 (DF)
    21:12:32.587996 209.179.253.198.1090 > 204.71.201.166.http: . ack 1461 win 17520 (DF)
    21:12:32.699875 209.179.253.198.1089 > 204.178.123.174.http: P 1534229874:1534230331(457) ack 3717182891 win 17520 (DF)
    21:12:32.702677 209.179.253.198.1089 > 204.178.123.174.http: F 457:457(0) ack 1 win 17520 (DF)
    21:12:32.704803 209.179.253.198.1091 > 204.178.123.174.http: S 1541446129:1541446129(0) win 16384 <mss 1460> (DF)
    21:12:32.978003 209.179.253.198.1090 > 204.71.201.166.http: . ack 2921 win 17520 (DF)
    21:12:33.009121 209.179.253.198.1090 > 204.71.201.166.http: . ack 2921 win 17520 (DF)
    21:12:33.619149 209.179.253.198.1090 > 204.71.201.166.http: . ack 4758 win 15684 (DF)

It looks as if tcpdump(8) cannot evaluate the port of the source packet. In fact, if I run,

    # tcpdump 'src port 80'

I get complete silence. Does tcpdump not like tun0 or ppp?

-- 
Crist J. Clark
cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
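A way to sanity-check a tcpdump text capture against the filter it was run with, added here as an example (it is not code from the post, from FreeBSD or from tcpdump): it parses the printed source and destination ports and returns the lines the filter expression should have excluded. The service-name table and the supported filter subset ('[!] [src|dst] port N') are assumptions; run over the '! port 80' output above, it flags every line, because each one has source port 80.

```python
import re

# Service names tcpdump prints in place of port numbers (assumed subset).
SERVICES = {"http": 80, "https": 443, "ssh": 22, "smtp": 25, "domain": 53}

# "<timestamp> <src-ip>.<sport> > <dst-ip>.<dport>: ..." as printed in the post.
LINE_RE = re.compile(
    r"^\S+\s+(\d+(?:\.\d+){3})\.(\w+)\s+>\s+(\d+(?:\.\d+){3})\.(\w+):")

def _port(token):
    """Turn a port token ('80' or 'http') into a number."""
    return int(token) if token.isdigit() else SERVICES[token]

def parse_line(line):
    """Return (src_ip, src_port, dst_ip, dst_port), or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src_ip, sport, dst_ip, dport = m.groups()
    return src_ip, _port(sport), dst_ip, _port(dport)

def matches(filter_expr, pkt):
    """Evaluate the filter subset from the post: '[!] [src|dst] port <port>'."""
    toks = filter_expr.split()
    negate = toks[0] == "!"
    toks = toks[int(negate):]                      # drop the '!' if present
    direction = toks[0] if toks[0] in ("src", "dst") else None
    toks = toks[int(direction is not None):]       # drop 'src'/'dst' if present
    assert toks[0] == "port", "unsupported filter: " + filter_expr
    port = _port(toks[1])
    _, sport, _, dport = pkt
    hit = {"src": sport == port, "dst": dport == port,
           None: sport == port or dport == port}[direction]
    return hit != negate

def check_capture(filter_expr, lines):
    """Return the printed lines that filter_expr should NOT have let through."""
    bad = []
    for ln in lines:
        pkt = parse_line(ln)
        if pkt is not None and not matches(filter_expr, pkt):
            bad.append(ln)
    return bad

# Two lines copied from the '! port 80' run in the post: both have source port http (80).
NOT_PORT_80 = [
    "21:12:31.798417 204.71.201.166.http > 209.179.253.198.1090: S 3625884681:3625884681(0) ack 1541153420 win 17520 <mss 1460> (DF)",
    "21:12:33.638862 204.178.123.174.http > 209.179.253.198.1089: R 3717182891:3717182891(0) win 0",
]
```

`check_capture("! port 80", NOT_PORT_80)` returns both lines, which is exactly the mismatch between the manpage wording and the output above.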