From owner-freebsd-questions Fri Jun 23 21:27:48 2000
Date: Fri, 23 Jun 2000 21:25:59 -0700
From: "Crist J. Clark"
To: freebsd-questions@freebsd.org
Subject: tcpdump(8) Strangeness
Message-ID: <20000623212558.G481@dialin-client.earthlink.net>
Reply-To: cjclark@alum.mit.edu

OK, I wanted to keep an eye on traffic coming and going from my notebook.
I was planning on using the web while I collected data, and since that
was expected data that would just spam up the logs, I thought I would
drop it. Well, tcpdump(8) is acting strange. The manpage says,

    port [port]
        True if either the source or destination port of the packet
        is [port].

However, after things acted strange I tried two commands,

    # tcpdump '! port 80'
    # tcpdump 'port 80'

And I got curious results (both snipped after 10 packets),

    # tcpdump '! port 80'
    21:12:31.798417 204.71.201.166.http > 209.179.253.198.1090: S 3625884681:3625884681(0) ack 1541153420 win 17520 (DF)
    21:12:32.489061 204.71.201.166.http > 209.179.253.198.1090: . 1:1461(1460) ack 368 win 17520 (DF)
    21:12:32.878815 204.71.201.166.http > 209.179.253.198.1090: . 1461:2921(1460) ack 368 win 17520 (DF)
    21:12:33.008944 204.71.201.166.http > 209.179.253.198.1090: FP 4381:4757(376) ack 368 win 17520 (DF)
    21:12:33.618923 204.71.201.166.http > 209.179.253.198.1090: . 2921:4381(1460) ack 368 win 17520 (DF)
    21:12:33.638862 204.178.123.174.http > 209.179.253.198.1089: R 3717182891:3717182891(0) win 0
    21:12:33.639305 204.178.123.174.http > 209.179.253.198.1089: R 3717182891:3717182891(0) win 0
    21:12:33.648495 204.178.123.174.http > 209.179.253.198.1091: S 3762683078:3762683078(0) ack 1541446130 win 32120 (DF)
    21:12:34.108394 204.71.201.166.http > 209.179.253.198.1090: . ack 369 win 17520 (DF)
    21:12:34.298451 204.178.123.174.http > 209.179.253.198.1091: . ack 458 win 31663 (DF)

    # tcpdump 'port 80'
    21:12:31.618606 209.179.253.198.1090 > 204.71.201.166.http: S 1541153419:1541153419(0) win 16384 (DF)
    21:12:31.798629 209.179.253.198.1090 > 204.71.201.166.http: . ack 3625884682 win 17520 (DF)
    21:12:31.801224 209.179.253.198.1090 > 204.71.201.166.http: P 0:367(367) ack 1 win 17520 (DF)
    21:12:32.587996 209.179.253.198.1090 > 204.71.201.166.http: . ack 1461 win 17520 (DF)
    21:12:32.699875 209.179.253.198.1089 > 204.178.123.174.http: P 1534229874:1534230331(457) ack 3717182891 win 17520 (DF)
    21:12:32.702677 209.179.253.198.1089 > 204.178.123.174.http: F 457:457(0) ack 1 win 17520 (DF)
    21:12:32.704803 209.179.253.198.1091 > 204.178.123.174.http: S 1541446129:1541446129(0) win 16384 (DF)
    21:12:32.978003 209.179.253.198.1090 > 204.71.201.166.http: . ack 2921 win 17520 (DF)
    21:12:33.009121 209.179.253.198.1090 > 204.71.201.166.http: . ack 2921 win 17520 (DF)
    21:12:33.619149 209.179.253.198.1090 > 204.71.201.166.http: . ack 4758 win 15684 (DF)

It looks as if tcpdump(8) cannot evaluate the port of the source packet.
In fact, if I run,

    # tcpdump 'src port 80'

I get complete silence. Does tcpdump not like tun0 or ppp?
-- 
Crist J. Clark                           cjclark@alum.mit.edu
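An added example, not part of the original post, that checks a tcpdump(8) text capture against the manpage semantics of the filter it was taken with: it parses the printed lines, applies "port N" as "source or destination port is N", lists the packets the filter should have dropped, and counts packets by direction relative to the capturing host. The sample lines are taken from the post plus one constructed DNS line; the service-name table is an assumption limited to the names that appear.

```python
import re
from collections import Counter

# Service names tcpdump printed as ports (assumed table, extend as needed).
SERVICES = {"http": 80, "domain": 53}

# One tcpdump text line: "HH:MM:SS.us SRC.port > DST.port: ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\w+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\w+):"
)

# Lines from the '! port 80' capture in the post, plus one constructed DNS line.
NOT_PORT_80_LINES = [
    "21:12:31.798417 204.71.201.166.http > 209.179.253.198.1090: S 3625884681:3625884681(0) ack 1541153420 win 17520 (DF)",
    "21:12:33.638862 204.178.123.174.http > 209.179.253.198.1089: R 3717182891:3717182891(0) win 0",
    "21:12:35.000000 192.0.2.10.domain > 209.179.253.198.1092: 4321 1/0/0 A 192.0.2.20 (60)",  # constructed
]
# Lines from the 'port 80' capture in the post.
PORT_80_LINES = [
    "21:12:31.618606 209.179.253.198.1090 > 204.71.201.166.http: S 1541153419:1541153419(0) win 16384 (DF)",
    "21:12:32.699875 209.179.253.198.1089 > 204.178.123.174.http: P 1534229874:1534230331(457) ack 3717182891 win 17520 (DF)",
]

def port_number(token):
    """Turn 'http' or '1090' into an integer port."""
    return SERVICES[token] if token in SERVICES else int(token)

def parse_line(line):
    """Parse one tcpdump line into a dict; None for lines that are not IP traffic."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": m["ts"], "src": m["src"], "sport": port_number(m["sport"]),
            "dst": m["dst"], "dport": port_number(m["dport"])}

def port_matches(pkt, port):
    """tcpdump(8) semantics of 'port N': true if the source OR destination port is N."""
    return pkt["sport"] == port or pkt["dport"] == port

def filter_leaks(lines, port, negated):
    """Packets that 'port N' (negated=False) or '! port N' (negated=True) should have dropped."""
    pkts = [p for p in map(parse_line, lines) if p]
    return [p for p in pkts if port_matches(p, port) == negated]

def direction_counts(lines, host):
    """Count parsed packets as outbound (sent by host) or inbound (sent to host)."""
    counts = Counter()
    for p in filter(None, map(parse_line, lines)):
        counts["outbound" if p["src"] == host else "inbound"] += 1
    return counts
```

Run against the two captures, the leak list for '! port 80' holds every HTTP line while 'port 80' leaks nothing, and the direction counts show each capture contains only one direction, which is the asymmetry the post describes.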