From: Karol Kwiatkowski
Reply-To: freebsd@orchid.homeunix.org
To: fbsd_user@a1poweruser.com
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: help with tcpdump cmd syntax
Date: Sat, 08 Apr 2006 15:19:24 +0200
Message-ID: <4437B85C.8020408@orchid.homeunix.org>
List-Id: User questions
OpenPGP: id=06E09309; url=http://www.orchid.homeunix.org/carlos/gpg/0x06E09309.asc

On 08/04/2006 14:56, fbsd_user wrote:
> I tried
> tcpdump -i rl0 src host 218.166.163.180 -w /usr/tcpdump.data
> tcpdump -i rl0 host 218.166.163.180 -w /usr/tcpdump.data
> tcpdump -i rl0 src ip 218.166.163.180 -w /usr/tcpdump.data
>
> but got a syntax error msg with no hint of what was wrong.
>
> If I remove the -w stuff it works. Meaning it prints to the screen.
> But I want to write to a file.
>
> Can you help me out here on the syntax error?

Have a look at 'tcpdump -h' (or man, of course). The expression (i.e.
'src host 218.166.163.180') is the last argument. This should work:

tcpdump -i rl0 -w /usr/tcpdump.data src host 218.166.163.180

> One other thing. When does tcpdump get access to the packet?
>
> My firewall has a block log rule for that ip address.
> Does tcpdump see the packet before ipfilter ipnat does?

Yes. I'm not familiar with kernel code, but I can perfectly see all
packets with tcpdump.
HTH,
Karol

-- 
Karol Kwiatkowski
OpenPGP: http://www.orchid.homeunix.org/carlos/gpg/0x06E09309.asc
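With the filter expression moved to the end as Karol shows, `-w` writes a libpcap savefile rather than printing decoded packets. The following is an added example, not part of Karol's reply and not tcpdump's own code: it parses such a savefile (both byte orders, microsecond and nanosecond magic numbers) and reimplements the `src host 218.166.163.180` match in Python, so a capture can be checked offline after the fact. The sample capture is constructed in memory; the Ethernet link type, the zeroed MAC addresses and the use of the two IP addresses from the thread are assumptions made for the demonstration, and the `src host` reimplementation covers only untagged IPv4 frames, which is narrower than tcpdump's own filter.

```python
"""Read a libpcap savefile as written by `tcpdump -w` and filter on source host.

Added example, not code from the original post or from tcpdump. The sample
capture below is constructed in memory so the script runs offline.
"""
import struct
import sys

PCAP_MAGIC_USEC = 0xA1B2C3D4   # timestamps are seconds + microseconds
PCAP_MAGIC_NSEC = 0xA1B23C4D   # timestamps are seconds + nanoseconds
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800


def parse_pcap(data):
    """Yield (timestamp, linktype, packet_bytes) for each record in data.

    tcpdump writes the 24-byte global header in host byte order, so both
    orders and both magic numbers are accepted. Each record is a 16-byte
    header (ts_sec, ts_frac, incl_len, orig_len) followed by incl_len bytes.
    Truncated files and records longer than snaplen raise ValueError.
    """
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    for endian in ("<", ">"):
        magic = struct.unpack(endian + "I", data[:4])[0]
        if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            break
    else:
        raise ValueError("not a pcap file: magic 0x%08x" % struct.unpack("<I", data[:4])[0])
    frac_div = 1e6 if magic == PCAP_MAGIC_USEC else 1e9
    _, _, _, _, _, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    offset = 24
    while offset < len(data):
        if offset + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % offset)
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(
            endian + "IIII", data[offset:offset + 16])
        offset += 16
        if incl_len > snaplen or offset + incl_len > len(data):
            raise ValueError("bad record length at offset %d" % offset)
        yield ts_sec + ts_frac / frac_div, linktype, data[offset:offset + incl_len]
        offset += incl_len


def ipv4_src(linktype, pkt):
    """Dotted source address of an untagged Ethernet/IPv4 frame, else None.

    Only LINKTYPE_ETHERNET and plain IPv4 are handled here (assumption);
    tcpdump's own `src host` also matches IPv6, ARP and VLAN-tagged frames.
    """
    if linktype != LINKTYPE_ETHERNET or len(pkt) < 34:
        return None
    if struct.unpack("!H", pkt[12:14])[0] != ETHERTYPE_IPV4 or pkt[14] >> 4 != 4:
        return None
    return ".".join(str(b) for b in pkt[26:30])   # IP header starts at 14, src at +12


def src_host(data, host):
    """Python equivalent of the filter expression `src host <host>`."""
    return [(ts, pkt) for ts, lt, pkt in parse_pcap(data) if ipv4_src(lt, pkt) == host]


def _eth_ipv4(src, dst, payload=b""):
    """Constructed Ethernet/IPv4 frame: zero MACs, UDP protocol, unchecked checksum."""
    def addr(a):
        return bytes(int(o) for o in a.split("."))
    eth = bytes(12) + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                     addr(src), addr(dst))
    return eth + ip + payload


def build_pcap(frames, endian="<"):
    """Constructed savefile: version 2.4, snaplen 65535, Ethernet link type."""
    out = struct.pack(endian + "IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack(endian + "IIII", 1144500000 + i, 0, len(frame), len(frame)) + frame
    return out


# Constructed sample: two frames from the blocked host, one reply from the LAN host.
SAMPLE_PCAP = build_pcap([
    _eth_ipv4("218.166.163.180", "192.168.1.66"),
    _eth_ipv4("192.168.1.66", "218.166.163.180"),
    _eth_ipv4("218.166.163.180", "192.168.1.66", b"\x00" * 8),
])


if __name__ == "__main__":
    # Usage: python3 pcap_src_host.py /usr/tcpdump.data 218.166.163.180
    path, host = sys.argv[1], sys.argv[2]
    with open(path, "rb") as f:
        matches = src_host(f.read(), host)
    print("%d packet(s) from %s" % (len(matches), host))
```

Run it against the file produced by `tcpdump -i rl0 -w /usr/tcpdump.data src host 218.166.163.180` to confirm the capture contains only that host, or against an unfiltered capture to apply the filter afterwards. The length checks in `parse_pcap` matter when the file comes from an interrupted tcpdump: the last record is often cut short, and a reader that trusts `incl_len` without comparing it to the remaining bytes will read past the end.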