Date: Thu, 29 Jun 1995 15:06:00 PDT
From: Bill Fenner <fenner@parc.xerox.com>
To: Network Coordinator <nc@ai.net>
Cc: questions@freebsd.org
Subject: Re: BPF and tcpdump.
Message-ID: <95Jun29.150603pdt.49860@crevenia.parc.xerox.com>
In-Reply-To: Your message of "Wed, 28 Jun 95 21:08:48 PDT." <Pine.BSF.3.91.950629000754.5236A-100000@aries.ai.net>
In message <Pine.BSF.3.91.950629000754.5236A-100000@aries.ai.net> you write:
>Is there any way to get tcpdump to match across the contents of a packet
>instead of the header,

If you are simply looking for a byte pattern, then you can use the offset of the bytes from the start of the IP header. For example, when I want to look for multicast traceroute packets, I use:

    tcpdump -x 'ip proto 2 and ( ip[20] == 0x1f or ip[20] == 0x1e )'

since the IGMP type field is 20 bytes away from the IP header.

> and more importantly [even if it can't] is there a
>way to get it to print the entire contents of packet flow instead of just
>headers?

'-x' prints out a hex dump, '-s' increases the amount of data captured (normally it only captures enough to be able to print out packet headers.)

"man tcpdump" helps a lot.

  Bill
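The offset match described in the message above, as an added example that is not part of the original e-mail: Python that applies the same test to constructed IPv4 packets, and goes one step further with a header-length-aware variant, `ip[(ip[0] & 0xf) << 2]`, for packets that carry IP options and so do not have the IGMP type at byte 20. Function names, addresses and sample packets are constructed for illustration.

```python
import struct

IPPROTO_IGMP = 2
MTRACE_TYPES = {0x1F, 0x1E}  # the two IGMP type values used in the message

def build_ipv4(proto, payload, options=b""):
    """Constructed IPv4 packet; checksum left at 0 because nothing here checks it."""
    if len(options) % 4:
        raise ValueError("IP options must be padded to a multiple of 4 bytes")
    ihl = 5 + len(options) // 4                      # header length in 32-bit words
    header = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl, 0, ihl * 4 + len(payload), 0, 0, 1,
                         proto, 0,
                         bytes([192, 0, 2, 1]),      # documentation address (constructed)
                         bytes([224, 0, 0, 2]))
    return header + options + payload

def match_fixed_offset(pkt):
    """Equivalent of: ip proto 2 and (ip[20] == 0x1f or ip[20] == 0x1e)"""
    return len(pkt) > 20 and pkt[9] == IPPROTO_IGMP and pkt[20] in MTRACE_TYPES

def match_ihl_aware(pkt):
    """Equivalent of the same test with ip[(ip[0] & 0xf) << 2] as the index."""
    if len(pkt) < 20 or pkt[9] != IPPROTO_IGMP:
        return False
    off = (pkt[0] & 0x0F) << 2                       # IHL field gives the real header size
    return off >= 20 and len(pkt) > off and pkt[off] in MTRACE_TYPES

def classify():
    """Run both matchers over four constructed packets."""
    router_alert = bytes([0x94, 0x04, 0x00, 0x00])   # 4-byte Router Alert IP option
    samples = {
        "mtrace, no options": build_ipv4(IPPROTO_IGMP, bytes([0x1F]) + bytes(7)),
        "mtrace, with IP option": build_ipv4(IPPROTO_IGMP, bytes([0x1E]) + bytes(7),
                                             options=router_alert),
        "other IGMP type": build_ipv4(IPPROTO_IGMP, bytes([0x11]) + bytes(7)),
        "UDP, payload starts 0x1f": build_ipv4(17, bytes([0x1F]) + bytes(7)),
    }
    return {name: (match_fixed_offset(p), match_ihl_aware(p))
            for name, p in samples.items()}

if __name__ == "__main__":
    for name, (fixed, aware) in classify().items():
        print(f"{name:26s} fixed-offset={fixed!s:5s} ihl-aware={aware}")
```

Both matchers also return false when the captured packet is too short to contain the indexed byte, which is where the '-s' snapshot length matters.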