From owner-freebsd-questions Thu Jun 29 15:06:50 1995
Return-Path: questions-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id PAA09365 for questions-outgoing; Thu, 29 Jun 1995 15:06:50 -0700
Received: from alpha.xerox.com (alpha.Xerox.COM [13.1.64.93]) by freefall.cdrom.com (8.6.10/8.6.6) with SMTP id PAA09359 for ; Thu, 29 Jun 1995 15:06:49 -0700
Received: from crevenia.parc.xerox.com ([13.2.116.11]) by alpha.xerox.com with SMTP id <14991(6)>; Thu, 29 Jun 1995 15:06:12 PDT
Received: from localhost by crevenia.parc.xerox.com with SMTP id <49860>; Thu, 29 Jun 1995 15:06:03 -0700
X-Mailer: exmh version 1.6.1 5/23/95
To: Network Coordinator
cc: questions@freebsd.org
Subject: Re: BPF and tcpdump.
In-reply-to: Your message of "Wed, 28 Jun 95 21:08:48 PDT."
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 29 Jun 1995 15:06:00 PDT
From: Bill Fenner
Message-Id: <95Jun29.150603pdt.49860@crevenia.parc.xerox.com>
Sender: questions-owner@freebsd.org
Precedence: bulk

In message you write:
>Is there any way to get tcpdump to match across the contents of a packet
>instead of the header,

If you are simply looking for a byte pattern, then you can use the offset of
the bytes from the start of the IP header. For example, when I want to look
for multicast traceroute packets, I use:

	tcpdump -x ip proto 2 and ( ip[20] == 0x1f or ip[20] == 0x1e )

since the IGMP type field is 20 bytes away from the IP header.

> and more importantly [even if it can't] is there a
>way to get it to print the entire contents of packet flow instead of just
>headers?

'-x' prints out a hex dump, '-s' increases the amount of data captured
(normally it only captures enough to be able to print out packet headers.)

"man tcpdump" helps a lot.

  Bill
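As an added example (not part of Bill's message or of tcpdump itself), the filter quoted above is re-implemented in Python against a constructed IPv4/IGMP packet, so you can see exactly which byte `ip[20]` tests and why the offset is 20: `ip[N]` counts from the start of the IP header, and the IGMP type is the first byte after a 20-byte option-less header. The second matcher does the same test with the payload offset read from the IHL field, which is what you would write in pcap-filter syntax as `ip[(ip[0]&0xf)<<2]`; it shows the one case where the fixed offset silently misses (a header carrying the Router Alert option, RFC 2113). A truncated capture, as a small `-s` would produce, is also shown to fail the match. All packet bytes are constructed here, checksums are left at zero, and the hex dump only approximates the `-x` layout.

```python
import struct

IGMP = 2              # IP protocol number for IGMP ("ip proto 2" in the filter)
MTRACE_QUERY = 0x1F   # IGMP type values named in the mail
MTRACE_RESP = 0x1E

def build_ipv4(proto, payload, options=b""):
    """Build a minimal IPv4 packet. Constructed sample data, not a capture;
    the header checksum is left as zero because nothing here validates it."""
    options += b"\x00" * (-len(options) % 4)       # pad options to 32-bit words
    ihl = (20 + len(options)) // 4                  # header length in words
    hdr = struct.pack("!BBHHHBBH4s4s",
                      (4 << 4) | ihl, 0, 20 + len(options) + len(payload),
                      0, 0, 64, proto, 0,
                      bytes([10, 0, 0, 1]), bytes([224, 0, 0, 2]))
    return hdr + options + payload

def igmp(igmp_type):
    """IGMP message: type, max-resp/code, checksum (zero), group address."""
    return struct.pack("!BBH4s", igmp_type, 0, 0, bytes([224, 0, 0, 2]))

def match_fixed_offset(pkt):
    """Literal reading of the mail's filter:
         ip proto 2 and ( ip[20] == 0x1f or ip[20] == 0x1e )
    ip[N] is byte N counted from the start of the IP header, so ip[20] is the
    first payload byte only when the header carries no options. A reference
    past the captured bytes never matches, which is also how BPF behaves."""
    if len(pkt) < 21:
        return False
    return pkt[9] == IGMP and pkt[20] in (MTRACE_QUERY, MTRACE_RESP)

def match_ihl_aware(pkt):
    """Same test, with the payload offset taken from the IHL field (low nibble
    of ip[0], in 32-bit words). In pcap-filter syntax:
         ip proto 2 and ( ip[(ip[0]&0xf)<<2] == 0x1f or ip[(ip[0]&0xf)<<2] == 0x1e )"""
    if len(pkt) < 10:
        return False
    off = (pkt[0] & 0x0F) << 2
    if len(pkt) <= off:
        return False
    return pkt[9] == IGMP and pkt[off] in (MTRACE_QUERY, MTRACE_RESP)

def hexdump(pkt, width=16):
    """Hex dump in the spirit of 'tcpdump -x' (16-bit groups; layout approximate)."""
    lines = []
    for i in range(0, len(pkt), width):
        chunk = pkt[i:i + width]
        words = " ".join(chunk[j:j + 2].hex() for j in range(0, len(chunk), 2))
        lines.append(f"0x{i:04x}:  {words}")
    return "\n".join(lines)

def demo():
    plain = build_ipv4(IGMP, igmp(MTRACE_QUERY))
    # Same packet with the IP Router Alert option (0x94 0x04 0x00 0x00, RFC 2113):
    # the header grows to 24 bytes, so ip[20] now lands on the option, not the type.
    with_opts = build_ipv4(IGMP, igmp(MTRACE_QUERY), options=b"\x94\x04\x00\x00")
    short_snap = plain[:20]   # what a too-small '-s' would leave of the packet
    return {
        "plain fixed": match_fixed_offset(plain),
        "plain ihl": match_ihl_aware(plain),
        "opts fixed": match_fixed_offset(with_opts),
        "opts ihl": match_ihl_aware(with_opts),
        "truncated fixed": match_fixed_offset(short_snap),
    }

if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name:16s} {hit}")
    print(hexdump(build_ipv4(IGMP, igmp(MTRACE_QUERY))))
```

The practical point is the one the mail's offset trick hides: a fixed `ip[20]` is fine on a LAN where nobody sends IP options, but IGMP in particular is often sent with Router Alert, so the IHL-based form is the one to keep in a saved filter. Raising `-s` matters for the same reason; bytes beyond the snaplen are simply not there for the filter to compare.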