From owner-freebsd-hackers@FreeBSD.ORG  Sun Jan  4 16:26:17 2009
Return-Path: <owner-freebsd-hackers@FreeBSD.ORG>
Delivered-To: hackers@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 33DB51065688
	for <hackers@freebsd.org>; Sun,  4 Jan 2009 16:26:17 +0000 (UTC)
	(envelope-from eugen@kuzbass.ru)
Received: from www.svzserv.kemerovo.su (www.svzserv.kemerovo.su
	[213.184.65.80])
	by mx1.freebsd.org (Postfix) with ESMTP id 92CD58FC18
	for <hackers@freebsd.org>; Sun,  4 Jan 2009 16:26:16 +0000 (UTC)
	(envelope-from eugen@kuzbass.ru)
Received: from www.svzserv.kemerovo.su (eugen@localhost [127.0.0.1])
	by www.svzserv.kemerovo.su (8.13.8/8.13.8) with ESMTP id n04FucOV077032;
	Sun, 4 Jan 2009 22:56:38 +0700 (KRAT)
	(envelope-from eugen@www.svzserv.kemerovo.su)
Received: (from eugen@localhost)
	by www.svzserv.kemerovo.su (8.13.8/8.13.8/Submit) id n04FucD1077031;
	Sun, 4 Jan 2009 22:56:38 +0700 (KRAT) (envelope-from eugen)
Date: Sun, 4 Jan 2009 22:56:38 +0700
From: Eugene Grosbein <eugen@kuzbass.ru>
To: KES <kes-kes@yandex.ru>
Message-ID: <20090104155638.GA76773@svzserv.kemerovo.su>
References: <179479624.20090104160500@yandex.ru>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <179479624.20090104160500@yandex.ru>
User-Agent: Mutt/1.4.2.3i
X-Mailman-Approved-At: Sun, 04 Jan 2009 17:01:47 +0000
Cc: hackers@freebsd.org
Subject: Re: tcpdump filter for out/in traffic
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
	<freebsd-hackers.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>, 
	<mailto:freebsd-hackers-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-hackers>
List-Post: <mailto:freebsd-hackers@freebsd.org>
List-Help: <mailto:freebsd-hackers-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>,
	<mailto:freebsd-hackers-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 04 Jan 2009 16:26:17 -0000

On Sun, Jan 04, 2009 at 04:05:00PM +0200, KES wrote:

> There will be very usefull to have options for tcpdump to monitor
> incomint or outgoing traffic regardless of src/dst IPs or ports or protocol
> 
> For example:
> 
> kes# tcpdump -n -i rl4 out
> EXPECTED: show traffic outgoing on rl4
> ACTUAL: tcpdump: syntax error
> 
> kes# tcpdump -n -i rl4 in
> EXPECTED: show traffic incoming on rl4
> ACTUAL: tcpdump: syntax error

Hi!

I use following trick for that:

tcpdump -n -p -i rl4 ether src me-rl4     # for outgoing
tcpdump -n -p -i tl4 not ether src me-rl4 # for incoming

And add MAC-address of rl4 to /etc/ethers with name 'me-rl4'
or just 'me' if you need not watch other interfaces this way.

Eugene Grosbein