From owner-freebsd-hackers@FreeBSD.ORG  Sun Jan  4 20:54:22 2009
Return-Path: <owner-freebsd-hackers@FreeBSD.ORG>
Delivered-To: hackers@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 9A11B1065675
	for <hackers@freebsd.org>; Sun,  4 Jan 2009 20:54:22 +0000 (UTC)
	(envelope-from kitchetech@gmail.com)
Received: from mail-bw0-f19.google.com (mail-bw0-f19.google.com
	[209.85.218.19])
	by mx1.freebsd.org (Postfix) with ESMTP id E4D018FC12
	for <hackers@freebsd.org>; Sun,  4 Jan 2009 20:54:21 +0000 (UTC)
	(envelope-from kitchetech@gmail.com)
Received: by bwz12 with SMTP id 12so19160706bwz.19
	for <hackers@freebsd.org>; Sun, 04 Jan 2009 12:54:20 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma;
	h=domainkey-signature:received:received:message-id:date:from:to
	:subject:cc:in-reply-to:mime-version:content-type:references;
	bh=OfRMldUykQcs56jpfic5xeEgqVEJuTUfyVoVus1CdC0=;
	b=s7iUh1YU3y4lwNTMUvjMsiiNshmKawpC2p9TlWirxvMDvMY87O0uFZ1RhLHL9E2y96
	9Q/H2vbmQwhHYwjCkqxxByrYH22AYT2RozEUJTcBuVQYa3DtPY09gCYa21inqLMF1a6s
	zFXL3rb3oPAra7i27IeR+4libiJQzttb4JcCw=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma;
	h=message-id:date:from:to:subject:cc:in-reply-to:mime-version
	:content-type:references;
	b=fLS9xQOEJAhN1ZjUPs16MMjiBNsYw0ZCFVIiWtODM4KyCXaDYDcVWFYrJang3fqFFE
	Heub/SfuajZ3imzxhVP1PtEO5DX5kOYzg8YysEyeGCiptvhpdd++Woqe+d9BYx0DHqjV
	/EHBwBheQAtRFvyTec2u0kJ84UM1cZwXXLW+o=
Received: by 10.181.197.1 with SMTP id z1mr7793145bkp.118.1231100596607;
	Sun, 04 Jan 2009 12:23:16 -0800 (PST)
Received: by 10.181.14.6 with HTTP; Sun, 4 Jan 2009 12:23:16 -0800 (PST)
Message-ID: <28283d910901041223x7210db5lcf8df9ef5f1da56b@mail.gmail.com>
Date: Sun, 4 Jan 2009 15:23:16 -0500
From: "matt donovan" <kitchetech@gmail.com>
To: "Eugene Grosbein" <eugen@kuzbass.ru>
In-Reply-To: <20090104155638.GA76773@svzserv.kemerovo.su>
MIME-Version: 1.0
References: <179479624.20090104160500@yandex.ru>
	<20090104155638.GA76773@svzserv.kemerovo.su>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
X-Content-Filtered-By: Mailman/MimeDel 2.1.5
Cc: KES <kes-kes@yandex.ru>, hackers@freebsd.org
Subject: Re: tcpdump filter for out/in traffic
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
	<freebsd-hackers.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>, 
	<mailto:freebsd-hackers-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-hackers>
List-Post: <mailto:freebsd-hackers@freebsd.org>
List-Help: <mailto:freebsd-hackers-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>,
	<mailto:freebsd-hackers-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 04 Jan 2009 20:54:23 -0000

On Sun, Jan 4, 2009 at 10:56 AM, Eugene Grosbein <eugen@kuzbass.ru> wrote:

> On Sun, Jan 04, 2009 at 04:05:00PM +0200, KES wrote:
>
> > There will be very usefull to have options for tcpdump to monitor
> > incomint or outgoing traffic regardless of src/dst IPs or ports or
> protocol
> >
> > For example:
> >
> > kes# tcpdump -n -i rl4 out
> > EXPECTED: show traffic outgoing on rl4
> > ACTUAL: tcpdump: syntax error
> >
> > kes# tcpdump -n -i rl4 in
> > EXPECTED: show traffic incoming on rl4
> > ACTUAL: tcpdump: syntax error
>
> Hi!
>
> I use following trick for that:
>
> tcpdump -n -p -i rl4 ether src me-rl4     # for outgoing
> tcpdump -n -p -i tl4 not ether src me-rl4 # for incoming
>
> And add MAC-address of rl4 to /etc/ethers with name 'me-rl4'
> or just 'me' if you need not watch other interfaces this way.
>
> Eugene Grosbein
> _______________________________________________
> freebsd-hackers@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"
>

don't even need an option you just have to filter the traffic correctly
using tcpdump which Eugene already point out