From owner-freebsd-questions  Wed Apr 10 05:07:02 1996
Return-Path: owner-questions
Received: (from root@localhost)
          by freefall.freebsd.org (8.7.3/8.7.3) id FAA28986
          for questions-outgoing; Wed, 10 Apr 1996 05:07:02 -0700 (PDT)
Received: from nixpbe.pdb.sni.de (mail.sni.de [192.109.2.33])
          by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id FAA28981
          for <freebsd-questions@freebsd.org>; Wed, 10 Apr 1996 05:06:53 -0700 (PDT)
Received: (from nerv@localhost) by nixpbe.pdb.sni.de (8.6.12/8.6.12) id OAA27198 for freebsd-questions@freebsd.org; Wed, 10 Apr 1996 14:06:35 +0200
Message-Id: <199604101206.OAA27198@nixpbe.pdb.sni.de>
Subject: Re: Violently pulling out my hair
To: branson@longstreet.larc.nasa.gov (Branson Matheson)
Date: Wed, 10 Apr 96 14:03:00 MET DST
From: Greg Lehey <lehey.pad@sni.de>
Cc: lehey.pad@sni.de, freebsd-questions@freebsd.org
In-Reply-To: <199604101204.IAA12187@longstreet.larc.nasa.gov>; from "Branson Matheson" at Apr 10, 96 8:04 am
X-Mailer: xmail 2.4 (based on ELM 2.2 PL16)
Sender: owner-questions@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>>> Allright so next i tried...
>>>
>>> 	branson@garion #tcpdump ether host 08:00:09:d4:65:ff
>>> 	tcpdump: ethernet address used in non-ether expression
>>>
>>> This is really frustrating.. can any one help?
>>
>> This looks to me like tcpdump is going for the wrong interface.  The
>> message tells you that you can only use this option on an Ethernet
>> or FDDI interface.  Assuming that you are really trying to trace an
>> Ethernet interface (say, ed0), try:
>>
>> tcpdump -i ed0 ether host 08:00:09:d4:65:ff
>
>  That did work.. thanks... I am not sure why it needs the ethernet
> interface to be specified... but I will do it in the future.

RTFM.  By default, tcpdump goes for the first network interface it
finds.  In almost every installation, this is the only ethernet
interface.  In your case, it obviously isn't.  Try:

$ netstat -i
Name  Mtu   Network     Address            Ipkts Ierrs    Opkts Oerrs  Coll
ed0   1500  <Link>00.00.c0.bc.55.7d     27876404     0 33199370     0 1359110
ed0   1500  204.216.27  freefall.FreeBS 27876404     0 33199370     0 1359110
lo0   16384 <Link>                         69899     0    69899     0     0
lo0   16384 your-net    localhost.cdrom    69899     0    69899     0     0
ppp0* 1500  <Link>                             0     0        0     0     0
ppp1* 1500  <Link>                             0     0        0     0     0
sl0   552   <Link>                        427566    29   423782     5     0
sl0   552   204.216.27. jkh-sl0-f.cdrom   427566    29   423782     5     0
sl1*  552   <Link>                             0     0        0     0     0

The example is from freefall.  I'd guess that your system will show
another interface before the internet interface.

Greg