From owner-freebsd-questions@FreeBSD.ORG Sun Nov 4 06:49:25 2007
From: Doug Hardie
Date: Sat, 3 Nov 2007 23:20:33 -0700
To: deeptech71@gmail.com
Cc: freebsd-questions@freebsd.org
Subject: Re: reverse grep
In-Reply-To: <472D2FFB.5050204@gmail.com>
Message-Id: <5F99BE99-A5BA-4B07-83C1-5EE57C12E9F9@lafn.org>

On Nov 3, 2007, at 19:35, deeptech71@gmail.com wrote:

> heh
> I've read (kind of skimmed) the grep man page but I seem to have
> missed the -v for some reason ^^

The use of grep -v will work as long as the tcpdump output is limited to one line per packet. However, some of the tcpdump options produce multiple lines per packet. Those will appear to be jumbled as the initial line for the packet will not be included but the following lines will.

The best approach to using tcpdump in these situations is to use the -w option to write the raw data to a file. Then use the -r to read it back in and filter using the tcpdump filters which do include the not function. That way if you don't get what you need, you can try again on the same data.
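As an added example (not part of Doug Hardie's mail), the script below uses a constructed sample of multi-line tcpdump -X style output to show the failure mode described above: grep -v drops only the header lines, leaving orphaned hex lines, whereas a packet-aware filter or, as the mail recommends, re-reading a raw capture with a `not` filter keeps whole packets. The interface name, file name and the excluded port (22) are assumptions.

```shell
#!/bin/sh
# Constructed sample in the style of `tcpdump -X`: one header line per packet
# (starts with a timestamp) followed by indented hex/ASCII continuation lines.
# Not real capture data.
SAMPLE='12:00:01.000001 IP 10.0.0.1.22 > 10.0.0.2.50000: Flags [P.], length 48
    0x0000:  4500 0064 0000 4000 4006 0000 0a00 0001  E..d..@.@.......
    0x0010:  0a00 0002 0016 c350 0000 0000 0000 0000  .......P........
12:00:01.000002 IP 10.0.0.3.80 > 10.0.0.2.50001: Flags [.], length 0
    0x0000:  4500 0028 0000 4000 4006 0000 0a00 0003  E..(..@.@.......
12:00:01.000003 IP 10.0.0.1.22 > 10.0.0.2.50000: Flags [.], length 0
    0x0000:  4500 0028 0000 4000 4006 0000 0a00 0001  E..(..@.@.......'

# Line-oriented filtering: removes only the header lines of port-22 packets.
# The continuation lines of those packets survive as orphans (5 lines left
# out of 7, three of them hex lines with no header).
grep_v_filter() {
    printf '%s\n' "$SAMPLE" | grep -v '\.22 '
}

# Packet-aware filtering: a line starting with a digit begins a new packet;
# decide keep/drop once per header and apply it to the whole record.
# Leaves only the complete port-80 packet (2 lines).
awk_filter() {
    printf '%s\n' "$SAMPLE" | awk '/^[0-9]/ { keep = ($0 !~ /\.22 /) } keep'
}

# The approach from the mail: capture raw once with -w, then re-read with -r
# and a BPF filter that excludes the traffic, as often as needed.
# Assumed interface/file names; not run here.
capture_raw()     { tcpdump -i "$1" -w "$2"; }            # capture_raw em0 trace.pcap
replay_filtered() { tcpdump -r "$1" -X 'not port 22'; }   # replay_filtered trace.pcap

echo '--- grep -v (orphaned continuation lines) ---'
grep_v_filter
echo '--- packet-aware (whole packets only) ---'
awk_filter
```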