[TriLUG] tcpdump src matching problem

OlsonE at aosa.army.mil OlsonE at aosa.army.mil
Mon Aug 14 11:58:51 EDT 2006


Ethereal? Don't they have a CLI? 

-----Original Message-----
From: trilug-bounces at trilug.org [mailto:trilug-bounces at trilug.org] On
Behalf Of Ryan Leathers
Sent: Monday, August 14, 2006 11:55 AM
To: trilug at trilug.org
Subject: [TriLUG] tcpdump src matching problem

So, tcpdump isn't matching what I want it to.

Quick requirement:

I want tcpdump to capture the first frame it sees of a certain multicast
type.  I don't want it to match on a frame with a particular source
address.  Sound simple enough?

Problem:

frames from the unwanted src MAC are being matched anyway


More detail:

I want to see a CDP packet from the Cisco switch I am connected to.  I
don't care to run this 24x7.  I just need an answer-on-demand where I
run the script and see which switch and port I am connected to.

I have some parsing lines in a bash script to make the output pretty.
I don't want to parse more than the first match I see, since that makes
the parsing tougher. However, since I also send CDP packets out to
advertise my Linux host to the Cisco switch, I also need to make sure
that my own CDP multicast is not being matched or the results will be
useless.

I use this line to find my MAC address:
export lowestmac=`ifconfig | grep HWaddr -m 1 | awk '{print $5}'`

I use this line to match the frame:
tcpdump -c 1 -tvs 1500 ether dst 01:00:0c:cc:cc:cc and not ether src $lowestmac > $cdpdata

Then I parse the stuff in $cdpdata

The trouble is the "not ether src $lowestmac" doesn't seem to be
observed and I get matches from my Linux host anyway.

Any thoughts on this?


 

-- 
TriLUG mailing list        :
http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ  : http://trilug.org/faq/ TriLUG Member
Services FAQ : http://members.trilug.org/services_faq/
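
Added example, not part of the original post or of any reply in the thread: a shell version of the capture step that takes the excluded source MAC from the same interface tcpdump listens on, and refuses to build the filter from an empty or malformed MAC. That an interface mismatch is behind the unwanted matches is an assumption the thread does not confirm; the function names and the sysfs lookup are illustrative.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). Assumption: the MAC being excluded
# should belong to the interface tcpdump captures on. The thread does not
# establish that a mismatch is the cause of the unwanted matches.

CDP_DST="01:00:0c:cc:cc:cc"   # CDP multicast address, as used in the post

# Lowercase a MAC and reject anything that is not six hex octets, so an
# empty or malformed value never reaches the filter expression.
normalize_mac() {
    local mac
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    if printf '%s' "$mac" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'; then
        printf '%s\n' "$mac"
    else
        return 1
    fi
}

# Read the MAC of one named interface from sysfs (Linux).
iface_mac() {
    local path="/sys/class/net/$1/address"
    [ -r "$path" ] || return 1
    normalize_mac "$(cat "$path")"
}

# Build the filter from the post for a given local MAC.
cdp_filter() {
    local mac
    mac=$(normalize_mac "$1") || return 1
    printf 'ether dst %s and not ether src %s\n' "$CDP_DST" "$mac"
}

# Capture the first CDP frame on interface $1 that $1 did not send.
# -i pins the capture interface; -e prints the link-level header, so the
# source MAC of whatever matched is visible in the output.
capture_cdp() {
    local iface="$1" mac filter
    mac=$(iface_mac "$iface") || { echo "no usable MAC for $iface" >&2; return 1; }
    filter=$(cdp_filter "$mac") || return 1
    tcpdump -i "$iface" -e -c 1 -tvs 1500 "$filter"
}
```

Running `capture_cdp eth0` (interface name is a placeholder) shows the matched frame's source MAC next to the excluded one, which makes it visible whether the host's own CDP frames carry a different source address than the one being filtered.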


