[TriLUG] tcpdump src matching problem

Jason jason at monsterjam.org
Mon Aug 14 12:51:21 EDT 2006


Yeah, it's called tethereal.

Jason

On Mon, Aug 14, 2006 at 11:58:51AM -0400, OlsonE at aosa.army.mil wrote:
> Ethereal? Don't they have a CLI? 
> 
> -----Original Message-----
> From: trilug-bounces at trilug.org [mailto:trilug-bounces at trilug.org] On
> Behalf Of Ryan Leathers
> Sent: Monday, August 14, 2006 11:55 AM
> To: trilug at trilug.org
> Subject: [TriLUG] tcpdump src matching problem
> 
> So, tcpdump isn't matching what I want it to.
> 
> Quick requirement:
> 
> I want tcpdump to capture the first frame it sees of a certain multicast
> type.  I don't want it to match on a frame with a particular source
> address.  Sound simple enough?
> 
> Problem:
> 
> frames from the unwanted src MAC are being matched anyway
> 
> 
> More detail:
> 
> I want to see a CDP packet from the Cisco switch I am connected to.  I
> don't care to run this 24x7.  I just need an answer-on-demand where I
> run the script and see which switch and port I am connected to.
> 
> I have some parsing lines in a bash script to make the output pretty.
> I don't want to parse more than the first match I see, since that makes
> the parsing tougher, however, since I also send CDP packets out to
> advertise my Linux host to the Cisco switch, I also need to make sure
> that my own CDP multicast is not being matched or the results will be
> useless.
> 
> I use this line to find my MAC address:
> export lowestmac=`ifconfig | grep HWaddr -m 1 | awk '{print $5}'`
> 
> I use this line to match the frame:
> tcpdump -c 1 -tvs 1500 ether dst 01:00:0c:cc:cc:cc and not ether src $lowestmac > $cdpdata
> 
> Then I parse the stuff in $cdpdata
> 
> The trouble is the "not ether src $lowestmac" doesn't seem to be
> observed and I get matches from my Linux host anyway.
> 
> Any thoughts on this?
> 
> 
>  
> 
> -- 
> TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
> TriLUG Organizational FAQ  : http://trilug.org/faq/
> TriLUG Member Services FAQ : http://members.trilug.org/services_faq/

-- 
================================================
|    Jason Welsh   jason at monsterjam.org        |
| http://monsterjam.org    DSS PGP: 0x5E30CC98 |
|    gpg key: http://monsterjam.org/gpg/       |
================================================



