> Remember, capture filters use tcpdump-like filters.
Yes, but the "tcpdump" man page here seems to imply that
    tcp port 23
should work with "libpcap":
    port <port>
        True if either the source or destination port of
        the packet is <port>. Any of the above port expressions
        can be prepended with the keywords, "tcp" or
        "udp", as in:
            tcp src port port
        which matches only tcp packets whose source port
        is <port>.
and, at least on a Solaris Sun here, it worked, capturing Telnet traffic
from the Sun to other machines.
However:
    expr relop expr
        True if the relation holds, where relop is one of
        >, <, >=, <=, =, !=, and expr is an arithmetic
        expression composed of integer constants
        (expressed in standard C syntax), the normal
        binary operators [+, -, *, /, &, |], a length
        operator, and special packet data accessors. ...
appears to imply that the relational operators can't be used with stuff
like "tcp port", only with the "packet data accessors":
        ... To
        access data inside the packet, use the following
        syntax:
            proto [ expr : size ]
        Proto is one of ether, fddi, ip, arp, rarp, tcp,
        udp, or icmp, and indicates the protocol layer for
        the index operation. The byte offset, relative to
        the indicated protocol layer, is given by expr.
        Size is optional and indicates the number of bytes
        in the field of interest; it can be either one,
        two, or four, and defaults to one. The length
        operator, indicated by the keyword len, gives the
        length of the packet.
which would explain why
    tcp port >= 23 and tcp port <= 1024
    tcp port > 22
didn't work.
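As an added illustration (not part of the message above, and not libpcap's own code): the two failing filters can be written with the "proto [ expr : size ]" accessors the man page describes, because the TCP source port is the two bytes at offset 0 of the TCP layer and the destination port the two bytes at offset 2. "tcp port >= 23 and tcp port <= 1024" becomes

    tcp[0:2] >= 23 and tcp[0:2] <= 1024 or tcp[2:2] >= 23 and tcp[2:2] <= 1024

and "tcp port > 22" becomes "tcp[0:2] > 22 or tcp[2:2] > 22". The Python below mimics what the accessor does on a frame, including the one caveat a practitioner needs: offsets relative to the tcp layer only make sense in a first IPv4 fragment (ip[6:2] & 0x1fff = 0), since later fragments carry no TCP header. The frames are constructed in the example, not captured, and the helper names (build_frame, access, tcp_port_between, ...) are the example's own. Later libpcap versions also accept "tcp portrange 23-1024", which is the short answer to the range case.

```python
import struct

# Layout constants for the frames the accessors index into.
ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def build_frame(src_port, dst_port, ip_options=b"", frag_offset=0):
    """Constructed sample: Ethernet II + IPv4 + a minimal TCP header.

    Checksums are left zero (a capture filter never verifies them).
    ip_options must pad to a multiple of 4 bytes; frag_offset is the
    IPv4 fragment offset in 8-byte units (nonzero = not the first fragment).
    """
    if len(ip_options) % 4:
        raise ValueError("IPv4 options must pad to a multiple of 4 bytes")
    ihl = 5 + len(ip_options) // 4
    # src, dst, seq, ack, data offset (5 words), flags (SYN), window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x02,
                      8192, 0, 0)
    total_len = ihl * 4 + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s",
                     (4 << 4) | ihl, 0, total_len, 0x1234,
                     frag_offset & 0x1FFF, 64, IPPROTO_TCP, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + ip_options
    eth = bytes(6) + bytes(6) + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp


def layer_offset(frame, proto):
    """Byte offset where the named layer starts, i.e. what proto[0] addresses.
    None if the frame does not carry that layer (then nothing can match)."""
    if proto == "ether":
        return 0
    if len(frame) < ETH_HDR_LEN + 20:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    if proto == "ip":
        return ETH_HDR_LEN
    ihl_bytes = (frame[ETH_HDR_LEN] & 0x0F) * 4     # IP options move the TCP layer
    l4 = {"tcp": IPPROTO_TCP, "udp": 17, "icmp": 1}.get(proto)
    if l4 is not None and frame[ETH_HDR_LEN + 9] == l4:
        return ETH_HDR_LEN + ihl_bytes
    return None


def access(frame, proto, expr, size=1):
    """Evaluate proto[expr:size] as an unsigned big-endian integer.
    Returns None when the layer is absent or the field runs off the packet."""
    if size not in (1, 2, 4):
        raise ValueError("size must be 1, 2 or 4")
    base = layer_offset(frame, proto)
    if base is None or base + expr + size > len(frame):
        return None
    return int.from_bytes(frame[base + expr:base + expr + size], "big")


def is_first_fragment(frame):
    """ip[6:2] & 0x1fff = 0 : only the first fragment carries the TCP header."""
    frag = access(frame, "ip", 6, 2)
    return frag is not None and (frag & 0x1FFF) == 0


def tcp_port_between(frame, lo, hi):
    """Accessor form of the wanted 'tcp port >= lo and tcp port <= hi':
       ip[6:2] & 0x1fff = 0 and (tcp[0:2] >= lo and tcp[0:2] <= hi
                                 or tcp[2:2] >= lo and tcp[2:2] <= hi)"""
    if not is_first_fragment(frame):
        return False
    for off in (0, 2):                  # 0 = source port, 2 = destination port
        port = access(frame, "tcp", off, 2)
        if port is not None and lo <= port <= hi:
            return True
    return False


def tcp_port_above(frame, n):
    """Accessor form of 'tcp port > n': tcp[0:2] > n or tcp[2:2] > n."""
    if not is_first_fragment(frame):
        return False
    for off in (0, 2):
        port = access(frame, "tcp", off, 2)
        if port is not None and port > n:
            return True
    return False


if __name__ == "__main__":
    telnet = build_frame(23, 40000)
    print("telnet frame in 23..1024:", tcp_port_between(telnet, 23, 1024))
    print("telnet frame port > 22:  ", tcp_port_above(telnet, 22))
```

The fragment test matters in the real filter too: without it, "tcp[0:2]" on a non-first fragment indexes whatever payload bytes happen to sit after the IP header and can produce false matches.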