On Jul 19, 2007, at 9:07 AM, juan.wortley@xxxxxxx wrote:
> be sure you don't want to say:
>
> tcpdump -i eth0 -s 0 -w dump '(host 192.168.0.1 or host 192.168.0.2) and port 443'
To quote the tcpdump man page:

    host host
        True if either the IPv4/v6 source or destination of the packet is host.
    ...
    port port
        True if either the source or destination port of the packet is port.
This means that "host 192.168.0.1 and host 192.168.0.2 and port 443"
means "(the source or destination host is 192.168.0.1) and (the source
or destination host is 192.168.0.2) and (the source or destination
port is 443)".
That matches all traffic that's either:
from 192.168.0.1 and to 192.168.0.1;
from 192.168.0.1 and to 192.168.0.2;
from 192.168.0.2 and to 192.168.0.1;
from 192.168.0.2 and to 192.168.0.2;
and that's to or from port 443.
This also means that "(host 192.168.0.1 or host 192.168.0.2) and port
443" means "((the source or destination host is 192.168.0.1) or (the
source or destination host is 192.168.0.2)) and (the source or
destination port is 443)".
That matches all traffic that's either:
from 192.168.0.1;
to 192.168.0.1;
from 192.168.0.2;
to 192.168.0.2;
and that's to or from port 443.
The first of those doesn't, for example, match traffic from
192.168.0.1 to 216.34.131.135; it only matches traffic between
192.168.0.1 and 192.168.0.2, traffic from 192.168.0.1 to itself (if
that can be captured on eth0, which it probably can't), and traffic
from 192.168.0.2 to itself (again, if that can be captured on eth0,
which it probably can't). The second of those does match, for
example, traffic from 192.168.0.1 to 216.34.131.135.
(All of this also applies to Wireshark/TShark, of course, as they use
the same capture filter compiler and so on.)
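The following is an added example, not part of the original message or of tcpdump itself: it models the two capture filters from the thread as Python predicates and applies them to a handful of constructed packets, so the difference between "host A and host B" and "(host A or host B)" can be seen without a live capture. The `Packet` class, the sample addresses other than those quoted above, and the port numbers are all made up for illustration.

```python
"""Model of the two tcpdump capture filters discussed in the thread.

`host X` is true when X is the source OR destination address of a packet,
and `port N` is true when N is the source OR destination port.  The two
filter functions below mirror the two expressions from the thread, with
the same grouping, so their behaviour can be compared on sample packets.
"""
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class Packet:
    """Minimal stand-in for a captured IP packet (constructed for this example)."""
    src: str
    dst: str
    sport: int
    dport: int


Predicate = Callable[[Packet], bool]


def host(addr: str) -> Predicate:
    """tcpdump 'host addr': true if addr is the source or destination address."""
    return lambda p: addr in (p.src, p.dst)


def port(num: int) -> Predicate:
    """tcpdump 'port num': true if num is the source or destination port."""
    return lambda p: num in (p.sport, p.dport)


def filter_and(p: Packet) -> bool:
    """'host 192.168.0.1 and host 192.168.0.2 and port 443'"""
    return host("192.168.0.1")(p) and host("192.168.0.2")(p) and port(443)(p)


def filter_or(p: Packet) -> bool:
    """'(host 192.168.0.1 or host 192.168.0.2) and port 443'"""
    return (host("192.168.0.1")(p) or host("192.168.0.2")(p)) and port(443)(p)


# Constructed sample packets; the ephemeral ports and 10.0.0.5 are invented.
SAMPLE_PACKETS: List[Packet] = [
    Packet("192.168.0.1", "192.168.0.2", 51000, 443),     # between the two hosts
    Packet("192.168.0.2", "192.168.0.1", 443, 51000),     # reply direction
    Packet("192.168.0.1", "216.34.131.135", 51001, 443),  # to an outside server
    Packet("216.34.131.135", "192.168.0.2", 443, 51002),  # reply from outside
    Packet("192.168.0.1", "192.168.0.2", 51003, 80),      # right hosts, wrong port
    Packet("10.0.0.5", "216.34.131.135", 51004, 443),     # neither host
]


def matching(pred: Predicate, packets: List[Packet] = SAMPLE_PACKETS) -> List[Packet]:
    """Return the packets the given filter would let through."""
    return [p for p in packets if pred(p)]


if __name__ == "__main__":
    for name, pred in (("host A and host B and port 443", filter_and),
                       ("(host A or host B) and port 443", filter_or)):
        print(name)
        for p in matching(pred):
            print(f"  {p.src}:{p.sport} -> {p.dst}:{p.dport}")
```

Running it shows the first filter passing only the two packets exchanged between 192.168.0.1 and 192.168.0.2, while the second also passes the traffic between either host and 216.34.131.135; port-80 traffic and traffic involving neither host are dropped by both.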