tcpdump mailing list archives
Re: pcap range no worky on ppc? (e.g. udp[2:2] >= 137 && udp[2:2] <= 139)
From: Guy Harris <guy () alum mit edu>
Date: Thu, 17 Jun 2004 01:29:56 -0700
On Thu, Jun 17, 2004 at 03:19:40PM +1000, Ben Low wrote:
> I attempted to use the following expression to filter netbios stuff:
>
>     udp[2:2] >= 137 && udp[2:2] <= 139
>
> However this expression only captures port 137 packets on my two Power PC machines:
>
> - linux 2.4.18 ppc (debian) tcpdump version 3.8.3 / libpcap version 0.8.3
> - OS X 10.3.4 PowerBook (fink) tcpdump version 3.8-cvs / libpcap version 0.8
>
> It works as expected on an x86 linux box (tcpdump version 3.6.3 / libpcap version 0.6).
>
> Is this a pcap 0.8, or PPC (endianness?) problem?
It's a pcap 0.8 problem:

    https://sourceforge.net/tracker/index.php?func=detail&aid=940212&group_id=53067&atid=469577

There's no UDP port 139 NetBIOS-over-TCP stuff, so if you want NBT traffic, try

    udp port 137 or udp port 138 or tcp port 139

which shouldn't have a problem with that optimizer bug - and, for completeness, try

    udp port 137 or udp port 138 or tcp port 139 or tcp port 445

to catch CIFS-over-TCP (without the NBT layer).
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
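Added example, not part of the original messages and not libpcap code: a small Python model of what the two filter expressions in this thread select, run over constructed IPv4 packets. The helper names, addresses and port pairings (including the reply from port 137 to an ephemeral port) are assumptions made for illustration.

```python
import struct

UDP, TCP = 17, 6

def ipv4(proto, l4):
    """Constructed 20-byte IPv4 header (checksum left at 0) plus L4 bytes."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64,
                       proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + l4

def udp(sport, dport):
    return ipv4(UDP, struct.pack("!HHHH", sport, dport, 8, 0))

def tcp(sport, dport):
    return ipv4(TCP, struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                                 0x50, 0x02, 8192, 0, 0))

def ports(pkt):
    """Return (proto, sport, dport); the L4 offset honours the IP header length."""
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport = struct.unpack_from("!HH", pkt, ihl)
    return pkt[9], sport, dport

def range_filter(pkt):
    """udp[2:2] >= 137 && udp[2:2] <= 139: bytes 2-3 of UDP are the destination port."""
    proto, _, dport = ports(pkt)
    return proto == UDP and 137 <= dport <= 139

def port_filter(pkt):
    """udp port 137 or udp port 138 or tcp port 139 or tcp port 445."""
    proto, sport, dport = ports(pkt)
    wanted = {UDP: {137, 138}, TCP: {139, 445}}.get(proto, set())
    return sport in wanted or dport in wanted  # 'port' means source OR destination

# Constructed sample traffic, one packet per case.
SAMPLES = {
    "name service 137->137": udp(137, 137),
    "name reply 137->40000": udp(137, 40000),
    "datagram 138->138": udp(138, 138),
    "stray udp 40000->139": udp(40000, 139),
    "session tcp 49152->139": tcp(49152, 139),
    "cifs tcp 49152->445": tcp(49152, 445),
}

def compare():
    """Map each sample to (matched by range filter, matched by port filter)."""
    return {name: (range_filter(p), port_filter(p)) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, (r, p) in compare().items():
        print(f"{name:24} range={r!s:5} port={p}")
```

Even with a correct optimizer, the byte-offset range filter looks only at the UDP destination port, so it skips replies sourced from 137 and all TCP traffic on 139 and 445, while accepting UDP to 139.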