Re: "not upd" doesn't work in compound filter

[Guy Harris <guy () alum mit edu>]

On Aug 14, 2011, at 11:15 AM, George Liang wrote:

> With below tcpdump command (in Ubuntu), I want to get multicast traffic, non udp, ..., but the filter "! udp" doesn't 
> work. It gives output of UDP packets.
>
> sudo tcpdump -r tw 'ether[0] & 0xFF == 1' && ! udp && host 192.168.1.1 && greater 300

If that's the command you typed, note that not only does "&" mean something special to the shell, so does "&&".  That 
means you need to quote more than just "ether[0] & 0xFF == 1", so try quoting the entire expression:

        sudo tcpdump -r tw 'ether[0] & 0xFF == 1 && ! udp && host 192.168.1.1 && greater 300'

or maybe just

        sudo tcpdump -r tw 'ether multicast && ! udp && host 192.168.1.1 && greater 300'

or try using "and" rather than "&&":

        sudo tcpdump -r tw 'ether[0] & 0xFF == 1' and ! udp and host 192.168.1.1 and greater 300

Also, if you're reading from a capture file, rather than capturing live traffic, "sudo" isn't necessary.-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.