Message-ID: <20020408050230.93927.qmail@web14903.mail.yahoo.com>
Date: Sun, 7 Apr 2002 22:02:30 -0700 (PDT)
From: Hekkk Hekk <kfc_argus@yahoo.com>
Subject: Re: How to dump packet after filtered
Dear Manikantan,
Thanks for your help... I am now very clear on the b_
character. Ok, but your suggestion still doesn't solve my
main point. The point is that I cannot dump the packets that
matched the filter option. From my example... the wee
file dumps like this:
# tcptrace wee
1 arg remaining, starting with 'wee'
Ostermann's tcptrace -- version 6.0.1 -- Mon Dec 3, 2001
159 packets seen, 159 TCP packets traced
elapsed wallclock time: 0:00:00.039474, 4027 pkts/sec analyzed
trace file elapsed time: 0:00:56.091083
TCP connection info:
*** 16 packets were too short to process at some point
(use -w option to show details)
1: 10.226.37.70:2582 - 10.226.37.69:21 (a2b)
29> 21< (complete)
2: 10.226.37.69:33890 - 10.226.37.70:113 (c2d)
1> 1< (reset)
3: 10.226.37.69:20 - 10.226.37.70:2583 (e2f)
6> 5< (complete)
4: 10.226.37.72:1024 - 10.226.37.69:21 (g2h)
26> 19< (complete)
5: 10.226.37.69:33891 - 10.226.37.72:113 (i2j)
1> 1< (reset)
6: 10.226.37.72:1025 - 10.226.37.69:11104 (k2l)
5> 5< (complete)
7: 10.226.37.72:1026 - 10.226.37.69:20828 (m2n)
5> 6< (complete)
8: 10.226.37.69:20 - 10.226.37.70:2584 (o2p)
6> 5< (complete)
9: 10.226.37.69:20 - 10.226.37.70:2585 (q2r)
10> 7< (complete)
So I want to dump the packets where either the client or the
server port is not 113 (from the tcptrace output above,
connections 2 and 5 will be discarded) with this command.
# tcptrace '-fport!=113' -O'ddd' wee
Output filter: ((c_port!=113)OR(s_port!=113))
1 arg remaining, starting with 'wee'
Ostermann's tcptrace -- version 6.0.1 -- Mon Dec 3, 2001
159 packets seen, 159 TCP packets traced
elapsed wallclock time: 0:00:00.050932, 3121 pkts/sec analyzed
trace file elapsed time: 0:00:56.091083
TCP connection info:
*** 16 packets were too short to process at some point
(use -w option to show details)
1: 10.226.37.70:2582 - 10.226.37.69:21 (a2b)
29> 21< (complete)
2: 10.226.37.69:33890 - 10.226.37.70:113 (c2d)
1> 1< (reset)
3: 10.226.37.69:20 - 10.226.37.70:2583 (e2f)
6> 5< (complete)
4: 10.226.37.72:1024 - 10.226.37.69:21 (g2h)
26> 19< (complete)
5: 10.226.37.69:33891 - 10.226.37.72:113 (i2j)
1> 1< (reset)
6: 10.226.37.72:1025 - 10.226.37.69:11104 (k2l)
5> 5< (complete)
7: 10.226.37.72:1026 - 10.226.37.69:20828 (m2n)
5> 6< (complete)
8: 10.226.37.69:20 - 10.226.37.70:2584 (o2p)
6> 5< (complete)
9: 10.226.37.69:20 - 10.226.37.70:2585 (q2r)
10> 7< (complete)
But!!! connections 2 and 5 are still displayed... So I try
this command:
# tcptrace '-fb_port!=113' -O'eee' wee
Output filter: ((c_port!=113)AND(s_port!=113))
1 arg remaining, starting with 'wee'
Ostermann's tcptrace -- version 6.0.1 -- Mon Dec 3, 2001
159 packets seen, 159 TCP packets traced
elapsed wallclock time: 0:00:00.040652, 3911 pkts/sec analyzed
trace file elapsed time: 0:00:56.091083
TCP connection info:
*** 16 packets were too short to process at some point
(use -w option to show details)
1: 10.226.37.70:2582 - 10.226.37.69:21 (a2b)
29> 21< (complete)
3: 10.226.37.69:20 - 10.226.37.70:2583 (e2f)
6> 5< (complete)
4: 10.226.37.72:1024 - 10.226.37.69:21 (g2h)
26> 19< (complete)
6: 10.226.37.72:1025 - 10.226.37.69:11104 (k2l)
5> 5< (complete)
7: 10.226.37.72:1026 - 10.226.37.69:20828 (m2n)
5> 6< (complete)
8: 10.226.37.69:20 - 10.226.37.70:2584 (o2p)
6> 5< (complete)
9: 10.226.37.69:20 - 10.226.37.70:2585 (q2r)
10> 7< (complete)
It discards 2 and 5... Why? After that I try to view the
'ddd' and 'eee' dump files:
# tcptrace ddd
1 arg remaining, starting with 'ddd'
Ostermann's tcptrace -- version 6.0.1 -- Mon Dec 3, 2001
159 packets seen, 159 TCP packets traced
elapsed wallclock time: 0:00:00.040680, 3908 pkts/sec analyzed
trace file elapsed time: 0:00:56.091083
TCP connection info:
*** 16 packets were too short to process at some point
(use -w option to show details)
1: 10.226.37.70:2582 - 10.226.37.69:21 (a2b)
29> 21< (complete)
2: 10.226.37.69:33890 - 10.226.37.70:113 (c2d)
1> 1< (reset)
3: 10.226.37.69:20 - 10.226.37.70:2583 (e2f)
6> 5< (complete)
4: 10.226.37.72:1024 - 10.226.37.69:21 (g2h)
26> 19< (complete)
5: 10.226.37.69:33891 - 10.226.37.72:113 (i2j)
1> 1< (reset)
6: 10.226.37.72:1025 - 10.226.37.69:11104 (k2l)
5> 5< (complete)
7: 10.226.37.72:1026 - 10.226.37.69:20828 (m2n)
5> 6< (complete)
8: 10.226.37.69:20 - 10.226.37.70:2584 (o2p)
6> 5< (complete)
9: 10.226.37.69:20 - 10.226.37.70:2585 (q2r)
10> 7< (complete)
# tcptrace eee
1 arg remaining, starting with 'eee'
Ostermann's tcptrace -- version 6.0.1 -- Mon Dec 3, 2001
159 packets seen, 159 TCP packets traced
elapsed wallclock time: 0:00:00.038021, 4181 pkts/sec analyzed
trace file elapsed time: 0:00:56.091083
TCP connection info:
*** 16 packets were too short to process at some point
(use -w option to show details)
1: 10.226.37.70:2582 - 10.226.37.69:21 (a2b)
29> 21< (complete)
2: 10.226.37.69:33890 - 10.226.37.70:113 (c2d)
1> 1< (reset)
3: 10.226.37.69:20 - 10.226.37.70:2583 (e2f)
6> 5< (complete)
4: 10.226.37.72:1024 - 10.226.37.69:21 (g2h)
26> 19< (complete)
5: 10.226.37.69:33891 - 10.226.37.72:113 (i2j)
1> 1< (reset)
6: 10.226.37.72:1025 - 10.226.37.69:11104 (k2l)
5> 5< (complete)
7: 10.226.37.72:1026 - 10.226.37.69:20828 (m2n)
5> 6< (complete)
8: 10.226.37.69:20 - 10.226.37.70:2584 (o2p)
6> 5< (complete)
9: 10.226.37.69:20 - 10.226.37.70:2585 (q2r)
10> 7< (complete)
And view the files:
# ls -al
total 5740
drwxrwxr-x 2 root root  4096 Apr 8 11:55 .
drwxrwxr-x 7 root root  4096 Apr 7 22:34 ..
-rw-rw-r-- 1 root root 13221 Apr 8 11:55 ddd
-rw-rw-r-- 1 root root 13221 Apr 8 11:55 eee
-rw-rw-r-- 1 root root 13226 Apr 8 00:12 wee
So why? I am not sure that I used the right option... Why
are the sizes of ddd and eee the same? Why are wee and ddd/eee
different?
Thank you
Chong
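The two "Output filter:" lines in the message above show how tcptrace expands the filter variables: `port!=113` becomes `(c_port!=113) OR (s_port!=113)`, while `b_port!=113` becomes `(c_port!=113) AND (s_port!=113)`. The following script is an added illustration (it is not part of the original message and not tcptrace's own code): it parses the connection summary lines quoted in the post, applies both expansions to them, and shows why the OR form keeps connections 2 and 5 while the AND form drops them. The sample input is copied from the post; the `expand_filter` and `connection_matches` helpers are hypothetical names, and extending the OR/AND expansion to comparison operators other than `!=` is an assumption made here, not something the message demonstrates.

```python
import operator
import re
from dataclasses import dataclass

# Connection summary lines exactly as tcptrace printed them in the post above
# (constructed sample: copied from the message, not produced by running tcptrace here).
TCPTRACE_OUTPUT = """\
1: 10.226.37.70:2582 - 10.226.37.69:21 (a2b)
29> 21< (complete)
2: 10.226.37.69:33890 - 10.226.37.70:113 (c2d)
1> 1< (reset)
3: 10.226.37.69:20 - 10.226.37.70:2583 (e2f)
6> 5< (complete)
4: 10.226.37.72:1024 - 10.226.37.69:21 (g2h)
26> 19< (complete)
5: 10.226.37.69:33891 - 10.226.37.72:113 (i2j)
1> 1< (reset)
6: 10.226.37.72:1025 - 10.226.37.69:11104 (k2l)
5> 5< (complete)
7: 10.226.37.72:1026 - 10.226.37.69:20828 (m2n)
5> 6< (complete)
8: 10.226.37.69:20 - 10.226.37.70:2584 (o2p)
6> 5< (complete)
9: 10.226.37.69:20 - 10.226.37.70:2585 (q2r)
10> 7< (complete)
"""

# "N: client_addr:port - server_addr:port (label)"; the "29> 21< (complete)" lines do not match.
CONN_RE = re.compile(r"^\s*(\d+):\s+(\S+):(\d+)\s+-\s+(\S+):(\d+)\s+\((\w+)\)")

# Only the "port" / "b_port" shorthand from the post is modelled here (hypothetical parser).
FILTER_RE = re.compile(r"^(b_)?port\s*(==|!=|<=|>=|<|>)\s*(\d+)$")
OPS = {"==": operator.eq, "!=": operator.ne, "<": operator.lt,
       "<=": operator.le, ">": operator.gt, ">=": operator.ge}


@dataclass
class Conn:
    index: int
    c_addr: str
    c_port: int
    s_addr: str
    s_port: int
    label: str


def parse_connections(text):
    """Extract one Conn per connection summary line in tcptrace's text output."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            conns.append(Conn(int(m.group(1)), m.group(2), int(m.group(3)),
                              m.group(4), int(m.group(5)), m.group(6)))
    return conns


def expand_filter(expr):
    """Expand `port OP N` / `b_port OP N` the way the post's "Output filter:" lines show.

    port   OP N  ->  ((c_port OP N) OR  (s_port OP N))   either side satisfies it
    b_port OP N  ->  ((c_port OP N) AND (s_port OP N))   both sides must satisfy it
    Returns (expanded_text, both_sides, op, value).
    """
    m = FILTER_RE.match(expr.strip())
    if not m:
        raise ValueError(f"unsupported filter expression: {expr!r}")
    both, op, value = m.group(1) == "b_", m.group(2), int(m.group(3))
    combiner = "AND" if both else "OR"
    return f"((c_port{op}{value}){combiner}(s_port{op}{value}))", both, op, value


def connection_matches(conn, expr):
    """Evaluate the expanded filter against one connection's two port numbers."""
    _, both, op, value = expand_filter(expr)
    on_client = OPS[op](conn.c_port, value)
    on_server = OPS[op](conn.s_port, value)
    return (on_client and on_server) if both else (on_client or on_server)


def apply_filter(text, expr):
    """Return the indices of the connections tcptrace would keep under `expr`."""
    return [c.index for c in parse_connections(text) if connection_matches(c, expr)]


if __name__ == "__main__":
    for expr in ("port!=113", "b_port!=113"):
        print(f"{expr:12} -> {expand_filter(expr)[0]}")
        print(f"{'':12}    kept connections: {apply_filter(TCPTRACE_OUTPUT, expr)}")
```

Running it reproduces the post's observation: under `port!=113` all nine connections survive, because in connections 2 and 5 only the server side is 113 and the client port (33890 or 33891) already satisfies the OR; under `b_port!=113` connections 2 and 5 are the only ones dropped. This models the connection filter alone and says nothing about which packets `-O` writes to the dump file.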
----------------------------------------------------------------------------
To unsubscribe, send a message with body containing "unsubscribe tcptrace" to
majordomo@tcptrace.org.
This archive was generated by hypermail 2b30 : 04/08/02 EDT