Forum Discussion

moog67_108621's avatar
moog67_108621
Icon for Nimbostratus rankNimbostratus
Jul 14, 2014

tcpdump portrange option

Hi everyone,   I'm trying to capture traffic directed to a certain range of tcp ports with tcpdump. When using the "portrange" expression I get a syntax error:   tcpdump -i -s0 -w capture_file...
application delivery
LTM
management
performance
  • mimlo_61970's avatar
    mimlo_61970
    Jul 18, 2014

    try:

     

    tcpdump -i SRV -s0 -w capture_file.trc port 8080 or port 8081 or port 8082

     

    This worked for me, I saw traffic on all 3 ports in both directions in my dump. My only diff was the interface name.

     

    This was on 10.2.4 HF5, tcpdump version 3.9.4, libpcap version 0.7.2

     

    Again, no idea why portrange doesn't work, but I can confirm the same problem on this version.

     

mimlo_61970's avatar
mimlo_61970
Icon for Cumulonimbus rankCumulonimbus
Jul 14, 2014

Weird, it definitely doesn't work on 10.2.4 the same way it works in 11. It seems to require another option like src or dst.

 

'src portrange 8080-8082 or dst portrange 8080-8082' appears to work.

 

  • adityoari_14383's avatar
    adityoari_14383
    Historic F5 Account
    Jul 15, 2014
    I haven't look at the each versions yet, but I strongly suspect that v11 & v10.2.4 have different versions of tcpdump and/or libpcap, whose older versions haven't had the support for the "standalone" portrange filter
  • moog67_108621's avatar
    moog67_108621
    Icon for Nimbostratus rankNimbostratus
    Jul 18, 2014
    Hi everyone, Still no good for me, even with the above options the command does not work. Here's my version of tcpdump: [xxxxxxxxx:Active] log tcpdump --help tcpdump version 3.9.4 libpcap version 0.7.2 Could you please share the syntax of the command line you're using?, does it effectively work? Many thanks, moog67