Forum Discussion
tcpdump portrange option
Hi everyone,
I'm trying to capture traffic directed to a certain range of tcp ports with tcpdump. When using the "portrange" expression I get a syntax error:
tcpdump -i -s0 -w capture_file.trc portrange 8080-8082 tcpdump: syntax error in filter expression
Is this expression supported on BIG-IP (1600 10.2.4 HF5)?
Thanks in advance, Regards.
moog67
try:
tcpdump -i SRV -s0 -w capture_file.trc port 8080 or port 8081 or port 8082
This worked for me, I saw traffic on all 3 ports in both directions in my dump. My only diff was the interface name.
This was on 10.2.4 HF5, tcpdump version 3.9.4, libpcap version 0.7.2
Again, no idea why portrange doesn't work, but I can confirm the same problem on this version.
- mimlo_61970Cumulonimbus
try:
tcpdump -i SRV -s0 -w capture_file.trc port 8080 or port 8081 or port 8082
This worked for me, I saw traffic on all 3 ports in both directions in my dump. My only diff was the interface name.
This was on 10.2.4 HF5, tcpdump version 3.9.4, libpcap version 0.7.2
Again, no idea why portrange doesn't work, but I can confirm the same problem on this version.
Glad you found a reply for this! Here's a few articles by tcpdump enthusiast JRahm in case you (or anyone else) is interested:
- moog67_108621NimbostratusThanks mimlo!! It finally worked as I need it, I can see traffic on both directions as well. We'll be upgrading to 11.x in the short term , I'll give it another go then. Regards moog67
- mimlo_61970Cumulonimbus
Weird, it definitely doesn't work on 10.2.4 the same way it works in 11. It seems to require another option like src or dst.
'src portrange 8080-8082 or dst portrange 8080-8082' appears to work.
- moog67_108621NimbostratusHi everyone, Still no good for me, even with the above options the command does not work. Here's my version of tcpdump: [xxxxxxxxx:Active] log tcpdump --help tcpdump version 3.9.4 libpcap version 0.7.2 Could you please share the syntax of the command line you're using?, does it effectively work? Many thanks, moog67
- adityoari_14383Historic F5 AccountI haven't look at the each versions yet, but I strongly suspect that v11 & v10.2.4 have different versions of tcpdump and/or libpcap, whose older versions haven't had the support for the "standalone" portrange filter
- adityoari_14383Historic F5 Account
is that the syntax you actually used? because it's missing the interface name
- moog67_108621NimbostratusOoops!! I guess it was a copy/paste issue... The actual syntax I'm using is: tcpdump -i SRV -s0 -w capture_file.trc portrange 8080-8082 Where SRV is the alias for the interface where the traffic is coming/going. I'm just interested in the traffic directed to TCP ports 8080,8081 and 8082. Thanks moog67
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com