The -d option does something different than what botho is asking; it doesn't display the captured data in a different format, it displays the capture program that it writes.
The 'capture filter' in tcpdump works by parsing the filter string during startup, and then writing an optimized machine-language filter subroutine which is called for each packet. The -d option shows that subroutine, in assembler language, which is 'human' compared to the raw machine language that -dd or -ddd would show.
For example, if I want to capture only TCP packets, ignoring all UDP, ICMP, and non-IP packets, I would use tcpdump tcp . Adding -d and running it, I get:
In (pseudo)Perl, that translates to:$ tcpdump -d tcp (000) ldh [12] (001) jeq #0x86dd jt 2 jf 4 (002) ldb [20] (003) jeq #0x6 jt 7 jf 8 (004) jeq #0x800 jt 5 jf 8 (005) ldb [23] (006) jeq #0x6 jt 7 jf 8 (007) ret #96 (008) ret #0
The -d option is really there for debugging the filter's parser and optimizer.use constant IPv4 => 0x0800; # Regular TCP/IP use constant IPv6 => 0x86dd; # New and improved! use constant TCP => 0x06; # As opposed to UDP or ICMP sub filter { my $type = unpack 'x12 n1', $_; my $proto; if ( $type == IPv6 ) { $proto = unpack 'x20 C1', $_; elsif ( $type == IPv4 ) { $proto = unpack 'x23 C1', $_; else { return; } return 1 if $proto == TCP; return; }
All this explains why Ethereal supports two completely different filter languages. The 'capture' filters are identical (and as efficient) to tcpdump's filters, but the slower non-compiled 'read' filters provide much more power.
In reply to Re: Re: converting tcpdump files
by Util
in thread converting tcpdump files
by botho
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |