Ethereal-dev: Re: [Ethereal-dev] tethereal -d tcp.port==1234,http -c 5

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Thu, 3 Jun 2004 01:29:38 -0700
On Thu, Jun 03, 2004 at 10:02:22AM +0530, Durai wrote:
> Hello All,
> 
>                 I read in tethereal man page that,
> 
> -d tcp.port==8888,http will decode any traffic running over TCP port 8888 as
> HTTP.
> 
> I did the above command over TCP port 1234 ( no process running or
> listening ). But it capture the packets.
> 
> $ netstat -na | grep -E 1234
> $ tethereal -d tcp.port==1234,http -c 5
> Capturing on lan0
>   0.000000 172.16.1.158 -> 172.16.1.26  TELNET Telnet Data ...
>   0.002176 172.16.1.158 -> 172.16.1.26  TELNET Telnet Data ...
>   0.002352 172.16.1.158 -> 172.16.1.26  TELNET Telnet Data ...
>   0.002484 172.16.1.158 -> 172.16.1.26  TELNET Telnet Data ...
>   0.002606  172.16.1.26 -> 172.16.1.158 TCP 1371 > telnet [ACK] Seq=0 Ack=9 Win=17241 Len=0
> 5 packets captured

The last of those packets is from port 1371 to port 23; if all of the
packets before it are from port 23 to port 1371, then it'd be dissected
as Telnet because it's from port 23, which is the port for Telnet.

In addition, if all of the packets before it are from port 23 to port
1371, it's irrelevant whether you specified "-d tcp.port==1234,http" as
there isn't any traffic to or from port 1234.

If you only want to capture traffic to or from port 1234, you'd need to
use a capture filter:

	tethereal -d tcp.port==1234,http -c 5 tcp port 1234

and if that prints no packets, it probably means your machine isn't
seeing any traffic to or from port 1234.  (Note that even if there's
traffic on your network to or from port 1234, unless that traffic is to
or from the machine on which you're running Tethereal, on the interface
Tethereal is using, there's no guarantee that your machine will see it:

	http://www.ethereal.com/faq.html#q5.1

.)
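As an added illustration (not part of the original thread or of the Ethereal code), here is a small Python model of the behaviour Guy describes: a "-d" rule only adds a port-to-dissector mapping and filters nothing, a data segment is decoded according to whichever of its two ports is registered, an empty ACK stays plain TCP, and only a capture filter such as "tcp port 1234" drops unrelated traffic. The port table and the five sample segments are constructed to mirror the quoted output, and the lower-port-first lookup is a simplification of Wireshark's real dissector selection.

```python
# Added example: simplified model of tethereal's port-based TCP dissection.
# Sample data is constructed to mirror the capture quoted in the thread.
from typing import Dict, List, Tuple

# (source port, destination port, payload length)
Segment = Tuple[int, int, int]

# Stand-in for the registered TCP port table (hypothetical subset).
DEFAULT_PORTS: Dict[int, str] = {23: "telnet", 80: "http"}

# Four Telnet data segments from port 23 to 1371, then an empty ACK back.
QUOTED_CAPTURE: List[Segment] = [(23, 1371, 9)] * 4 + [(1371, 23, 0)]


def parse_decode_as(spec: str) -> Dict[int, str]:
    """Parse a '-d tcp.port==1234,http' argument into {1234: 'http'}."""
    selector, proto = spec.split(",", 1)
    table, _, value = selector.partition("==")
    if table != "tcp.port" or not value.isdigit():
        raise ValueError(f"unsupported decode-as selector: {selector!r}")
    return {int(value): proto}


def select_dissector(seg: Segment, decode_as: Dict[int, str]) -> str:
    """Pick the subdissector for one segment.

    An empty segment (pure ACK) is shown as plain TCP; otherwise a -d
    override on either port wins, then the lower-numbered port is looked
    up first in the default table (a simplification of Wireshark's order).
    """
    sport, dport, length = seg
    if length == 0:
        return "tcp"
    ports = sorted((sport, dport))
    for table in (decode_as, DEFAULT_PORTS):
        for port in ports:
            if port in table:
                return table[port]
    return "tcp"  # no registered dissector: stays undecoded TCP payload


def dissect_all(segs: List[Segment], decode_as: Dict[int, str]) -> List[str]:
    """The -d option changes decoding only; every segment is still shown."""
    return [select_dissector(s, decode_as) for s in segs]


def capture_filter_tcp_port(segs: List[Segment], port: int) -> List[Segment]:
    """Model of the BPF capture filter 'tcp port N': keep a segment only
    if N is its source or destination port."""
    return [s for s in segs if port in s[:2]]
```

Running `dissect_all(QUOTED_CAPTURE, parse_decode_as("tcp.port==1234,http"))` reproduces the quoted output (four Telnet segments and one plain TCP ACK), while `capture_filter_tcp_port(QUOTED_CAPTURE, 1234)` is empty, which is the point of the capture filter.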