stan wrote:
Now, I really ought to learn something from this exercise. What does the
proto keyword mean, and where can I look up values for it?
See the tcpdump man page, if you're running on a UN*X system - or, if
"man tcpdump" at the command line doesn't work, see
http://www.tcpdump.org/tcpdump_man.html
On Windows, see the WinDump man page:
http://www.winpcap.org/windump/docs/manual.htm
(the main differences that will matter here are differences due to
additional filtering capabilities being added to libpcap over time).
See the section that begins with

    expression
        selects which packets will be dumped. If no expression is given,
        all packets on the net will be dumped. Otherwise, only packets for which
        expression is `true' will be dumped.

That section describes the filter expressions supported by libpcap - and
thus by applications that use it for filtering, such as tcpdump/WinDump
and Wireshark/TShark.
"proto" refers to a variety of protocol type fields; in this case, it's
referring to the IP protocol field. On UN*X systems, at least, you'll
probably find a file "/etc/protocols" on your system, which has a list
of protocol names and numbers; the names can be used instead of the
numbers, e.g.:

    $ egrep ospf /etc/protocols
    ospf    89      OSPFIGP         # Open Shortest Path First IGP

which means "proto ospf" would be equivalent to "proto 89".
The *full* list of protocols can be found at
http://www.iana.org/assignments/protocol-numbers
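As an added worked example (not part of the thread above, and not tcpdump's or libpcap's own code), the following POSIX shell script shows what the "/etc/protocols" lookup described in the reply amounts to: it parses a constructed table in /etc/protocols format, resolves a protocol name or alias to its number, and rewrites a filter expression so that "proto ospf" and "proto 89" can be compared as equal text. The table contents are a constructed sample, not a copy of any real system file, and the function names are my own.

```shell
#!/bin/sh
# Added example: resolve IP protocol names to numbers the way a "proto NAME"
# filter relies on /etc/protocols. The table below is a constructed sample in
# /etc/protocols format (name, number, alias, optional "# comment").
PROTOCOLS_TABLE='
# Internet (IP) protocols -- constructed sample, not a real system file
ip      0       IP              # internet protocol, pseudo protocol number
icmp    1       ICMP            # internet control message protocol
tcp     6       TCP             # transmission control protocol
udp     17      UDP             # user datagram protocol
gre     47      GRE             # General Routing Encapsulation
esp     50      IPSEC-ESP       # Encap Security Payload
ospf    89      OSPFIGP         # Open Shortest Path First IGP
sctp    132     SCTP            # Stream Control Transmission Protocol
'

# proto_number NAME: print the protocol number for NAME, matching the first
# column or the alias column case-insensitively; return 1 if NAME is unknown
# (including when NAME is already a number, which needs no translation).
proto_number() {
    want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    while read -r name number alias rest; do
        case $name in ''|\#*) continue ;; esac   # skip blank and comment lines
        case $alias in \#*) alias= ;; esac       # "name number # comment": no alias
        lname=$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')
        lalias=$(printf '%s' "$alias" | tr '[:upper:]' '[:lower:]')
        if [ "$lname" = "$want" ] || { [ -n "$alias" ] && [ "$lalias" = "$want" ]; }; then
            printf '%s\n' "$number"
            return 0
        fi
    done <<EOF
$PROTOCOLS_TABLE
EOF
    return 1
}

# normalize_proto_filter EXPR: print EXPR with every "proto NAME" rewritten as
# "proto NUMBER", so "ip proto ospf" and "ip proto 89" compare equal.
# Tokens that are not protocol names (numbers, ports, keywords) are left alone.
normalize_proto_filter() {
    out=""
    prev=""
    for tok in $1; do
        if [ "$prev" = "proto" ] && n=$(proto_number "$tok"); then
            tok=$n
        fi
        out="$out${out:+ }$tok"
        prev=$tok
    done
    printf '%s\n' "$out"
}

# Demonstration, mirroring the egrep lookup from the reply above.
echo "proto ospf -> proto $(proto_number ospf)"
normalize_proto_filter 'ip proto ospf and not ip proto 6'
```

Running the script prints "proto ospf -> proto 89" followed by the rewritten filter "ip proto 89 and not ip proto 6". The same idea carries over to a real system: replace the embedded table with the contents of /etc/protocols, and keep in mind that names missing from that file (libpcap also knows a few names of its own, such as "tcp", "udp" and "icmp") will not resolve through it.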