Jeremy Chadwick wrote on 24.10.2012 18:51 (localtime):
> ...
> # tcpdump -p -i em0 -l -n -s 0 -xx "icmp and dst host 4.2.2.1"
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on em0, link-type EN10MB (Ethernet), capture size 65535 bytes
> 09:45:22.725137 IP 192.168.1.51 > 4.2.2.1: ICMP echo request, id 6417, seq 0,
> length 64
>         0x0000:  e0cb 4ec0 00c4 0030 48d2 22d0

Have you ever seen "e0:cb:4e:c0:00:c4" and "00:30:48:d2:22:d0"?
These are your MAC addresses, which -xx shows.

...
> And compare this to what you're seeing (look closely at the 2nd line):
>
> 16:03:08.963292 IP 10.5.49.126 > 10.5.49.65: ICMP echo request, id 30477, seq
> 0, length 4076
> 16:03:09.968454 IP 10.5.49.126 > 10.5.49.65: icmp

Of course, I saw that. That's why I claim the 2nd outgoing request to be malformed ;-)

> ...
>
> This is why I said I want to see output from -xx and not -x. What I
> want to see is the *full packet contents* (IP header, ICMP header, and
> any ICMP payload).

-x gives everything above link-layer, so IP and ICMP are in my last dump.

Thanks,

-Harry
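
Added example, not part of the original messages: a small Python decoder showing what separates the two dump modes discussed in this thread, namely that `-xx` output begins with the 14-byte Ethernet header (the two MAC addresses) while `-x` output begins at the IP header. The sample dump is constructed: only its first 12 bytes appear in the thread, and the function names are chosen for this illustration.

```python
import socket
import struct

# Constructed sample in `tcpdump -xx` layout. Only the first 12 bytes (the two
# MAC addresses) come from the thread; the IPv4/ICMP bytes are built from the
# decoded summary line, checksums are zeroed, and the ICMP payload is omitted.
SAMPLE_XX = """\
        0x0000:  e0cb 4ec0 00c4 0030 48d2 22d0 0800 4500
        0x0010:  0054 0000 0000 4001 0000 c0a8 0133 0402
        0x0020:  0201 0800 0000 1911 0000
"""

def parse_hexdump(text):
    """Turn tcpdump hex lines ("0xNNNN:  hhhh hhhh ...") into raw bytes."""
    data = bytearray()
    for line in text.splitlines():
        offset, sep, hexpart = line.strip().partition(":")
        if sep and offset.startswith("0x"):
            data += bytes.fromhex("".join(hexpart.split()))
    return bytes(data)

def decode(frame, has_link_header):
    """Decode a capture; has_link_header=True for -xx, False for -x."""
    out = {}
    if has_link_header:  # -xx: 14-byte Ethernet header precedes the IP header
        if len(frame) < 14:
            raise ValueError("short Ethernet header")
        out["dst_mac"] = frame[0:6].hex(":")
        out["src_mac"] = frame[6:12].hex(":")
        out["ethertype"] = struct.unpack("!H", frame[12:14])[0]
        frame = frame[14:]
        if out["ethertype"] != 0x0800:  # not IPv4, stop after the link layer
            return out
    ihl = (frame[0] & 0x0F) * 4 if frame else 0
    if len(frame) < 20 or frame[0] >> 4 != 4 or ihl < 20:
        raise ValueError("not an IPv4 header")
    total_len = struct.unpack("!H", frame[2:4])[0]
    out["src_ip"] = socket.inet_ntoa(frame[12:16])
    out["dst_ip"] = socket.inet_ntoa(frame[16:20])
    out["proto"] = frame[9]
    # Bytes the IP header claims but the dump does not contain.
    out["missing_bytes"] = max(0, total_len - len(frame))
    icmp = frame[ihl:]
    if out["proto"] == 1 and len(icmp) >= 8:
        (out["icmp_type"], out["icmp_code"], _cksum,
         out["icmp_id"], out["icmp_seq"]) = struct.unpack("!BBHHH", icmp[:8])
    return out

if __name__ == "__main__":
    print(decode(parse_hexdump(SAMPLE_XX), has_link_header=True))
```

Passing `has_link_header=False` decodes a `-x` style dump, which carries the same IP and ICMP fields but no MAC addresses.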