  1. #1

    Questions about tcpdump

    I'm a newbie to the packet-sniffing tool tcpdump. I've installed tcpdump v3.9.8 on my machine and let it listen on an interface called \Device\PssdkLoopback. It dumps all the packet information it sniffs from that interface; however, I have the following questions:

    1) The filter option "host <hostname>" does not seem to work. I mean, the DNS name of my machine is (which is shown when I run tcpdump without the host option), but when I run the command "tcpdump host", it does not dump any packets.

    2) With the -e option (Ethernet), it shows incoming frames to the MAC address 4c:4f:43:41:4c:20, whereas the MAC address of the Ethernet LAN adapter of my machine, as shown by the command "ipconfig -all", is 00-13-72-78-C5-12. Could you please explain the reason for this apparent discrepancy?

    Can anyone shed some light?

  2. #2
    The option host <hostname> works if you have an A record for the host.
    Running without the host option, you will see the PTR record for the host.

  3. #3
    Hi Diel,
    Thanks for your reply.
    If the host <hostname> option works only for packets containing the A record, do you mean it will work only for the packets returned from the DNS name servers, which reply with the IP address when queried with a hostname? But then, in most cases, the IP addresses corresponding to the most common hostnames/URLs are already cached in the local name servers, so we won't find any packets with A records, right?

    In fact, I saw "tcpdump host" giving results when (the DNS server) is queried, and the reply is an A record.

    But then what about other packets, the ones that are not received from the DNS servers but from regular web servers? Is there a way to filter them?


  5. #4
    Hi Bibudh,
    The <host> option doesn't work only for packets containing an A record.
    tcpdump uses the A record to resolve the IP address of the host, and then listens for all packets that contain that IP address, if you don't use any other filters.
    If you run tcpdump without the host option, the program resolves the PTR record from DNS for the IP addresses you capture.

    Here is an example:

    router:~# host -t A has address has address
    router:~# host -t PTR domain name pointer
    router:~# host -t PTR domain name pointer
    In fact, if you run "tcpdump host" and open Yahoo! in a console, you will see the response from

    You can filter any packets with tcpdump:

    www traffic with - tcpdump host and port 80
    www traffic incoming from - tcpdump src host and src port 80
    ssh traffic - tcpdump port 22
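The behaviour described in the answer above (the host name is resolved to its A records when the filter is compiled, and every resulting address is matched in either direction unless src/dst is given), modelled as an added Python example that is not part of this thread. The A-record table, host names and packets are constructed stand-ins; it does not call tcpdump or a real resolver.

```python
"""Model of tcpdump's 'host', 'src host', 'port' primitives (added example)."""
from dataclasses import dataclass
from typing import Callable, List

# Constructed stand-in for the DNS resolver: hostname -> A records.
# A name with several A records yields several addresses, all OR'd together.
A_RECORDS = {
    "www.example.test": ["192.0.2.10", "192.0.2.11"],
    "dns.example.test": ["192.0.2.53"],
}

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

Pred = Callable[[Packet], bool]

def resolve(name: str) -> List[str]:
    """Resolution happens once, when the filter is compiled, not per packet."""
    if name not in A_RECORDS:
        raise ValueError(f"no A record for {name}: filter cannot be compiled")
    return A_RECORDS[name]

def host(name: str, direction: str = "") -> Pred:
    """'host N' matches src or dst; 'src host N' / 'dst host N' match one side."""
    addrs = set(resolve(name))
    def pred(p: Packet) -> bool:
        if direction == "src":
            return p.src in addrs
        if direction == "dst":
            return p.dst in addrs
        return p.src in addrs or p.dst in addrs
    return pred

def port(num: int, direction: str = "") -> Pred:
    """'port N' matches either port; 'src port' / 'dst port' match one side."""
    def pred(p: Packet) -> bool:
        if direction == "src":
            return p.sport == num
        if direction == "dst":
            return p.dport == num
        return p.sport == num or p.dport == num
    return pred

def both(*preds: Pred) -> Pred:
    """The 'and' operator between primitives."""
    return lambda p: all(f(p) for f in preds)

def apply(filt: Pred, packets: List[Packet]) -> List[Packet]:
    return [p for p in packets if filt(p)]
```

Because `host` is resolved at compile time, a hostname whose A records have changed since the capture started will silently match the wrong addresses; `tcpdump -n` with literal IPs avoids both that and the PTR lookups mentioned above.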

