Problem parsing tcpdump tcp[13] output


I wrote a little script to log the network traffic on a firewall and I
used the tcpdump command.
The script works very well when the command is a classic tcpdump one
like "tcpdump -vvni eth0 host and port 21" but as soon as
I use this command "tcpdump -vvni eth0 tcp[13] == 18" to log only SYN
ACK packets it doesn't work.

Here is the beginning of my script:


# Original script, with the missing semicolons, braces and variable
# declarations supplied so that it runs; the filter string is unchanged.
my $command = 'tcpdump -vvni eth0 tcp[13] == 18';
# Run tcpdump through the shell and read its stdout through PIPE.
my $pid = open(PIPE, "$command |") or die "Error: $!\n";
(kill 0, $pid) or die "tcpdump failed\n";
while (defined(my $line = <PIPE>)) {
    print $line;
}

It doesn't print anything although tcpdump captured packets.
If I set the $command to 'tcpdump -vvni eth0', it works fine.
I supposed that the problem comes from the [] that I use in the

Could anyone help me with that?


Re: Problem parsing tcpdump tcp[13] output (Romain) writes:

> $command = 'tcpdump -vvni eth0 tcp[13] == 18'

There are a couple of things wrong here (aside from the fact that
the code you posted doesn't run, as Tad already pointed out).  You
can discover one problem by executing "touch tcp1" and then running
the script without changing directories.  That you haven't already
hit this bug is luck.

You can find the second problem by running the tcpdump command from
the shell prompt and making a connection that tcpdump should show,
then running the same test again but piping tcpdump's output into cat.
If you see a difference in behavior then read the tcpdump manual
page and look for a solution.

Michael Fuhr /
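The two fixes Michael's hints point at, written out as an added example (not code from either poster): hand the arguments to tcpdump directly with the list form of open(), so no shell ever sees "tcp[13]" and cannot glob-expand it against a file named tcp1 or tcp3, and pass tcpdump's -l flag so it line-buffers stdout when writing to a pipe instead of block-buffering it. It assumes tcpdump is installed and the script runs with capture privileges on eth0.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example, not the original poster's script.
# Assumes tcpdump is installed and we may capture on eth0.
#
# Fix 1: with the list form of open(), Perl execs tcpdump directly and
# no shell gets a chance to expand 'tcp[13]' as a filename glob.
# (If the string form is kept instead, quoting the filter, as in
# "tcpdump -vvni eth0 'tcp[13] == 18' |", also prevents the expansion.)
# Fix 2: -l makes tcpdump line-buffer stdout, so each matching SYN/ACK
# line reaches the pipe immediately rather than when a buffer fills.
my @command = ('tcpdump', '-l', '-vvni', 'eth0', 'tcp[13] == 18');

my $pid = open(my $pipe, '-|', @command)
    or die "Cannot run tcpdump: $!\n";

# Unbuffer our own stdout as well, in case this script is itself piped.
$| = 1;

while (defined(my $line = <$pipe>)) {
    print $line;
}

# close() waits for tcpdump; a non-zero exit (e.g. bad filter syntax
# or missing capture privileges) is reported here instead of silently lost.
close($pipe) or die "tcpdump exited with status " . ($? >> 8) . "\n";
```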
