
Can anybody tell me what kind of error I have in this? It isn't reading any packets when I run it.

nohup sudo tcpdump -i any host 10.0.1.107 and port 5060 and port 6060 -G 010 -W 015 -w capture_%Y-%m-%d_%H:%M:%S.pcap -z gzip </dev/null >nohup.out 2>&1 &

Thanks

Matt

2 Answers


The error is here:

and port 5060 and port 6060

If port is 5060, port cannot be 6060, and vice versa, so the condition you entered will always be false. You probably want to use or instead.

nKn
  • Thanks, sorry I'm new to this. So then should this work? nohup sudo tcpdump -i any -n host 10.0.1.107 and (port 5060 or port 6060) -G 010 -W 015 -w capture_%Y-%m-%d_%H:%M:%S.pcap -z gzip </dev/null >nohup.out 2>&1 & – Matt May 24 '16 at 19:21
  • You will probably find some issues using bare parentheses in bash; you will probably want to wrap the expression in single quotes: tcpdump ... '... (port 5060 or port 6060) ...' – nKn May 24 '16 at 19:23
  • No, port 5060 and port 6060 can be true - but only for packets going to port 6060 from port 5060 or going to port 5060 from port 6060. – May 24 '16 at 23:48

port 5060 and port 6060 is true only if one of the ports in the packet is 5060 and the other port is 6060, so it won't capture all packets to or from port 5060 or all packets to or from port 6060.

If you want all packets from or to port 5060 or from or to port 6060, you want port 5060 or port 6060, i.e. host 10.0.1.107 and (port 5060 or port 6060), in quotes.
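To make the difference between the two filters concrete, here is an added example (not part of either answer) that models the filter semantics in Python: `host X` is true when X is the source or destination address, `port N` when N is the source or destination port, and `and`/`or` combine those predicates exactly as tcpdump does. The `Packet` records are constructed sample traffic around 10.0.1.107, and the evaluator is a simplified model, not libpcap's compiler. It also shows the quoting point from the comments: `shlex.quote` single-quotes the whole expression so bash does not interpret the parentheses.

```python
"""Model of 'port A and port B' versus 'port A or port B' in a tcpdump filter.

Added example: the packets below are constructed, and the predicate
functions are a simplified model of BPF filter semantics.
"""
import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def host(addr):
    # 'host X' matches when X is either the source or the destination address
    return lambda p: addr in (p.src_ip, p.dst_ip)


def port(n):
    # 'port N' matches when N is either the source or the destination port
    return lambda p: n in (p.src_port, p.dst_port)


def both(*preds):
    # 'A and B': every sub-expression must be true for the same packet
    return lambda p: all(f(p) for f in preds)


def either(*preds):
    # 'A or B': at least one sub-expression must be true
    return lambda p: any(f(p) for f in preds)


# Constructed traffic around the host named in the question (10.0.1.107).
SAMPLE = [
    Packet("10.0.1.107", 5060, "10.0.1.1", 5060),   # SIP signalling, both ends on 5060
    Packet("10.0.1.1", 5060, "10.0.1.107", 5060),   # reply in the other direction
    Packet("10.0.1.107", 6060, "10.0.1.1", 6060),   # second service, both ends on 6060
    Packet("10.0.1.107", 5060, "10.0.1.1", 6060),   # 5060 -> 6060: the only case 'and' accepts
    Packet("10.0.1.50", 5060, "10.0.1.1", 5060),    # different host, must be excluded
    Packet("10.0.1.107", 40000, "10.0.1.1", 443),   # unrelated traffic, must be excluded
]

# The filter exactly as written in the question's command.
ORIGINAL = both(host("10.0.1.107"), port(5060), port(6060))

# The filter the answers recommend.
CORRECTED = both(host("10.0.1.107"), either(port(5060), port(6060)))

FILTER_TEXT = "host 10.0.1.107 and (port 5060 or port 6060)"


def captured(filter_fn, packets=SAMPLE):
    """Return the packets the given filter would let tcpdump write out."""
    return [p for p in packets if filter_fn(p)]


def shell_command(filter_expr):
    """Build the tcpdump invocation with the filter protected from the shell.

    Parentheses are shell syntax when left bare; shlex.quote wraps the whole
    expression in single quotes so bash hands it to tcpdump verbatim.
    """
    return "tcpdump -i any -n " + shlex.quote(filter_expr)


if __name__ == "__main__":
    for name, f in (("original (and)", ORIGINAL), ("corrected (or)", CORRECTED)):
        hits = captured(f)
        print(f"{name}: {len(hits)} packet(s)")
        for p in hits:
            print(f"   {p.src_ip}:{p.src_port} -> {p.dst_ip}:{p.dst_port}")
    print(shell_command(FILTER_TEXT))
```

Running it shows the original filter keeping only the single 5060-to-6060 packet, while the corrected filter keeps all four packets that involve 10.0.1.107 on either port and still drops the other host's traffic.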