The first 16 bits in a TCP header (RFC 793) are for the source port, right? The next 16 are for the destination port. When I run tcpdump -xx I can recognise MAC addresses of boxes on my system. Does this mean that the "ports" are MAC addresses?
No, they aren't.
Regardless of its name, tcpdump captures packets at the lowest possible level – it doesn't limit itself to just TCP.
When you use -xx, tcpdump outputs the link layer header of all packets, so the first 4 bytes of the output aren't TCP – they are part of the Ethernet frame.
Even with plain -x, tcpdump would print the IP header before TCP/UDP.
If you want to see the packet structure, use Wireshark instead – it will display every packet as a tree, and highlight the specific bytes for every value.
u1686_grawity
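As an added example (not part of the answer, and not tcpdump's own code), the following Python walks a constructed frame laid out the way tcpdump -xx prints it: Ethernet header first, then IPv4, then TCP. It shows that the bytes at offset 0 belong to the destination MAC, and that the TCP ports only begin after the link-layer and IP headers.

```python
import struct

# Constructed sample frame (not a capture from the question's host), byte-for-byte
# in the order tcpdump -xx prints it: Ethernet II header, IPv4 header, TCP header.
FRAME_HEX = (
    "00 11 22 33 44 55 66 77 88 99 aa bb 08 00"                    # Ethernet: dst MAC, src MAC, type 0x0800
    "45 00 00 28 1c 46 40 00 40 06 00 00 c0 a8 00 68 c6 33 64 22"  # IPv4: IHL=5, proto 6 (TCP)
    "d6 8a 00 50 00 00 00 01 00 00 00 00 50 02 20 00 00 00 00 00"  # TCP: sport 54922, dport 80, SYN
)


def parse_frame(hex_dump):
    """Return the header boundaries and field values found in a tcpdump -xx style dump."""
    raw = bytes.fromhex(hex_dump.replace(" ", ""))
    dst, src, ethertype = struct.unpack("!6s6sH", raw[:14])
    result = {
        "eth_dst": ":".join(f"{b:02x}" for b in dst),
        "eth_src": ":".join(f"{b:02x}" for b in src),
        # What you get if you read offset 0 as a TCP source port: half a MAC address.
        "first_two_bytes_as_port": struct.unpack("!H", raw[:2])[0],
    }
    ip_offset = 14
    if ethertype == 0x8100:  # 802.1Q VLAN tag: 2 bytes TCI, then the real ethertype
        ethertype = struct.unpack("!H", raw[16:18])[0]
        ip_offset = 18
    result["ethertype"] = ethertype
    result["ip_offset"] = ip_offset
    if ethertype != 0x0800:  # not IPv4; nothing further to decode here
        return result
    ihl = (raw[ip_offset] & 0x0F) * 4  # IHL is in 32-bit words
    result["ip_proto"] = raw[ip_offset + 9]
    result["tcp_offset"] = ip_offset + ihl
    if result["ip_proto"] == 6:
        sport, dport = struct.unpack("!HH", raw[ip_offset + ihl:ip_offset + ihl + 4])
        result["tcp_sport"], result["tcp_dport"] = sport, dport
    return result


if __name__ == "__main__":
    for key, value in parse_frame(FRAME_HEX).items():
        print(f"{key}: {value}")
```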
What is -xx doing? I only see -x and -X in the man page for tcpdump. The only switches I see that support multiple copies are v, t, n, and d. – Scott Chamberlain Oct 31 '12 at 17:16
What version of tcpdump are you using? 4.3.0 has -xx. – u1686_grawity Oct 31 '12 at 17:19
Great! So it looks like I was using the wrong options and was getting the link layer included. – jayeola Oct 31 '12 at 17:24