[hipl-users] Re: Re : Re: tcpdump hip

  • From: Samu Varjonen <samu.varjonen@xxxxxxxxxxx>
  • To: hipl-users@xxxxxxxxxxxxx
  • Date: Thu, 03 Jul 2008 00:24:34 +0300

Hi,

Sorry, I did not notice that the first ESP has to be printed. Someone correct me if I make a mistake in the following.

Tcpdump filtering is done on a per-packet basis, without knowledge of what has been seen and what comes next. With some scripting one can filter out extra ESPs from dump files, but in live capture with tcpdump this is not possible (? not 100%).

Personally, I might try to write a small C program using pcap to implement more complex filtering possibilities, like: print every packet with proto 139, add R2's address to a list of ESP packets to follow, and when one is seen remove the address from the list.

BR
SAMU

PS: Feel free to correct this, it's just a gut feeling so it might be a little off :)
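
The stateful filter sketched in this message, as an added example that is not part of the original post and is not HIPL code: it takes raw IPv4 packets as a pcap callback would hand them over once the link-layer header is stripped, and leaves out the capture loop, IPv6 and the UDP encapsulation on port 50500. Matching the ESP against both addresses of the R2 in either direction, and the HIP packet type value 4 for R2 (RFC 5201), are assumptions beyond what the post states.

```c
/* Added example, not from the original post. Assumption: the first ESP may
 * travel in either direction between the two addresses seen on the R2. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { PROTO_ESP = 50, PROTO_HIP = 139, HIP_R2 = 4, MAX_PEND = 64 };
static uint8_t pend[MAX_PEND][8];  /* src+dst of each R2 still awaiting an ESP */
static size_t npend;

/* Index of the pending pair matching s/d in either direction, or -1. */
static int find_pair(const uint8_t *s, const uint8_t *d)
{
    for (size_t i = 0; i < npend; i++)
        if ((!memcmp(pend[i], s, 4) && !memcmp(pend[i] + 4, d, 4)) ||
            (!memcmp(pend[i], d, 4) && !memcmp(pend[i] + 4, s, 4)))
            return (int)i;
    return -1;
}

/* Returns 1 if this raw IPv4 packet should be printed, 0 if suppressed. */
int hip_filter(const uint8_t *ip, size_t len)
{
    if (len < 20 || (ip[0] >> 4) != 4) return 0;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > len) return 0;
    if (ip[9] == PROTO_HIP) {
        /* HIP header byte 2 carries the packet type in its low 7 bits. */
        if (len >= ihl + 3 && (ip[ihl + 2] & 0x7f) == HIP_R2 &&
            find_pair(ip + 12, ip + 16) < 0 && npend < MAX_PEND)
            memcpy(pend[npend++], ip + 12, 8);  /* remember R2's addresses */
        return 1;                               /* print every proto 139 */
    }
    if (ip[9] != PROTO_ESP) return 0;
    int i = find_pair(ip + 12, ip + 16);
    if (i < 0) return 0;                        /* no R2 pending: suppress */
    memmove(pend[i], pend[--npend], 8);         /* first ESP seen: unfollow */
    return 1;
}

int main(void)
{
    /* Constructed packets: R2 10.0.0.1 -> 10.0.0.2, ESP in the reverse direction. */
    uint8_t r2[60]  = {0x45,0,0,60,0,0,0,0,64,139,0,0, 10,0,0,1, 10,0,0,2, 59,4,4,0x11};
    uint8_t esp[40] = {0x45,0,0,40,0,0,0,0,64,50,0,0, 10,0,0,2, 10,0,0,1};
    int a = hip_filter(r2, sizeof r2);
    int b = hip_filter(esp, sizeof esp), c = hip_filter(esp, sizeof esp);
    printf("R2 %d, first ESP %d, later ESP %d\n", a, b, c);
    return 0;
}
```

As in the sketch, every proto 139 packet is printed, so CLOSE packets still appear; only the ESP stream is reduced to its first packet per R2.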

Jack Alphonse wrote:
Hi,

Thanks but with this I can't show the first ESP packet. And as I said, I want to show just the first one.
So still the problem exists.

--- On *Wed 2.7.08, Samu Varjonen /<samu.varjonen@xxxxxxxxxxx>/* wrote:

    From: Samu Varjonen <samu.varjonen@xxxxxxxxxxx>
    Subject: [hipl-users] Re: tcpdump hip
    To: hipl-users@xxxxxxxxxxxxx
    Date: Wednesday 2 July 2008, 16:54

    Hi,

    sudo tcpdump -i any -n proto 139 or port 50500

    This dumps HIP control messages and UDP-encapsulated HIP control packets coming to port 50500.

    Jack Alphonse wrote:
    > Hello friends,
    >
    > I need some help please..
    > I want to use TCPdump with HIP but wanna just show the I1,I2,R1,R2 and
    > first package ESP of an association; I mean whenever a HIP association
    > is established, I wanna show only those packets, because there are too
    > many other ESP packets that appear and the CLOSE packets.
    >
    > Any idea please?
    > thanks in advance


    --
    BR,
    Samu

    "Programmer is an organism that changes caffeine into code"




--
BR,
Samu

"Programmer is an organism that changes caffeine into code"
