On Wed, 23 Feb 2005, Jesse Guardiani wrote:
tcpdump 'not ( host shannon and port 22 ) and not host 192.168.1.193 and not port syslog and not port domain and not snmp and not port 3632'
And here's the only thing I could find that looked relevant:
04:22:30.959889 IP 192.168.10.2.2048 > 192.168.10.1.2048: UDP, length: 120
04:22:30.961323 IP 192.168.10.1.2048 > 192.168.10.2.2048: UDP, length: 140
04:22:32.791481 IP 192.168.10.1 > 192.168.10.2: gre-proto-0x883e
04:22:35.790420 IP 192.168.10.1 > 192.168.10.2: gre-proto-0x883e
04:22:40.954870 IP 192.168.10.2.2048 > 192.168.10.1.2048: UDP, length: 120
04:22:40.956378 IP 192.168.10.1.2048 > 192.168.10.2.2048: UDP, length: 140
04:22:41.790316 IP 192.168.10.1 > 192.168.10.2: gre-proto-0x883e
04:22:51.932636 IP 192.168.10.2.2048 > 192.168.10.1.2048: UDP, length: 120
04:22:51.934544 IP 192.168.10.1.2048 > 192.168.10.2.2048: UDP, length: 140
192.168.10.1 is my Cisco router's LAN address. Does the above mean anything to anyone?
Yes.
The UDP packets are the WCCP control channel.
The gre 0x883e packets are the WCCP redirected packets.
You may need "-i any" argument to tcpdump to see the complete picture however.
Regards,
Henrik
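
The classification given in the reply above, as an added example that is not part of the original thread: a small Python parser that labels tcpdump text lines as WCCP control (UDP port 2048) or WCCP redirect (GRE protocol type 0x883e) and counts them per direction. It assumes numeric tcpdump output in the format of the quoted capture; the function names are hypothetical.

```python
import re
from collections import Counter

# Lines copied from the capture quoted in the message above.
SAMPLE = """\
04:22:30.959889 IP 192.168.10.2.2048 > 192.168.10.1.2048: UDP, length: 120
04:22:30.961323 IP 192.168.10.1.2048 > 192.168.10.2.2048: UDP, length: 140
04:22:32.791481 IP 192.168.10.1 > 192.168.10.2: gre-proto-0x883e
04:22:35.790420 IP 192.168.10.1 > 192.168.10.2: gre-proto-0x883e
04:22:40.954870 IP 192.168.10.2.2048 > 192.168.10.1.2048: UDP, length: 120
04:22:40.956378 IP 192.168.10.1.2048 > 192.168.10.2.2048: UDP, length: 140
04:22:41.790316 IP 192.168.10.1 > 192.168.10.2: gre-proto-0x883e
04:22:51.932636 IP 192.168.10.2.2048 > 192.168.10.1.2048: UDP, length: 120
04:22:51.934544 IP 192.168.10.1.2048 > 192.168.10.2.2048: UDP, length: 140
"""

WCCP_PORT = "2048"   # UDP port of the WCCP control channel
WCCP_GRE = 0x883E    # GRE protocol type carrying redirected packets

LINE = re.compile(r"^\S+ IP (\S+) > (\S+): (.*)$")
GRE = re.compile(r"gre-proto-0x([0-9a-fA-F]+)")

def split_endpoint(ep):
    """Split tcpdump's 'a.b.c.d.port' into (ip, port); port is None for a bare IP."""
    parts = ep.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), parts[4]
    return ep, None

def classify(line):
    """Return (kind, src_ip, dst_ip) or None if the line is not an IP packet line."""
    m = LINE.match(line.strip())
    if not m:
        return None
    (src, sport), (dst, dport) = split_endpoint(m.group(1)), split_endpoint(m.group(2))
    rest = m.group(3)
    g = GRE.search(rest)
    if g and int(g.group(1), 16) == WCCP_GRE:
        return ("redirect", src, dst)
    if rest.startswith("UDP") and WCCP_PORT in (sport, dport):
        return ("control", src, dst)
    return ("other", src, dst)

def summarize(text):
    """Count packets per (kind, src, dst) so missing directions stand out."""
    return Counter(c for c in map(classify, text.splitlines()) if c)

if __name__ == "__main__":
    for (kind, src, dst), n in sorted(summarize(SAMPLE).items()):
        print(f"{kind:8s} {src} -> {dst}: {n}")
```

On the quoted capture this shows control packets in both directions but redirect packets only from 192.168.10.1 to 192.168.10.2.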