Understanding Tcpdump's -d Option
Have you ever used Tcpdump 's -d option? The man page says: -d Dump the compiled packet-matching code in a human readable form to standard output and stop. I've never used that option before, but I just saw a Tcpdump developer use it to confirm a Berkeley packet filter in this thread . The user in the thread is trying to see TCP or UDP packets with a source address of "centernet.jhuccp.org" (162.129.225.192). First he specifies an incorrect BPF filter, which the developer then corrects . This is mildly interesting, but the useful information on the -d option appears in this post . Tcpdump developer Guy Harris interprets output from the -d option: > www:~# tcpdump -d src host centernet.jhuccp.org and \( ip proto \\tcp > or \\udp \) > (000) ldh [12] > (001) jeq #0x800 jt 2 jf 8 > (002) ld [26] > (003) jeq #0xa281e1c0 jt 4 jf 8 > (004) ldb [23] > (005) jeq #0x6 jt 7 ...