Bjorn Townsend wrote:
I'm pretty sure that Ethereal will assume TCP unless otherwise
specified, so you need to instead use "host 192.168.4.1 and udp port
53" as your capture rule.
No - to quote the tcpdump man page:
dst port port
True if the packet is ip/tcp, ip/udp, ip6/tcp or ip6/udp
and has a destination port value of port. The port can
be a number or a name used in /etc/services (see tcp(4P)
and udp(4P)). If a name is used, both the port number
and protocol are checked. If a number or ambiguous name
is used, only the port number is checked (e.g., dst port
513 will print both tcp/login traffic and udp/who traf-
fic, and port domain will print both tcp/domain and
udp/domain traffic).
src port port
True if the packet has a source port value of port.
port port
True if either the source or destination port of the
packet is port. Any of the above port expressions can be
prepended with the keywords, tcp or udp, as in:
tcp src port port
which matches only tcp packets whose source port is port.
"port XXX" matches TCP or UDP port XXX; you have to qualify it with
"tcp" or "udp" to match only the TCP port or only the UDP port.
