I have identified a problem trying to use tcpdump.
The following command works just fine under redhat 5.x, Solaris, IRIX,
etc. but fails under several different installations of redhat 6.0. I
haven't yet had a chance to replicate it under redhat 6.1.
>tcpdump '(icmp == 8 ) or (port sunrpc)'
tcpdump: unknown port 'sunrpc'
I compiled the same version of tcpdump source under both releases of
redhat, and the redhat 5.x version even runs under 6.0, but I get the
same error as above.

There appears to be a getservbyname call that has been taken out, probably
to speed up tcpdump performance.
Meanwhile try putting the port number in numerically (use "111" instead of
"sunrpc"). I suspect that will work ...

Your command works in tcpdump-3.4-17 from Raw Hide. If it still doesn't
work for you, check your /etc/nsswitch.conf setup.
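
An added example, not part of the original thread: one way to carry out the /etc/nsswitch.conf check suggested in the last reply, by reading the `services:` line and looking the name up in /etc/services format. The sample file contents and the function names are constructed for illustration; point the functions at the real files on the affected host.

```python
import re
import socket

# Constructed sample files (not from the thread): the services line omits
# "files", although the /etc/services excerpt does define sunrpc.
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf (constructed)
passwd:     files nis
services:   nisplus
"""
SAMPLE_SERVICES = """\
# /etc/services (constructed)
echo        7/tcp
sunrpc      111/tcp    portmapper rpcbind   # RPC portmapper
sunrpc      111/udp    portmapper rpcbind
"""

def services_sources(nsswitch_text):
    """Return the lookup sources on the 'services:' line, in order."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.lower().startswith("services:"):
            rest = re.sub(r"\[[^\]]*\]", " ", line.split(":", 1)[1])  # drop [NOTFOUND=return] etc.
            return rest.split()
    return []  # no services line present

def lookup_service(services_text, name, proto):
    """Find name (or an alias) for proto in /etc/services text; port or None."""
    for line in services_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port, _, entry_proto = fields[1].partition("/")
        if entry_proto == proto and name in [fields[0]] + fields[2:]:
            return int(port)
    return None

def diagnose(nsswitch_text, services_text, name="sunrpc"):
    """Summarise whether a by-name lookup can reach the /etc/services entry."""
    sources = services_sources(nsswitch_text)
    ports = {p: lookup_service(services_text, name, p) for p in ("tcp", "udp")}
    return {"sources": sources, "files_listed": "files" in sources, "ports": ports}

if __name__ == "__main__":
    print(diagnose(SAMPLE_NSSWITCH, SAMPLE_SERVICES))
    try:  # live lookup on the local host, through the C library resolver
        print("getservbyname:", socket.getservbyname("sunrpc", "tcp"))
    except OSError as exc:
        print("getservbyname failed:", exc)
```

With the constructed input the entry exists in the services file but `files` is not among the configured sources, which is the kind of mismatch that makes a by-name port lookup fail while the numeric port still works.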