I have identified a problem trying to use tcpdump. The following command works just fine under redhat 5.x, Solaris, IRIX, etc. but fails under several different installations of redhat 6.0. I haven't yet had a chance to replicate it under redhat 6.1.

    >tcpdump '(icmp[0] == 8 ) or (port sunrpc)'
    tcpdump: unknown port 'sunrpc'

I compiled the same version of tcpdump source under both releases of redhat, and the redhat 5.x version even runs under 6.0, but I get the same error as above.
There appears to be a getservbyname call that has been taken out, probably to speed up tcpdump performance. Meanwhile try putting the port number in numerically (use "111" instead of "sunrpc"). I suspect that will work ...
Your command works in tcpdump-3.4-17 from Raw Hide. If it still doesn't work for you, check your /etc/nsswitch.conf setup.
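A way to carry out the nsswitch.conf check suggested in the thread, as an added example that is not part of any of the posts above. The function names and sample files are constructed for illustration, and the sketch models only the `files` source (other sources such as nis are not evaluated).

```shell
#!/bin/sh
# Print the sources on the "services:" line of an nsswitch.conf-style file.
services_sources() {
    awk '{ sub(/#.*/, ""); gsub(/\[[^]]*\]/, "") }   # drop comments and [ACTION] items
         $1 == "services:" { $1 = ""; sub(/^ +/, ""); print; ok = 1; exit }
         END { if (!ok) exit 1 }' "$1"
}

# Print the port for NAME/PROTO from a services(5)-style file; aliases count too.
lookup_port() {
    awk -v name="$1" -v proto="$2" '
        { sub(/#.*/, "") }
        NF >= 2 && split($2, pp, "/") == 2 && pp[2] == proto {
            for (i = 1; i <= NF; i++)
                if (i != 2 && $i == name) { print pp[1]; hit = 1; exit }
        }
        END { if (!hit) exit 1 }' "$3"
}

# diagnose NAME NSSWITCH_FILE SERVICES_FILE
# Reports why a name such as 'sunrpc' would or would not resolve via "files".
diagnose() {
    sources=$(services_sources "$2") || { echo "no-services-line"; return 0; }
    case " $sources " in
        *" files "*) ;;
        *) echo "files-not-consulted"; return 0 ;;
    esac
    for proto in tcp udp; do
        if port=$(lookup_port "$1" "$proto" "$3"); then
            echo "resolved $port/$proto"; return 0
        fi
    done
    echo "not-in-services-file"
}

# Constructed sample (not from the thread): "files" is missing from services:
demo=$(mktemp -d)
printf 'hosts: files dns\nservices: nis [NOTFOUND=return]\n' > "$demo/nsswitch.conf"
printf 'sunrpc\t111/tcp\tportmapper rpcbind\nsunrpc\t111/udp\tportmapper\n' > "$demo/services"
diagnose sunrpc "$demo/nsswitch.conf" "$demo/services"   # prints: files-not-consulted
rm -rf "$demo"
```

On a live system, pass /etc/nsswitch.conf and /etc/services as the second and third arguments to `diagnose`.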