tcpdump -n prints numerical IP addresses, but the name of the port. From man tcpdump: -n Don't convert addresses (i.e., host addresses, port numbers, etc.) to names. tcpdump -n sample: 15:13:03.018987 eth0 < 207.25.253.24.www > 195.134.67.52.1988: P 2996:3072(76) ack 1 win 17520 (DF) instead of 80, www is printed. I have seen this behavior in 6.1 and in 6.2beta, maybe it exists in previous versions too. Is this intentional?
Yes. In order to avoid unnecessary network lookup traffic (the underlying reason for adding -n), ANK's tcpdump looks up common values for portnames internally. Possibly the behavior of -n should be preserved even in the internal lookup in order to produce similar output as before, but that can be achieved with a shell wrapper if absolutely necessary.
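The shell wrapper mentioned above, worked out as an added example (not code from the tcpdump project or from anyone in this thread): it post-processes tcpdump -n output and turns a service name that follows an IPv4 address back into the port number, so a downstream parser that expects numeric ports keeps working. The name-to-number table is a constructed stand-in for /etc/services so the script runs offline; a real wrapper would read that file instead. Only tokens shaped like a.b.c.d.name are rewritten, so the rest of the line (timestamps, sequence numbers, flags) is left untouched.

```shell
#!/bin/sh
# Hypothetical wrapper for tcpdump -n output (example code, not tcpdump's own).
# Usage: tcpdump -n ... | numify_ports

# Constructed name->number table standing in for /etc/services (assumption).
PORT_TABLE='www=80;ftp=21;ssh=22;smtp=25;domain=53;https=443'

# numify_ports: read tcpdump lines on stdin and print them with ".name" after
# an IPv4 address replaced by ".number". A trailing ":" (tcpdump puts one after
# the destination endpoint) is preserved. Unknown names are left as they are.
numify_ports() {
    awk -v table="$PORT_TABLE" '
    BEGIN {
        n = split(table, rows, ";")
        for (i = 1; i <= n; i++) {
            split(rows[i], kv, "=")
            port[kv[1]] = kv[2]
        }
    }
    {
        for (i = 1; i <= NF; i++) {
            f = $i
            sfx = ""
            if (f ~ /:$/) { sfx = ":"; f = substr(f, 1, length(f) - 1) }
            # endpoint looks like 207.25.253.24.www -> split off the last label
            if (match(f, /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\./)) {
                addr = substr(f, 1, RLENGTH)
                name = substr(f, RLENGTH + 1)
                if (name in port) f = addr port[name]
            }
            $i = f sfx
        }
        print
    }'
}

# Constructed sample line, copied from the report above, for a stand-alone run.
SAMPLE='15:13:03.018987 eth0 < 207.25.253.24.www > 195.134.67.52.1988: P 2996:3072(76) ack 1 win 17520 (DF)'

# demo: run the wrapper over the sample and print the rewritten line.
demo() {
    printf '%s\n' "$SAMPLE" | numify_ports
}

demo
```

With the sample line, `www` becomes `80` while the already numeric `1988` destination port is unchanged. The same effect without post-processing comes from tcpdump's own `-nn` switch, which suppresses both host and port name conversion; the wrapper is only useful where a tcpdump build or script is stuck with plain `-n`.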
Fixed (by updating man page) in tcpdump-3.4-22.
This breaks nstreams (ftp://cvs.nessus.org/pub/nstreams/) a tcpdump file parser that requires that -n actually work. I understand the "spirit" of -n in reducing traffic, but personally, I'd rather something work one way, or the other, but not mixed -- as is the present case with -n. I'd STRONGLY prefer that -n work correctly, but absent that you mention a shell wrapper -- can you elaborate on that? I understand what you mean, but have no idea how to implement it. BTW, the reason I want to use tcpdump -n rather than the built-in nstreams capture is to capture ALL the RAW data. I can then use nstreams and/or other tools to analyze the data. If I capture with nstreams, well... I also installed tcpdump-3.4-29.i386.rpm (my system is RH6.2) in an attempt to get a fix. Needless to say, it did not work, but I also did not see any changes in the man page, per "FIxed (by updating man page) in tcpdump-3.4-22."
tcpdump -nn does its job without printing port names ..