tcpdump -n prints numerical IP addresses, but the name of the port.
From man tcpdump:
-n Don't convert addresses (i.e., host addresses, port
numbers, etc.) to names.
tcpdump -n sample:
15:13:03.018987 eth0 < 220.127.116.11.www > 18.104.22.168.1988: P
2996:3072(76) ack 1 win 17520 (DF)
Instead of 80, www is printed. I have seen this behavior in 6.1 and in
6.2beta, maybe it exists in previous versions too. Is this intentional?
Yes. In order to avoid unnecessary network lookup traffic (the underlying
reason for adding -n), ANK's tcpdump looks up common values for portnames
internally. Possibly the behavior of -n should be preserved even in the internal
lookup in order to produce similar output as before, but that can be achieved
with a shell wrapper if absolutely necessary.
Fixed (by updating man page) in tcpdump-3.4-22.
This breaks nstreams (ftp://cvs.nessus.org/pub/nstreams/), a tcpdump file
parser that requires that -n actually work. I understand the "spirit" of -n
in reducing traffic, but personally, I'd rather something work one way, or the
other, but not mixed -- as is the present case with -n.
I'd STRONGLY prefer that -n work correctly, but absent that you mention a
shell wrapper -- can you elaborate on that? I understand what you mean, but
have no idea how to implement it.
BTW, the reason I want to use tcpdump -n rather than the built-in nstreams
capture is to capture ALL the RAW data. I can then use nstreams and/or other
tools to analyze the data. If I capture with nstreams, well...
I also installed tcpdump-3.4-29.i386.rpm (my system is RH6.2) in an attempt to
get a fix. Needless to say, it did not work, but I also did not see any
changes in the man page, per "Fixed (by updating man page) in tcpdump-3.4-22."
tcpdump -nn does its job without printing port names.
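For the shell wrapper mentioned earlier in the thread, here is an added example (not code from this bug report or from the tcpdump project): a sed-based filter that rewrites the port names tcpdump prints back to numbers, so a parser such as nstreams sees "host.80" instead of "host.www". The service map is a constructed stand-in for /etc/services, since tcpdump's internal name table is not documented here; where the build supports it, tcpdump -nn (as the last comment notes) makes the wrapper unnecessary.

```shell
#!/bin/sh
# Constructed service map (name port), assumed to cover the names tcpdump's
# internal lookup emits; extend it from /etc/services as needed.
PORTMAP='www 80
ftp 21
ssh 22
smtp 25
domain 53
pop3 110
https 443'

# Build a sed script that rewrites ".name" endpoints (tcpdump prints host.port)
# to ".number". The name must be followed by a space, ':' or ',' so that a
# "www" inside a hostname or payload is left alone.
build_sed_script() {
    printf '%s\n' "$PORTMAP" | while read -r name port; do
        [ -n "$name" ] || continue
        printf 's/\\.%s\\([ :,]\\)/.%s\\1/g\n' "$name" "$port"
    done
}

# Filter: read tcpdump text output on stdin, write it out with numeric ports.
numeric_ports() {
    sed -e "$(build_sed_script)"
}

# The actual wrapper: run tcpdump -n and post-process its output.
# Usage: tcpdump_n -i eth0 port 80
tcpdump_n() {
    tcpdump -n "$@" | numeric_ports
}
```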