Is it possible to change the position of [expression] part in tcpdump?

Question

Is it possible to change the position of [expression] part in tcpdump ?

eg: tcpdump -i eth0 ip6 -w capture.pcap.

According to the syntax ip6 should be at the end but is it possible this way or any other way without ending up as syntax error.

If yes how and if no why ??

May I get any help on this?

tcpdump syntax: tcpdump [ -adeflnNOpqRStuvxX ] [ -c count ]

[ -C file_size ] [ -F file ]

[ -i interface ] [ -m module ] [ -r file ]

[ -s snaplen ] [ -T type ] [ -U user ] [ -w file ]

[ -E algo:secret ] [ expression ]

I am taking a wild guess now: You want to create an alias like `tcpd6` which includes all your options and listens only for IPv6 traffic, but you want to be able to add an expression after the alias. If this is the case, I suggest your create a shell function (if under Unix/Linux) instead of an alias. And since this question is not about programming, I suggest asking something like this on [unix.se](https://unix.stackexchange.com/) or [superuser.com](https://superuser.com) where it would be on topic. — Dubu, Jan 16 '16 at 17:46

score 0 · Accepted Answer · answered Jan 14 '16 at 20:37

Is it possible to change the position of [expression] part in tcpdump ?

No.

If yes how and if no why ??

Because the UN*X command line syntax standard puts "flag" options - options beginning with a -, possibly with an argument to the flag option - before non-flag options, such as the capture filter expression.

According to the syntax ip6 should be at the end

Then put it there:

tcpdump -i eth0 -w capture.pcap ip6

Is it possible to change the position of [expression] part in tcpdump?

1 Answers1