tcpdump errors on FreeBSD for mk-query-digest

While I use this tcpdump command for MySQL query analysis with mk-query-digest, I recently found that it didn’t work on FreeBSD.

$ tcpdump -i bge0 port 3306 -s 65535 -x -n -q -tttt -c 5
tcpdump: syntax error

It left me perplexed, and reading the man page seemed to indicate my options were valid. I tried a few variations, just to be sure, without success.

$ tcpdump -i bge0 -c 5 port 3306 -x
tcpdump: syntax error
$ tcpdump -i bge0 -c 5 port 3306 -q
tcpdump: syntax error
$ tcpdump -i bge0 -c 5 port 3306 -tttt
tcpdump: syntax error

The solution was actually quite simple in the end: it had nothing to do with the options themselves, but everything to do with their order. Placing the port filter expression last solved the problem.

$ tcpdump -i bge0 -s 65535 -x -n -q -tttt -c 5 port 3306
$ uname -a
FreeBSD db4.example.com 6.3-RELEASE-p3 FreeBSD 6.3-RELEASE-p3 #0: Wed Jul 16 05:13:50 EDT 200
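As an added example (not part of the original post), here is a small POSIX sh check for the misordering described above: it walks a tcpdump argument list and fails as soon as an option appears after the first token of the filter expression. The set of options that take a value is taken from the man page synopsis quoted in the comments below; the function name is my own.

```shell
#!/bin/sh
# Added example: verify that every tcpdump option precedes the BPF filter
# expression, which is the ordering FreeBSD's tcpdump insists on.

# Options that consume a following value (from the tcpdump synopsis).
TCPDUMP_OPTS_WITH_ARG="-c -C -F -i -m -r -s -T -w -E"

# takes_arg OPT: succeed if OPT expects a value after it.
takes_arg() {
    for o in $TCPDUMP_OPTS_WITH_ARG; do
        [ "$1" = "$o" ] && return 0
    done
    return 1
}

# check_tcpdump_order ARG...  (the arguments that follow "tcpdump")
# Returns 0 when all options come before the filter expression, and 1 when
# an option turns up after the expression has started, which is the
# arrangement that produced "tcpdump: syntax error" in the post.
check_tcpdump_order() {
    in_expr=0
    while [ $# -gt 0 ]; do
        case "$1" in
            -*)
                if [ "$in_expr" -eq 1 ]; then
                    echo "option '$1' appears after the filter expression" >&2
                    return 1
                fi
                # Skip the option's value so it is not mistaken for the expression.
                if takes_arg "$1"; then
                    [ $# -gt 1 ] && shift
                fi
                ;;
            *)
                # First non-option token starts the filter expression.
                in_expr=1
                ;;
        esac
        shift
    done
    return 0
}
```

Run it as `check_tcpdump_order -i bge0 -c 5 port 3306 -x` to see the failing order reported before you ever invoke tcpdump.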

Comments

  1. doni says

    There’s no error; if you read the man page of tcpdump, you’ll see that the correct syntax is:

    tcpdump [ -adeflnNOpqRStuvxX ] [ -c count ]
    [ -C file_size ] [ -F file ]
    [ -i interface ] [ -m module ] [ -r file ]
    [ -s snaplen ] [ -T type ] [ -w file ]
    [ -E algo:secret ] [ expression ]

    I.e. the expression must be at the end of the command. That’s valid for OSX too.

  2. says

    You can check queries using:

    > tcpdump -i interface -s 0 -l -w - dst port 3306 and host a.b.c.d | strings

    This will show you all commands.