tcpdump errors on FreeBSD for mk-query-digest

While I use this tcpdump command for MySQL query analysis with mk-query-digest, I found recently that it didn’t work on FreeBSD:

$ tcpdump -i bge0 port 3306 -s 65535 -x -n -q -tttt -c 5
tcpdump: syntax error

It left me perplexed, and reading the man page seemed to indicate my options were valid. I tried a few variations just to be sure, without success.

$ tcpdump -i bge0 -c 5 port 3306 -x
tcpdump: syntax error
$ tcpdump -i bge0 -c 5 port 3306 -q
tcpdump: syntax error
$ tcpdump -i bge0 -c 5 port 3306 -tttt
tcpdump: syntax error

The solution was actually quite simple in the end: it had nothing to do with the commands and everything to do with their order. Placing port as the last option solved the problem.

$ tcpdump -i bge0 -s 65535 -x -n -q -tttt -c 5  port 3306
$ uname -a
FreeBSD db4.example.com 6.3-RELEASE-p3 FreeBSD 6.3-RELEASE-p3 #0: Wed Jul 16 05:13:50 EDT 200
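
An added example, not part of the original post and not code from tcpdump or mk-query-digest: a shell function that checks a tcpdump argument list for options placed after the filter expression, the ordering that produced the syntax errors above. The function name and the TCPDUMP_ARG_OPTS variable are assumptions made for this example; the option letters that take an argument come from the synopsis quoted in the comments below.

```shell
# Added example: verify that every tcpdump option precedes the filter expression.
# Option letters that take an argument, taken from the synopsis quoted in the
# comments on this page; extend the list for the tcpdump version you run.
TCPDUMP_ARG_OPTS="cCFimrsTwE"

# Usage: tcpdump_order_check <the arguments you would pass to tcpdump>
# Returns 0 if all options come first, 1 (naming the stray option) otherwise.
tcpdump_order_check() {
    in_expr=0
    need_arg=0
    for tok in "$@"; do
        # The previous option wanted a value (e.g. "-i bge0", "-w -"): skip it.
        if [ "$need_arg" -eq 1 ]; then need_arg=0; continue; fi
        if [ "$in_expr" -eq 1 ]; then
            case $tok in
                -?*) echo "option '$tok' follows the filter expression" >&2
                     return 1 ;;
            esac
            continue
        fi
        case $tok in
            --) in_expr=1 ;;
            -?*)
                # Walk a cluster such as -nq or -tttt one letter at a time.
                cluster=${tok#-}
                while [ -n "$cluster" ]; do
                    rest=${cluster#?}
                    letter=${cluster%"$rest"}
                    case $TCPDUMP_ARG_OPTS in
                        *"$letter"*)
                            # "-c 5": value is the next token; "-c5": value is attached.
                            if [ -z "$rest" ]; then need_arg=1; fi
                            break ;;
                    esac
                    cluster=$rest
                done ;;
            *) in_expr=1 ;;   # first non-option token starts the expression
        esac
    done
    return 0
}
```

Run it with the same arguments as the capture command, for example `tcpdump_order_check -i bge0 port 3306 -x`, before using that command in a script that has to work on more than one platform.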


3 Responses to “tcpdump errors on FreeBSD for mk-query-digest”

  1. doni says:

    There’s no error; if you read the man page of tcpdump you’ll see that the correct syntax is:

    tcpdump [ -adeflnNOpqRStuvxX ] [ -c count ]
    [ -C file_size ] [ -F file ]
    [ -i interface ] [ -m module ] [ -r file ]
    [ -s snaplen ] [ -T type ] [ -w file ]
    [ -E algo:secret ] [ expression ]

    I.e. the expression must be at the end of the command. That’s valid for OSX too.

  2. Baron says:

    I updated the mk-query-digest docs and sample command to reflect this — thanks.

  3. Shamrock says:

    You can check queries using:

    > tcpdump -i interface -s 0 -l -w - dst port 3306 and host a.b.c.d | strings

    This will show you all commands.