I'm trying to add a filter to a tcpdump stream.
The expression I'm trying to run is:
tcpdump -i eth0 -U -w - host 192.168.2.29 and (port 22222 or port 22221 or port 80)
This particular format throws:
bash: syntax error near unexpected token '('
I expected this to work based on THIS.
The following work without throwing an error:
a) tcpdump -i eth0 -U -w - host 192.168.2.29
b) tcpdump -i eth0 -U -w - port 22222
I've tried every permutation of association all throwing the same error.
Summarizing the comments for an answer:
The easiest way to deal with the tcpdump expression is to put it all in quotes, because otherwise the shell gets in the way anytime there are special characters. Parentheses are the most common troublesome metacharacters, but many others get to play as well: [, ], & and others, and anytime you refine your expression you have to check that you didn't add something dangerous.
So quotes are the easy way:
tcpdump -i eth0 -U -w - 'host 192.168.2.29 and (port 22222 or port 22221 or port 80)'
But escaping the metacharacters works too and is directly responsive to the OP's question:
tcpdump -i eth0 -U -w - host 192.168.2.29 and \(port 22222 or port 22221 or port 80\)
Personally, I prefer the quotes.
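An added illustration (not part of the original answer) of what the shell actually hands to tcpdump in each case. The stand-in function filter_seen_by_tcpdump is an assumption: it joins its arguments with single spaces, which is how tcpdump assembles a filter from several argv words; nothing here captures packets.

```shell
#!/bin/sh
# Added example, not from the original answer. No tcpdump is run; the
# functions below only show how the shell splits the command line.

# Count the argv words a command would receive.
argc() { echo "$#"; }

# Stand-in for tcpdump's filter assembly: join argv words with spaces.
filter_seen_by_tcpdump() { printf '%s' "$*"; }

# Whole filter in single quotes: the shell passes it as ONE word (6 total).
quoted_argc() {
    argc -i eth0 -U -w - 'host 192.168.2.29 and (port 22222 or port 22221 or port 80)'
}

# Backslash-escaped parentheses: the shell passes 16 separate words,
# which tcpdump joins back into the same expression.
escaped_argc() {
    argc -i eth0 -U -w - host 192.168.2.29 and \(port 22222 or port 22221 or port 80\)
}

# Both styles deliver the identical filter text to tcpdump.
quoted_filter() {
    filter_seen_by_tcpdump 'host 192.168.2.29 and (port 22222 or port 22221 or port 80)'
}

escaped_filter() {
    filter_seen_by_tcpdump host 192.168.2.29 and \(port 22222 or port 22221 or port 80\)
}

# Unquoted, the shell parses "(" as the start of a subshell and rejects the
# line before tcpdump ever starts. Returns 0 when the shell rejected it.
unquoted_is_rejected() {
    if sh -c 'true host 192.168.2.29 and (port 22222 or port 80)' 2>/dev/null; then
        return 1
    else
        return 0
    fi
}
```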