Here is a small display filter manual page update that tries to
clarify how to remove noise from the packet trace display.
Index: ethereal.pod.template
===================================================================
RCS file: /cvsroot/ethereal/doc/ethereal.pod.template,v
retrieving revision 1.298
diff -u -r1.298 ethereal.pod.template
--- ethereal.pod.template 2002/05/21 21:55:47 1.298
+++ ethereal.pod.template 2002/05/26 20:42:18
@@ -1106,7 +1106,7 @@
ip.addr ne 192.168.4.1
not ip.addr eq 192.168.4.1
-The first filter says "show me all packets where an ip.addr exists that
+The first filter says "show me IP packets where an ip.addr exists that
does not equal 192.168.4.1". That is, as long as one ip.addr in the
packet does not equal 192.168.44.1, the packet passes the display
filter. The second filter "don't show me any packets that have at least
@@ -1120,6 +1120,25 @@
not equal 192.168.4.1".
Be careful with multiply-recurring fields; they can be confusing.
+
+Care must also be taken when using the display filter to remove noise
+from the packet trace. If you want to e.g. filter out all IP multicast
+packets to address 224.1.2.3, then using:
+
+ ip.dst ne 224.1.2.3
+
+may be too restrictive. Filtering with "ip.dst" selects only those
+B<IP> packets that satisfy the rule. Any other packets, including all
+non-IP packets, will not displayed. For displaying also the non-IP
+packets, you can use one of the following two expressions:
+
+ not ip or ip.dst ne 224.1.2.3
+ not ip.addr eq 224.1.2.3
+
+The first filter uses "not ip" to include all non-IP packets and then
+lets "ip.dst ne 224.1.2.3" to filter out the unwanted IP packets. The
+second filter has already been explained above where filtering with
+multiply occuring fields was discussed.
The following is a table of protocol and protocol fields that are
filterable in B<Ethereal>. The abbreviation of the protocol or field is
--
Heikki Vatiainen * hessu@xxxxxxxxx
Tampere University of Technology * Tampere, Finland