Ethereal-dev: RE: [Fwd: Re: [Ethereal-dev] Filter expressions for exclusion]

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Esh, Andrew" <AEsh@xxxxxxxxxxx>
Date: Wed, 1 Jan 2003 08:29:47 -0600
Title: RE: [Fwd: Re: [Ethereal-dev] Filter expressions for exclusion]

While what you say is technically true, it does not address John McDermott's point. He used HTTP as an example, probably because it was easy for everyone to understand, but the real issue is the port number. The point is that port number filtering is counterintuitive. There are probably examples of other ports, and of other fields.

I have a question about "!http". If the rule is: "Referring to a protocol implies that the packets match that protocol before they are tested.", then "!http" would always filter out ALL packets. If they aren't HTTP, they get filtered out because "http" is undefined. If they are HTTP they are tested, and filtered out because of the NOT operator. Is that really the case, or is there another special case for the http field? What other fields work this way, and what other fields work the tcp.port way? (I don't need a listing, I just need the question considered.)

-----Original Message-----
From: Guy Harris [mailto:gharris@xxxxxxxxx]
Sent: Tuesday, December 31, 2002 5:43 PM
To: jjm@xxxxxxxxxx
Cc: Ethereal-dev@xxxxxxxxxxxx
Subject: Re: [Fwd: Re: [Ethereal-dev] Filter expressions for exclusion]


John McDermott said:
> OK.  So this got me to thinking.  How do I write "I want to see all
> packets except HTTP packets".  The answer is '!tcp.port == 80'.

Actually, the answer is "!http" - there is no guarantee that HTTP traffic
appears only on port 80, and Ethereal also supports some other ports as
HTTP ports, e.g. 8080 (common alternate HTTP port), 3128 (common HTTP
proxy port), 3132 (HTTP proxy admin port, at least for proxies made by a
certain manufacturer of, well, network appliances), both TCP *and* UDP
ports 1900 (for the Simple Service Discovery Protocol, which I think is
part of Microsoft's UPnP, and that runs atop HTTP), and TCP port 631 (for
the Internet Printing Protocol, which also runs atop HTTP).
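
The three exclusion filters discussed in this thread, run against a small model. This is an added example, not part of the original messages and not Ethereal code. It assumes that a comparison on a field matches if any occurrence of the field satisfies it, and that a bare protocol name tests for presence; the packets and helper names are constructed for illustration.

```python
# Constructed sample packets: each is the list of (field, value) pairs a
# dissector would attach. Protocol names appear as fields with no value,
# and tcp.port occurs twice (source port, then destination port).
PACKETS = {
    "http-80":   [("tcp", None), ("tcp.port", 51000), ("tcp.port", 80), ("http", None)],
    "http-8080": [("tcp", None), ("tcp.port", 51001), ("tcp.port", 8080), ("http", None)],
    # Assumed: a payload-less segment to port 80 carries no HTTP layer.
    "syn-80":    [("tcp", None), ("tcp.port", 51002), ("tcp.port", 80)],
    "ssh":       [("tcp", None), ("tcp.port", 51003), ("tcp.port", 22)],
    "dns":       [("udp", None), ("udp.port", 53000), ("udp.port", 53), ("dns", None)],
}

def values(pkt, name):
    """All values of a field in one packet (possibly none, possibly several)."""
    return [v for f, v in pkt if f == name]

def exists(name):            # bare name, e.g. http
    return lambda pkt: any(f == name for f, _ in pkt)

def any_eq(name, want):      # name == want: true if ANY occurrence equals
    return lambda pkt: any(v == want for v in values(pkt, name))

def any_ne(name, want):      # name != want: true if ANY occurrence differs
    return lambda pkt: any(v != want for v in values(pkt, name))

def negate(pred):            # !( ... )
    return lambda pkt: not pred(pkt)

def shown(pred):
    """Names of the sample packets the filter would display."""
    return sorted(n for n, p in PACKETS.items() if pred(p))

FILTERS = {
    "tcp.port != 80":    any_ne("tcp.port", 80),
    "!(tcp.port == 80)": negate(any_eq("tcp.port", 80)),
    "!http":             negate(exists("http")),
}

if __name__ == "__main__":
    for text, pred in FILTERS.items():
        print(f"{text:20} -> {shown(pred)}")
```

In this model `tcp.port != 80` still shows the port-80 HTTP packet because its source port differs from 80, while `!http` drops HTTP on any port but keeps the payload-less port-80 segment.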

