Ethereal-dev: [Ethereal-dev] Re: Colorfilter expressions matching incorrectly

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: ronnie sahlberg <ronniesahlberg@xxxxxxxxx>
Date: Mon, 11 Apr 2005 05:43:12 -0400
tcp tests for "does a field exist in this capture that has the name tcp".

This field is used for the expansion/protocol for tcp.


Expand the ICMP packets and look at the payload that is dissected.
It does contain the TCP protocol.

So the filter works. One would argue that if this filter did NOT show
this packet, then the filtering would be completely broken since the
packet DOES contain the TCP protocol.
Many popular "other" "network analysis" tools have filtering languages
that are broken in exactly this regard.
(see their stupid complex examples to find something as simple as
'all NFS packets' and conditional filters and all crap they invent to
make the filtering actually almost work)


Functions as designed.

If your other sniffer does not filter in the same way, report it as a
bug to the vendor.



On Mon, 11 Apr 2005 11:33:27 +0200, Radek Vokal <rvokal@xxxxxxxxxx> wrote:
> On Mon, 2005-04-11 at 11:14 +0200, Francisco Alcoba (TS/EEM) wrote:
> > Hi,
> > 
> > > Seems like the filters are broken. See the attached file for a sample
> > > capture. When you add filter "ip.src==24.14.184.105 && tcp" 
> > > only packets
> > > 2 and 5 should be displayed but I also see packets 3 and 6 which has
> > > different source address and aren't tcp! 
> > 
> > ip.src==24.14.184.105 means, for ethereal, "in this packet there is a 
> > source field inside an IP header that equals 24.14.184.105"; it does not
> > mean "the first IP header in this packet has a source field that equals
> > 24.14.184.105". In your capture packets 3 and 6 are ICMP, and the ICMP
> > payload includes IP headers with those values.
> > 
> 
> Ok, thanks for explaining this to me. 
> 
> > As a practical tip, "ip.src==24.14.184.105 && tcp &&!icmp" should give
> > the results you are looking for.
> 
> Hmm, I'm a bit confused with the behavior. Shouldn't the second param
> &&tcp show ONLY tcp packets? 
> 
> > 
> > Regards,
> > 
> >   Francisco
> > 
> > _______________________________________________
> > Ethereal-dev mailing list
> > Ethereal-dev@xxxxxxxxxxxx
> > http://www.ethereal.com/mailman/listinfo/ethereal-dev
> -- 
> Radek Vokál     <rvokal@xxxxxxxxxx> 
> OS Systems Engineer
>         IT executives rate Red Hat #1 for value
>         http://www.redhat.com/promo/vendor/index.html
> 
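The matching rule described in this thread (a filter term is true if a field of that name exists anywhere in the dissected packet, including IP and TCP headers quoted inside an ICMP payload) as an added Python model; this is not Ethereal's code, and the packets, their field values and the &&-only evaluator are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Layer:
    """One dissected protocol header and the fields it carries."""
    proto: str
    fields: dict = field(default_factory=dict)

# Constructed packets modelled on the capture discussed in the thread (the real
# file is not available here): 2 and 5 are plain TCP from 24.14.184.105; 3 and 6
# are ICMP errors whose payload quotes the offending IP and TCP headers.
PACKETS = {
    2: [Layer("ip", {"src": "24.14.184.105"}), Layer("tcp", {"dstport": "80"})],
    3: [Layer("ip", {"src": "10.1.1.1"}), Layer("icmp", {"type": "3"}),
        Layer("ip", {"src": "24.14.184.105"}), Layer("tcp", {"dstport": "80"})],
    5: [Layer("ip", {"src": "24.14.184.105"}), Layer("tcp", {"dstport": "443"})],
    6: [Layer("ip", {"src": "10.1.1.1"}), Layer("icmp", {"type": "11"}),
        Layer("ip", {"src": "24.14.184.105"}), Layer("tcp", {"dstport": "443"})],
}

def field_values(layers, name):
    """Every value a field name takes anywhere in the dissection tree; a bare
    protocol name such as "tcp" exists once per occurrence of that protocol."""
    values = []
    for layer in layers:
        if name == layer.proto:
            values.append(True)
        proto, _, attr = name.partition(".")
        if proto == layer.proto and attr in layer.fields:
            values.append(layer.fields[attr])
    return values

def matches(expr, layers):
    """Evaluate an &&-only filter with 'exists anywhere in the packet' semantics."""
    for term in expr.split("&&"):
        term = term.strip()
        negate = term.startswith("!")
        name, _, want = term.lstrip("! ").partition("==")
        vals = field_values(layers, name.strip())
        hit = any(v == want.strip() for v in vals) if want else bool(vals)
        if hit == negate:  # a true term that is negated, or a false term that is not
            return False
    return True

def select(expr):
    """Packet numbers the filter would display in the packet list."""
    return sorted(n for n, layers in PACKETS.items() if matches(expr, layers))
```

Packets 3 and 6 match the original filter because the quoted headers inside the ICMP payload carry an ip.src field and a tcp field; adding "&& !icmp" is what excludes them.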