Ethereal-users: Re: [ethereal-users] Cannot create Filters for STP packets

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Thu, 27 Jul 2000 18:24:31 -0700 (PDT)
> I am starting to use Ethereal on NT and it does capture very good
> information.
> However, I am not able to create Filters. Is anyone else having the same
> problem?

Capture filters?

The syntax for capture filters is that of tcpdump, rather than (a subset
of) the Ethereal display filter syntax; see FAQ 3.1:

	http://ethereal.zing.org/faq.html#q3.1

The tcpdump syntax can be found in the tcpdump man page; if you don't
have tcpdump on your system, the Web site for WinDump (a port of tcpdump
to Win32 systems, using the WinPcap library that Ethereal also uses) has
the WinDump man page, derived from the tcpdump man page (and describing
a couple of additional flags added by WinDump):

	http://netgroup-serv.polito.it/windump/docs/manual.htm

Look for the section that comes right after the description of the "-B"
and "-D" flags in "WinDump specific extensions:".

> I am trying to create a Filter not to show STP (Spanning Tree Protocol)
> or even capture the STP packets. How can I avoid capturing the STP
> packets?

STP packets are a bit tricky to filter - they're LLC packets with a SAP
of 0x42.

On Ethernet, LLC packets can be distinguished from Ethernet packets by
checking the length field of the packet - if it's <= the maximum frame
size, it's an LLC packet, otherwise it's an Ethernet packet.

The maximum frame size is 1500 bytes, so the filter should accept only
packets where the length/type field is > 1500.

There is no way to test that field directly, but you can just ask for
bytes 12 and 13 (zero-origin) of the Ethernet header:

	ether[12:2] > 1500

That'd select Ethernet II packets; if you also want 802.2 LLC packets
other than STP packets, it's a bit more complicated, as you have to
check the SAP as well.

	ether[12:2] > 1500 || ether[14:1] != 0x42

should, I think, do the job (I couldn't test it too well here directly,
but the negation of it seemed to capture *only* STP packets here).
"ether[14:1]" checks the byte at an offset of 14 relative to the
beginning of the Ethernet header, which is the first byte *after* the
Ethernet header; on packets where the length/type field in the Ethernet
header (2 bytes starting at an offset of 12 from the beginning of the
Ethernet header) is less than or equal to 1500, i.e. 802.2 LLC packets,
that byte is the destination SAP in the LLC header.

For FDDI, *all* data packets are LLC, so

	fddi[13:1] != 0x42

should, I think, be sufficient.
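The two checks in the reply above, the length/type field at ether[12:2] and the DSAP byte at ether[14:1] (fddi[13:1] on FDDI), can be exercised without a live capture. The Python below is an added example, not code from the message, from Ethereal or from libpcap: it parses the proto[off:size] OP value subset of the tcpdump filter language that the reply's filters use (with ||/or, !/not and parentheses), evaluates it against constructed frames (a Configuration BPDU behind an 802.3 length field, an Ethernet II IPv4 frame, an 802.2 LLC/SNAP frame with DSAP 0xAA, and FDDI versions of the first and third), and applies the BPF rule that a load running past the end of the packet rejects the packet. The frame contents, the fact that the ether/fddi keyword is accepted but not checked against a link type, and the exception-based out-of-bounds handling are this example's own choices, not anything the reply or the tools specify.

```python
import operator
import re

# Toy tcpdump-filter evaluator (added example, not libpcap): proto[off:size] OP value,
# combined with || (or), ! (not) and parentheses, which is all the message's filters use.
_TOKEN = re.compile(r"\s*(?:(ether|fddi)\[(\d+):([124])\]|(0x[0-9a-fA-F]+|\d+)"
                    r"|(\|\||!=|==|>=|<=|[<>!()]|\bor\b|\bnot\b))")
_OPS = {">": operator.gt, "<": operator.lt, ">=": operator.ge, "<=": operator.le,
        "==": operator.eq, "!=": operator.ne}

class OutOfBounds(Exception):
    """A load ran past the end of the frame; BPF treats that as 'no match'."""

def _load(frame, off, size):
    if off + size > len(frame):
        raise OutOfBounds(off)
    return int.from_bytes(frame[off:off + size], "big")   # multi-byte loads are big-endian

def _tokenize(expr):
    toks, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"unrecognised filter text: {expr[pos:]!r}")
        pos = m.end()
        proto, off, size, num, op = m.groups()
        if proto:
            toks.append(("load", proto, int(off), int(size)))
        elif num:
            toks.append(("num", int(num, 0)))
        else:
            toks.append(("op", {"or": "||", "not": "!"}.get(op, op)))
    return toks

class _Parser:
    # expr := factor ('||' factor)*    factor := '!' factor | '(' expr ')' | load OP number
    # Each rule returns a predicate frame -> bool; any() short-circuits like the BPF jumps.
    def __init__(self, toks):
        self.toks, self.i = toks, 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self):
        self.i += 1
        return self.toks[self.i - 1]   # IndexError if the expression ends early
    def expr(self):
        parts = [self.factor()]
        while self.peek() == ("op", "||"):
            self.take()
            parts.append(self.factor())
        return lambda frame: any(p(frame) for p in parts)
    def factor(self):
        if self.peek() == ("op", "!"):
            self.take()
            inner = self.factor()
            return lambda frame: not inner(frame)
        if self.peek() == ("op", "("):
            self.take()
            inner = self.expr()
            if self.take() != ("op", ")"):
                raise ValueError("missing ')'")
            return inner
        load, op, num = self.take(), self.take(), self.take()
        if load[0] != "load" or op[0] != "op" or op[1] not in _OPS or num[0] != "num":
            raise ValueError(f"expected proto[off:size] OP number near {load!r}")
        _, _proto, off, size = load   # ether/fddi offsets both count from byte 0 of the frame
        cmp, value = _OPS[op[1]], num[1]
        return lambda frame: cmp(_load(frame, off, size), value)

def compile_filter(expr):
    """Return matches(frame) -> bool for a tcpdump-style expression."""
    parser = _Parser(_tokenize(expr))
    pred = parser.expr()
    if parser.peek() is not None:
        raise ValueError(f"trailing tokens: {parser.toks[parser.i:]!r}")
    def matches(frame):
        try:
            return bool(pred(frame))
        except OutOfBounds:
            return False   # a load past the end rejects the frame, even inside a negation
    return matches

# Constructed sample frames (not captured traffic).  The Ethernet header is 14 bytes and
# the FDDI header (FC + DA + SA) is 13, so the LLC DSAP byte is ether[14] / fddi[13].
_STP_MAC, _SRC, _DST = (bytes.fromhex(h) for h in ("0180c2000000", "001122334455", "00aabbccddee"))
_IPV4 = bytes.fromhex("45 00 0014 0001 0000 40 01 0000 c0a80001 c0a80002")   # bare IPv4 header
_BPDU = bytes.fromhex("0000 00 00 00 8000001122334455 00000000 8000001122334455"
                      " 8001 0000 1400 0200 0f00")                           # 35-byte Config BPDU
_SNAP = bytes.fromhex("aa aa 03 000000 0800")                                # LLC/SNAP carrying IPv4
STP_BPDU = (_STP_MAC + _SRC + (3 + len(_BPDU)).to_bytes(2, "big") + bytes.fromhex("42 42 03") + _BPDU).ljust(60, b"\0")
ETHII_IP = (_DST + _SRC + bytes.fromhex("0800") + _IPV4).ljust(60, b"\0")
SNAP_IP = (_DST + _SRC + (len(_SNAP) + len(_IPV4)).to_bytes(2, "big") + _SNAP + _IPV4).ljust(60, b"\0")
FDDI_STP = bytes.fromhex("50") + _STP_MAC + _SRC + bytes.fromhex("42 42 03") + _BPDU
FDDI_IP = bytes.fromhex("50") + _DST + _SRC + _SNAP + _IPV4
RUNT = STP_BPDU[:13]   # truncated inside the length/type field

ETHER_ALL_BUT_STP = compile_filter("ether[12:2] > 1500 || ether[14:1] != 0x42")
ETHER_ONLY_STP = compile_filter("not (ether[12:2] > 1500 or ether[14:1] != 0x42)")
FDDI_ALL_BUT_STP = compile_filter("fddi[13:1] != 0x42")
```

Calling ETHER_ALL_BUT_STP on the frames reproduces what the reply predicts: the Ethernet II and LLC/SNAP frames pass, the BPDU does not, and the negated filter selects only the BPDU; FDDI_ALL_BUT_STP drops FDDI_STP and keeps FDDI_IP. The truncated RUNT frame fails both ETHER_ALL_BUT_STP and ETHER_ONLY_STP, which is the one behaviour worth remembering when negating a capture filter: a packet too short for a byte load never matches, so "not" does not turn that rejection into a match.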