Ethereal-users: Re: [ethereal-users] Capture Filter Questions

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date: Wed, 23 Aug 2000 11:47:04 -0400

I appreciate the information, thanks.  A couple of questions though, is
"ether[14:2] == 0xffff" what I would put into the ethereal capture filter string
box?  Where do the values inside the brackets come from [14:2]?  If the value
0xffff will pick up IPX packets, what would the value be for NCP packets?

Thanks again.  I'm still learning this stuff about packet analysis.

Mike

Gilbert_Ramirez@xxxxxxxxxx on 08/23/2000 11:10:05 AM

To:      Michael Thorp/NOTES@AIBUS
cc:      ethereal-users@xxxxxxxx
Subject: Re: [ethereal-users] Capture Filter Questions

libpcap, which is the packet capture library that both tcpdump and Ethereal use,
was not built with IPX in mind. It has no facility for directly filtering on IPX
or NCP packets. What you can do, however, is filter on a portion of the protocol
underneath IPX. Depending on what your IPX packets are encapsulated in
(ETHERNET_II, ETHERNET_802_2, ETHERNET_802_3, or ETHERNET_SNAP), your filter
will be different. But it will be something like:

tcpdump ether[14:2] == 0xffff

(for ETHERNET_802_3)

--gilbert

Michael.Thorp@xxxxxxxxxxxx on 08/23/2000 09:20:45 AM

To:   ethereal-users@xxxxxxxx
cc:    (bcc: Gilbert Ramirez/Tivoli Systems)
Subject:  [ethereal-users] Capture Filter Questions

I am running ethereal on an ethernet segment attached to a NetWare network.  The
network runs both TCP/IP and IPX/SPX.  When I do a capture of all network
traffic, I see IPX packets, NCP packets, LLC packets, ARP packets, SAP packets,
etc.  I've looked through the TCPdump documentation, but have not been able to
figure out how to write a capture filter for just NCP packets or IPX packets.
I've been able to capture packets to and from various IP addresses, but the
syntax in the TCPdump man page is not intuitive for much else.   What would be
the syntax for a capture filter for IPX?

 Thanks in advance for the help.
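
Added example, not part of the original thread and not Ethereal or libpcap code: a Python model of what the byte-offset filter in the reply above tests, covering each of the four encapsulations it names and reusing the same offsets to reach the IPX socket fields for NCP. The frames are constructed, and the constants 0x8137, 0xe0e0, 0xaaaa and the NCP socket 0x0451 are assumptions taken from the IPX and IEEE 802 framing conventions, not from the messages.

```python
import struct

IPX_ETHERTYPE = 0x8137   # assumption: EtherType assigned to IPX
NCP_SOCKET = 0x0451      # assumption: well-known IPX socket used by NCP

# libpcap expressions equivalent to each branch of ipx_offset() below
FILTERS = {
    "ETHERNET_II":    "ether[12:2] == 0x8137",
    "ETHERNET_802_3": "ether[14:2] == 0xffff",
    "ETHERNET_802_2": "ether[14:2] == 0xe0e0",
    "ETHERNET_SNAP":  "ether[14:2] == 0xaaaa and ether[20:2] == 0x8137",
}

def ether(frame, off, size):
    """libpcap's ether[off:size]: `size` bytes at byte offset `off`, big-endian."""
    return int.from_bytes(frame[off:off + size], "big")

def ipx_offset(frame):
    """Return (encapsulation, offset of the IPX header), or None if not IPX.
    Bytes 0-5 are the dst MAC, 6-11 the src MAC, 12-13 EtherType or length."""
    type_or_len = ether(frame, 12, 2)
    if type_or_len == IPX_ETHERTYPE:
        return "ETHERNET_II", 14
    if type_or_len > 1500:
        return None                      # some other Ethernet II protocol
    first = ether(frame, 14, 2)          # first two bytes after the 14-byte header
    if first == 0xFFFF:                  # IPX checksum field, always 0xffff
        return "ETHERNET_802_3", 14
    if first == 0xE0E0:                  # LLC DSAP/SSAP, then 1 control byte
        return "ETHERNET_802_2", 17
    if first == 0xAAAA and ether(frame, 20, 2) == IPX_ETHERTYPE:
        return "ETHERNET_SNAP", 22       # LLC(3) + OUI(3) + type(2)
    return None

def is_ncp(frame):
    """True if either IPX socket (dst at +16, src at +28) is the NCP socket."""
    hit = ipx_offset(frame)
    return hit is not None and NCP_SOCKET in (
        ether(frame, hit[1] + 16, 2), ether(frame, hit[1] + 28, 2))

# Constructed sample frames (not captured traffic); packet type 0 is not examined.
def ipx(dst_sock, src_sock):
    return struct.pack("!HHBB4s6sH4s6sH", 0xFFFF, 30, 0, 0, b"\0" * 4,
                       b"\xff" * 6, dst_sock, b"\0" * 4, b"\x02" * 6, src_sock)

MACS = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01"
RAW_NCP = MACS + struct.pack("!H", 30) + ipx(NCP_SOCKET, 0x4003)
LLC_OTHER = MACS + struct.pack("!H", 33) + b"\xe0\xe0\x03" + ipx(0x4003, 0x4003)
SNAP_NCP = MACS + struct.pack("!H", 38) + b"\xaa\xaa\x03\0\0\0\x81\x37" + ipx(0x4003, NCP_SOCKET)
ARP = MACS + struct.pack("!H", 0x0806) + b"\0" * 28
```

For the ETHERNET_802_3 case the NCP test corresponds to the capture filter "ether[14:2] == 0xffff and (ether[30:2] == 0x0451 or ether[42:2] == 0x0451)"; the other encapsulations shift those two offsets by the difference in header length.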