Ethereal-users: Re: [ethereal-users] Capture Filter Questions

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date: Wed, 23 Aug 2000 10:51:14 -0500

Yes, ether[14:2] == 0xffff would be the capture filter string.

14 means the 14th byte from the start of the ethernet header, the :2 means two bytes.
So, you're filtering on bytes 15 and 16 (the offset starts at 0) after the start of the Ethernet header.

It so happens that for ETHERNET_802_3 a value of 0xffff at these two bytes means
"IPX".

For a good book on IPX, read:

        NetWare LAN Analysis, Second Edition
        Laura A. Chappell and Dan E. Hakes
        (c) 1994 Novell, Inc.
        Novell Press, San Jose.
        ISBN: 0-7821-1362-1

Using this mechanism for filtering NCP packets is more difficult because IPX designates NCP packets in two ways, with either the packet type or the socket (ipx.packet_type and ipx.socket in Ethereal's display filter language).

--gilbert

Michael.Thorp@xxxxxxxxxxxx on 08/23/2000 10:47:04 AM

To:   Gilbert Ramirez/Tivoli Systems@Tivoli Systems
cc:   ethereal-users@xxxxxxxx
Subject:  Re: [ethereal-users] Capture Filter Questions

I appreciate the information, thanks.  A couple of questions though, is "ether[14:2] == 0xffff" what I would put into the ethereal capture filter string box?  Where do the values inside the brackets come from [14:2]?  If the value 0xffff will pick up IPX packets, what would the value be for NCP packets?

Thanks again.  I'm still learning this stuff about packet analysis.

Mike

Gilbert_Ramirez@xxxxxxxxxx on 08/23/2000 11:10:05 AM

To:   Michael Thorp/NOTES@AIBUS
cc:   ethereal-users@xxxxxxxx
Subject: Re: [ethereal-users] Capture Filter Questions

libpcap, which is the packet capture library that both tcpdump and Ethereal use, was not built with IPX in mind.
It has no facility for directly filtering on IPX or NCP packets. What you can do, however, is filter on a portion of the protocol underneath IPX. Depending on what your IPX packets are encapsulated in (ETHERNET_II, ETHERNET_802_2, ETHERNET_802_3, or ETHERNET_SNAP), your filter will be different. But it will be something like:

tcpdump ether[14:2] == 0xffff

(for ETHERNET_802_3)

--gilbert

Michael.Thorp@xxxxxxxxxxxx on 08/23/2000 09:20:45 AM

To:   ethereal-users@xxxxxxxx
cc:    (bcc: Gilbert Ramirez/Tivoli Systems)
Subject:  [ethereal-users] Capture Filter Questions

I am running ethereal on an ethernet segment attached to a NetWare network.  The
network runs both TCP/IP and IPX/SPX.  When I do a capture of all network
traffic, I see IPX packets, NCP packets, LLC packets, ARP packets, SAP packets,
etc.  I've looked through the TCPdump documentation, but have not been able to
figure out how to write a capture filter for just NCP packets or IPX packets.
I've been able to capture packets to and from various IP addresses, but the
syntax in the TCPdump man page is not intuitive for much else.   What would be
the syntax for a capture filter for IPX?

Thanks in advance for the help.
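As an added example (not code from this thread, nor from Ethereal or libpcap), the following Python models the byte test the thread describes, ether[14:2] == 0xffff, and extends it to the other encapsulations Gilbert names (ETHERNET_II, ETHERNET_802_2, ETHERNET_SNAP) and to the two NCP markers (ipx.packet_type and ipx.socket). The ethertype, SAP and NCP constants are standard IPX values assumed here, not quoted from the thread, and the sample frame is constructed.

```python
import struct

# Well-known IPX/NCP markers (assumed standard values, not quoted from the thread)
IPX_ETHERTYPE = 0x8137      # ETHERNET_II: ether[12:2] == 0x8137
IPX_RAW_CHECKSUM = 0xFFFF   # ETHERNET_802_3: IPX checksum is always 0xffff -> ether[14:2] == 0xffff
IPX_LLC_SAPS = 0xE0E0       # ETHERNET_802_2: DSAP/SSAP 0xe0 -> ether[14:2] == 0xe0e0
NCP_PACKET_TYPE = 0x11      # ipx.packet_type 17 = NCP
NCP_SOCKET = 0x0451         # ipx.socket 0x451 = NCP

def ether(frame, offset, size):
    """Mimic libpcap's ether[offset:size]: big-endian unsigned integer."""
    return int.from_bytes(frame[offset:offset + size], "big")

def ipx_offset(frame):
    """Offset of the IPX header, or None if the frame does not carry IPX.
    Each branch is the check a capture filter would make for that encapsulation."""
    if len(frame) < 14:
        return None
    type_or_len = ether(frame, 12, 2)
    if type_or_len == IPX_ETHERTYPE:                      # ETHERNET_II
        return 14
    if type_or_len > 1500:                                # some other Ethernet II type
        return None
    if ether(frame, 14, 2) == IPX_RAW_CHECKSUM:           # ETHERNET_802_3 (raw)
        return 14
    if ether(frame, 14, 2) == IPX_LLC_SAPS:               # ETHERNET_802_2 (LLC, 3 bytes)
        return 17
    if ether(frame, 14, 3) == 0xAAAA03 and ether(frame, 17, 5) == IPX_ETHERTYPE:
        return 22                                         # ETHERNET_SNAP (8 bytes)
    return None

def is_ncp(frame):
    """NCP is marked either by IPX packet type 17 or by socket 0x451 at either end."""
    off = ipx_offset(frame)
    if off is None or len(frame) < off + 30:              # 30-byte IPX header
        return False
    sockets = (ether(frame, off + 16, 2), ether(frame, off + 28, 2))
    return frame[off + 5] == NCP_PACKET_TYPE or NCP_SOCKET in sockets

def build_raw_8023_ipx(packet_type, dst_socket):
    """Constructed sample: 802.3 raw frame (length field, then a 30-byte IPX header)."""
    ipx = struct.pack(">HHBB4s6sH4s6sH", 0xFFFF, 30, 0, packet_type,
                      b"\0" * 4, b"\xff" * 6, dst_socket, b"\0" * 4, b"\0" * 6, 0x4003)
    return b"\xff" * 6 + bytes(range(6)) + struct.pack(">H", len(ipx)) + ipx
```

Because the checks inspect fixed offsets only, they show why a single capture filter cannot cover every encapsulation, and why NCP needs two tests (packet type or socket) rather than one.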