Ethereal-users: Re: [ethereal-users] Capture Filter Questions
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
From: Guy Harris <guy@xxxxxxxxxx>
Date: Wed, 23 Aug 2000 11:22:15 -0700 (PDT)
> I appreciate the information, thanks. A couple of questions though, is " > ether[14:2] == 0xffff" what I would put into the ethereal capture filter > string box? Yes. You put into that box the exact same filter string that you'd give to tcpdump (because, assuming your tcpdump is linked with the same libpcap library that Ethereal is, the exact same code is handling both filter strings). > Where do the values inside the brackets come from [14:2]? Quoting the tcpdump man page: expr relop expr True if the relation holds, where relop is one of >, <, >=, <=, =, !=, and expr is an arithmetic expression composed of integer constants (expressed in standard C syntax), the normal binary operators [+, -, *, /, &, |], a length operator, and special packet data accessors. To access data inside the packet, use the following syntax: proto [ expr : size ] Proto is one of ether, fddi, ip, arp, rarp, tcp, udp, or icmp, and indicates the protocol layer for the index operation. The byte offset, relative to the indicated protocol layer, is given by expr. Size is optional and indicates the number of bytes in the field of interest; it can be either one, two, or four, and defaults to one. The length operator, indicated by the keyword len, gives the length of the packet. For example, `ether[0] & 1 != 0' catches all mul- ticast traffic. The expression `ip[0] & 0xf != 5' catches all IP packets with options. The expres- sion `ip[6:2] & 0x1fff = 0' catches only unfrag- mented datagrams and frag zero of fragmented datagrams. This check is implicitly applied to the tcp and udp index operations. For instance, tcp[0] always means the first byte of the TCP header, and never means the first byte of an intervening fragment. So "14" is an offset relative to the beginning of the Ethernet header, and "2" is the length of the field being checked. The Ethernet header is 14 bytes, so this tests the first two bytes *after* the Ethernet header. *If* the packet is an IEEE 802.3 packet (where the last two bytes of the Ethernet header are a length field) rather than a Digital-Intel-Xerox Ethernet packet (where the last two bytes of the Ethernet header are a packet type), the Ethernet header is, in theory, followed by an IEEE 802.2 LLC header, the first two bytes of which are a Destination Service Access Point and a Source Service Access Point, which are sort of like packet types. However, Netware appears to have invented their own scheme, perhaps before the IEEE 802.2 standard came out, wherein right after the 14-byte IEEE 802.3 header comes an IPX header, which begins with 0xFFFF. So this particular expression is checking for the Netware-atop-raw-802.3 encapsulation, rather than Netware-atop-802.2 encapsulation. That expression should also probably be checking for ether[12:2] <= 1500 so check whether the last 2 bytes of the Ethernet header are an IEEE 802.3 length field rather than a Digital-Intel-Xerox Ethernet type field (both 802.3 and Digital-Intel-Xerox packets can be put on the same Ethernet segment). Don Provan of Novell once wrote a somewhat exasperated essay explaining this mess (he was definitely in the "so what was wrong with Good Old Digital-Intel-Xerox Ethernet, anyway?" camp). That essay can be found in the middle of a Novell Netware FAQ at http://www.seflin.org/compinfo/novell.html (search for "metaphorically speaking", as his essay starts with: I'm often stopped on the street, metaphorically speaking, and asked, "Hey, Don, what *is* it with these Ethernet frame types." I've determined that the inquisitor generally wants the answer to one of four questions, which i list here in rough order of increasing inflamedness: 1. Physically, what do the four Ethernet frame types look like? 2. Politically, where do the four Ethernet frame types come from? (Or, put more simply, "Why are there four?") 3. If Ethernet_802.3 is so Yucky, should I stop using it? 4. Which Ethernet frame type should I use for IPX?) > If he value > 0xffff will pick up IPX packets, what would the value be for NCP packets? NCP isn't a protocol that runs as the same layer as IPX, it's a protocol that runs *atop* IPX, so, to pick up NCP packets, you don't use a different value there - you use that value first, and, then, for packets that *do* have that value, you then check the fields in the IPX header to see whether the IPX packet in question contains an NCP packet or not. I'll let Gilbert answer that one, as he's more likely to know the right answer off the top of his head.
- References:
- Re: [ethereal-users] Capture Filter Questions
- From: Michael . Thorp
- Re: [ethereal-users] Capture Filter Questions
- Prev by Date: Re: [ethereal-users] Capture Filter Questions
- Next by Date: Re: [ethereal-users] Capture Filter Questions
- Previous by thread: Re: [ethereal-users] Capture Filter Questions
- Next by thread: Re: [ethereal-users] Capture Filter Questions
- Index(es):