Wireshark · Ethereal-users: Re: [Ethereal-users] Sniffer Pro vs Ethereal

Ethereal-users: Re: [Ethereal-users] Sniffer Pro vs Ethereal

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>

Date: Mon, 3 Sep 2001 14:41:38 -0700

On Mon, Sep 03, 2001 at 12:46:19PM +0800, Visser, Martin (SNO) wrote:
> Unfortunately Ethereal can't quite do this either. So, please write the code
> to do this!(it has been noted more than once on the development list that
> this feature is needed.)

Are you talking about capture filters or display filters?

For capture filters, there's no convenient syntax offered by libpcap at
present, but you can do something such as

	ip[12:4] & 0xffffff00 == 0x0a0a0a00

to check for source addresses in 10.10.10.0/24, and something such as

	ip[16:4] & 0xffffff00 == 0x0a0a0a00

to check for destination addresses in 10.10.10.0/24, so to test for
packets either coming from or going to that network, do

(ip[12:4] & 0xffffff00 == 0x0a0a0a00) || (ip[16:4] & 0xffffff00 == 0x0a0a0a00)

For display filters, we now support CIDR-style addresses in filters, so

	ip.addr == 10.1.2.0/24

should match packets coming from or going to the 10.1.2.0/24 network.

Follow-Ups:
- Re: [Ethereal-users] Sniffer Pro vs Ethereal
  - From: Guy Harris

References:
- RE: [Ethereal-users] Sniffer Pro vs Ethereal
  - From: Visser, Martin (SNO)

Prev by Date: Re: [Ethereal-users] change location of preferences dir '.etherea l' on W2K
Next by Date: Re: [Ethereal-users] Sniffer Pro vs Ethereal
Previous by thread: RE: [Ethereal-users] Sniffer Pro vs Ethereal
Next by thread: Re: [Ethereal-users] Sniffer Pro vs Ethereal
Index(es):
- Date
- Thread