Hello Guy,
thank you very much, that was the best answer I ever got on a mailing list.
Andreas
> -----Original Message-----
> From: Guy Harris [SMTP:gharris@xxxxxxxxx]
> Sent: Monday, 18 February 2002 22:37
> To: Andreas Moroder
> Cc: 'ethereal-users@xxxxxxxxxxxx'
> Subject: Re: [Ethereal-users] How to filter IPX
>
> On Mon, Feb 18, 2002 at 11:00:02AM +0100, Andreas Moroder wrote:
> > In our network all machines should be set to use IPX 802.3. Our Fluke tells
> > me that there are machines that send out IPX Ethernet II and IPX 802.2
> > packets, but it does not tell me who.
> >
> > Can anyone please tell me how I can set the filters to see only machines
> > sending these types of frames?
>
> First, I'll discuss capture filters, which control what packets Ethereal
> captures, rather than what packets Ethereal displays in a capture that
> you already have.
>
> IPX-over-Ethernet II frames have an Ethernet type/length field value of
> 0x8137 (which is a type value).
>
> IPX-over-802.2 frames have an Ethernet type/length field value that's <=
> 1500 (so it's a length value), and an 802.2 LLC header with a
> destination SAP of 0xE0.
>
> IPX-over-802.3 frames have an Ethernet type/length field value that's <=
> 1500 (so it's a length value), followed by two bytes of 0xFF.
>
> A capture filter expression to capture only IPX-over-Ethernet II packets
> would be
>
> ether proto 0x8137
>
> which would check for an Ethernet type field value of 0x8137.
>
> There's no built-in expression syntax, in the libpcap/WinPcap parser, to
> check for an 802.3 frame ("802.3 frame" meaning "frame with a length
> field rather than a type field", not "IPX-over-802.3 frame" -
> 802.2-over-802.3 frames, as well as IPX-over-802.3 frames, are both
> 802.3 frames), so an expression to check for that would have to be
> constructed as an explicit expression, as per the "expr relop expr"
> portion of the "expression" section of the tcpdump man page.
>
> That would be
>
> ether[12:2] <= 1500
>
> to check whether the Ethernet type/length field is in the range for a
> length rather than a type.
>
> If that test passes, a test for an IPX-over-802.2 frame would test the
> first byte *after* the Ethernet header, i.e.
>
> ether[14:1] = 0xE0
>
> So a capture filter expression that would capture IPX-over-Ethernet II,
> and IPX-over-802.2, but not IPX-over-raw-802.3 frames, would be
>
> ether proto 0x8137 || (ether[12:2] <= 1500 && ether[14:1] = 0xE0)
>
> Now I'll discuss display filters, if you already have a capture that
> includes IPX-over-raw-802.3 packets as well as IPX-over-Ethernet II and
> IPX-over-802.2 packets.
>
> A *display* filter that would match IPX-over-Ethernet II packets and
> IPX-over-802.2 packets, but not IPX-over-raw-802.3 packets, would be
>
> eth.type == 0x8137 || llc.dsap == 0xe0
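
As an added worked example (this is not part of Guy's answer or of Ethereal/libpcap; the function names, MAC addresses and frames below are constructed for illustration), here is a small Python script that applies the same byte checks the capture filter and the display filter above rely on: ether[12:2] for the type/length field, then the first payload bytes after the 14-byte Ethernet header (0xE0 for an 802.2 LLC DSAP, 0xFFFF for the checksum field that starts a raw-802.3 IPX frame). It also groups the frames by source MAC, which is the "who is sending this" part of the original question. Run it against frames read from a capture file to get the same classification offline.

```python
"""Classify Ethernet frames by IPX encapsulation and report the sender.

Added example; all frames and MAC addresses here are constructed, not captured.
"""
import struct
from collections import defaultdict

IPX_ETHERTYPE = 0x8137      # Ethernet II type value for IPX
IPX_SAP = 0xE0              # 802.2 LLC SAP used by IPX (Novell)
MAX_8023_LENGTH = 1500      # type/length values <= 1500 are lengths (802.3)

# The capture filter from the answer, kept here for reference (libpcap syntax).
CAPTURE_FILTER = "ether proto 0x8137 || (ether[12:2] <= 1500 && ether[14:1] = 0xE0)"


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def classify(frame: bytes) -> str:
    """Return the IPX encapsulation (if any) of one Ethernet frame.

    Uses the same offsets as the capture filter: frame[12:14] is the
    type/length field, frame[14:] is the first payload byte(s).
    """
    if len(frame) < 16:
        return "truncated"
    type_len = struct.unpack("!H", frame[12:14])[0]
    if type_len == IPX_ETHERTYPE:
        return "ipx-ethernet-ii"
    if type_len > MAX_8023_LENGTH:
        return "other-ethernet-ii"          # some other type value, e.g. IP
    # From here on the field is a length, so this is an 802.3 frame.
    if frame[14:16] == b"\xff\xff":
        return "ipx-802.3-raw"              # IPX header starts with 0xFFFF checksum
    if frame[14] == IPX_SAP:
        return "ipx-802.2"                  # 802.2 LLC header with DSAP 0xE0
    return "other-802.3"


def matches_capture_filter(frame: bytes) -> bool:
    """Python equivalent of CAPTURE_FILTER: Ethernet II or 802.2 IPX, not raw 802.3."""
    return classify(frame) in ("ipx-ethernet-ii", "ipx-802.2")


def build_frame(src: bytes, encaps: str, ipx_payload: bytes) -> bytes:
    """Build a constructed test frame to a broadcast destination (hypothetical helper)."""
    dst = b"\xff" * 6
    if encaps == "ethernet-ii":
        return dst + src + struct.pack("!H", IPX_ETHERTYPE) + ipx_payload
    if encaps == "802.2":
        llc = bytes([IPX_SAP, IPX_SAP, 0x03])     # DSAP, SSAP, UI control field
        body = llc + ipx_payload
        return dst + src + struct.pack("!H", len(body)) + body
    if encaps == "802.3-raw":
        return dst + src + struct.pack("!H", len(ipx_payload)) + ipx_payload
    raise ValueError(encaps)


def senders_by_encapsulation(frames):
    """Group source MACs by IPX encapsulation: which machines send which frame type."""
    result = defaultdict(set)
    for f in frames:
        kind = classify(f)
        if kind.startswith("ipx-"):
            result[kind].add(mac_str(f[6:12]))
    return {k: sorted(v) for k, v in result.items()}


# Minimal constructed 30-byte IPX header: checksum 0xFFFF, length 30, rest zero.
IPX_HDR = b"\xff\xff" + struct.pack("!H", 30) + bytes(26)

# Constructed sample traffic (hypothetical MACs), including one non-IPX frame.
SAMPLE_FRAMES = [
    build_frame(bytes.fromhex("0000c0111111"), "802.3-raw", IPX_HDR),
    build_frame(bytes.fromhex("0000c0222222"), "ethernet-ii", IPX_HDR),
    build_frame(bytes.fromhex("0000c0333333"), "802.2", IPX_HDR),
    build_frame(bytes.fromhex("0000c0222222"), "ethernet-ii", IPX_HDR),
    b"\xff" * 6 + bytes.fromhex("0000c0444444") + b"\x08\x00" + bytes(46),  # IPv4, ignored
]

if __name__ == "__main__":
    for kind, macs in sorted(senders_by_encapsulation(SAMPLE_FRAMES).items()):
        print(f"{kind:18} {', '.join(macs)}")
```

The raw-802.3 test (0xFFFF after the length field) is checked before the DSAP test so the two cannot be confused; a frame that the capture filter would drop (raw 802.3) still shows up in senders_by_encapsulation, which is the display-filter view of an existing capture.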