Wireshark · Ethereal-users: Re: [Ethereal-users] unable to parse filter string

Ethereal-users: Re: [Ethereal-users] unable to parse filter string

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>

Date: Tue, 5 Mar 2002 13:16:52 -0800

On Tue, Mar 05, 2002 at 12:25:33PM -0600, Senthil Kumar wrote:
> I am getting the warning screen:
> 
> Unable to parse filter string(parse error) when i start to capture with
> the filter string
> ether proto ppp
> 
> I checked with the tcpdump & the syntax look ok.

You didn't check carefully enough.

The tcpdump 3.7.1 man page says:

	  ether	proto protocol
	       True if the packet  is  of  ether  type	protocol.
	       Protocol	 can  be a number or one of the	names ip,
	       ip6, arp, rarp, atalk,  aarp,  decnet,  sca,  lat,
	       mopdl,  moprc,  iso,  stp,  ipx,	or netbeui.  Note
	       these identifiers are also keywords  and	 must  be
	       escaped via backslash (\).

It says nothing about "ppp", so the syntax of "ether proto ppp" isn't OK
(or the syntax is OK but the semantics aren't OK, but, in either case,
it's not a valid expression).

If by "ether proto ppp" you mean you want to filter for PPPoE, then you
have to use numbers:

	ether proto 0x8863 or ether proto 0x8864

Follow-Ups:
- Re: [Ethereal-users] unable to parse filter string
  - From: Senthil Kumar

References:
- [Ethereal-users] unable to parse filter string
  - From: Senthil Kumar

Prev by Date: Re: [Ethereal-users] SNMP and OID parsing for eneterprises branch
Next by Date: Re: [Ethereal-users] unable to parse filter string
Previous by thread: [Ethereal-users] unable to parse filter string
Next by thread: Re: [Ethereal-users] unable to parse filter string
Index(es):
- Date
- Thread