Ethereal-users: Re: [Ethereal-users] Capture Filter with multiple exclusions?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Sun, 8 Sep 2002 14:00:09 -0700
On Sun, Sep 08, 2002 at 12:56:11PM -0700, Jack Jackson wrote:
> I don't think the combinations matter at all.  You are using some illegal 
> protocols.

Yes.

> According to the tcpdump man page, bootp is not accepted as a protocol.
> 
> smtp should be specified as "tcp port smtp".

Yes.

BOOTP runs atop UDP, SMTP runs atop TCP, and neither UDP nor TCP has a
"protocol" field, like Ethernet and IP, which do (the packet type field
in Ethernet, and the protocol field in IP), so you can say "arp" or "not
arp", which test the Ethernet packet type field when capturing on
Ethernet, and can say "icmp" or "not icmp", which test the IP protocol
field, but you can't say "smtp" or "not smtp" or "bootp" or "not bootp".

Instead, tests for BOOTP and SMTP have to test the port number fields,
so, as you note, testing for SMTP would be done with "tcp port smtp" if
the services database used by your machine maps "smtp" to 25 (otherwise,
you have to say "tcp port 25").

Similarly, there are BOOTP server and client ports, so you could test
for "udp port bootps or udp port bootpc" (or, if the services database
doesn't map "bootps" to 67 and "bootpc" to 68, "udp port 67 or udp port
68").
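The following is an added example, not code from the original message, from
Ethereal or from tcpdump. It implements in Python the same header tests the
reply above describes, so you can see where each capture-filter keyword
actually looks: "arp" reads the Ethernet type field, "icmp" reads the IP
protocol field, and "tcp port 25" / "udp port 67 or udp port 68" read the
TCP/UDP port fields after checking the IP protocol. The sample frames are
constructed by hand (zeroed MAC addresses, 10.0.0.x addresses, arbitrary
ephemeral ports) purely for illustration. The combined exclusion filter
modelled at the end corresponds to `not (tcp port 25 or udp port 67 or udp
port 68)`.

```python
import struct

# Field values the filter keywords actually test.
ETHERTYPE_IP = 0x0800
ETHERTYPE_ARP = 0x0806
IPPROTO_ICMP = 1
IPPROTO_TCP = 6
IPPROTO_UDP = 17


def parse_frame(frame: bytes) -> dict:
    """Decode Ethernet type, IPv4 protocol and L4 ports of one raw frame.

    Note there is no "smtp" or "bootp" field anywhere in these headers;
    the application protocol can only be inferred from the port numbers.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"ethertype": ethertype, "ipproto": None, "sport": None, "dport": None}
    if ethertype != ETHERTYPE_IP:
        return info                      # ARP etc.: no IP header to look at
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    ihl = (ip[0] & 0x0F) * 4             # header length in bytes (options allowed)
    info["ipproto"] = ip[9]              # the IP "protocol" field
    l4 = ip[ihl:]
    if info["ipproto"] in (IPPROTO_TCP, IPPROTO_UDP) and len(l4) >= 4:
        info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
    return info


def is_arp(frame: bytes) -> bool:        # "arp": Ethernet type field
    return parse_frame(frame)["ethertype"] == ETHERTYPE_ARP


def is_icmp(frame: bytes) -> bool:       # "icmp": IP protocol field
    return parse_frame(frame)["ipproto"] == IPPROTO_ICMP


def tcp_port(frame: bytes, port: int) -> bool:   # "tcp port N"
    p = parse_frame(frame)
    return p["ipproto"] == IPPROTO_TCP and port in (p["sport"], p["dport"])


def udp_port(frame: bytes, port: int) -> bool:   # "udp port N"
    p = parse_frame(frame)
    return p["ipproto"] == IPPROTO_UDP and port in (p["sport"], p["dport"])


def is_smtp(frame: bytes) -> bool:       # "tcp port smtp" with smtp -> 25
    return tcp_port(frame, 25)


def is_bootp(frame: bytes) -> bool:      # "udp port bootps or udp port bootpc"
    return udp_port(frame, 67) or udp_port(frame, 68)


def passes_exclusion_filter(frame: bytes) -> bool:
    """Equivalent of: not (tcp port 25 or udp port 67 or udp port 68)."""
    return not (is_smtp(frame) or is_bootp(frame))


def build_frame(ethertype: int, proto: int = 0, sport: int = 0, dport: int = 0) -> bytes:
    """Constructed test frame: zero MACs, minimal IPv4 header, 4 bytes of L4."""
    eth = b"\x00" * 12 + struct.pack("!H", ethertype)
    if ethertype != ETHERTYPE_IP:
        return eth + b"\x00" * 28                 # ARP body, contents irrelevant here
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        l4 = struct.pack("!HH", sport, dport)     # only the port fields matter
    else:
        l4 = b"\x08\x00\x00\x00"                  # ICMP echo request type/code/checksum
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + l4


# Constructed sample traffic (not captured data).
SMTP_FRAME = build_frame(ETHERTYPE_IP, IPPROTO_TCP, 40000, 25)
BOOTP_REQUEST = build_frame(ETHERTYPE_IP, IPPROTO_UDP, 68, 67)
DNS_FRAME = build_frame(ETHERTYPE_IP, IPPROTO_UDP, 40001, 53)
ICMP_FRAME = build_frame(ETHERTYPE_IP, IPPROTO_ICMP)
ARP_FRAME = build_frame(ETHERTYPE_ARP)


def apply_filter(frames):
    """Return the frames a capture with the exclusion filter would keep."""
    return [f for f in frames if passes_exclusion_filter(f)]


if __name__ == "__main__":
    kept = apply_filter([SMTP_FRAME, BOOTP_REQUEST, DNS_FRAME, ICMP_FRAME, ARP_FRAME])
    print(f"{len(kept)} of 5 frames pass the exclusion filter")   # 3 of 5
```

On a real capture the same exclusion is typed as `tcpdump -n 'not (tcp port
25 or udp port 67 or udp port 68)'`; spelling it with numbers rather than
`smtp`, `bootps` and `bootpc` avoids any dependence on the local services
database. Note that the port test is scoped to one transport protocol, so
`tcp port 67` does not match BOOTP traffic at all.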