Ethereal-users: [Ethereal-users] Re: [Ethereal-dev] Expression Meanings

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Mon, 27 Jan 2003 11:56:42 -0800

On Mon, Jan 27, 2003 at 03:44:34PM -0400, Eddie Orta wrote:
>     I just wonder if using the Expression as is in the following table
> means that I'm going to capture the Type of Information.
> 
> Type         --          Expression
> 
> DEC Lan Bridge  --  ether[0]==0x8038

	...

> Please, I would like to know if I'm wrong or not.

You're wrong.  "ether[0]", as a capture filter, tests only the first
byte of the Ethernet header, but the Ethernet packet type

	1) doesn't start at the beginning of the Ethernet header

and

	2) is 2 bytes long.

See the tcpdump man page section on filter expressions.

> And if I am wrong, how
> would I do the Expression to capture the Type in these cases?

	ether proto 0x8038

and so on.

Note also that the same applies to display filters, although, in the
case of a display filter, the correct expressions would be

	eth.type == 0x8038

and so on.
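
What the two capture filter forms in this message test, emulated in Python on constructed frames. This is an added example, not part of the original message and not tcpdump or Ethereal code. The helper names and MAC addresses are made up, and the frames are assumed to be untagged Ethernet II, where the 2-byte type field sits at offset 12.

```python
ETHERTYPE_OFFSET = 12  # 6-byte destination + 6-byte source come before the type

def ether_load(frame: bytes, offset: int, size: int = 1):
    """Emulate the accessor ether[offset:size]: a big-endian unsigned load.

    size may be 1, 2 or 4 and defaults to 1, so ether[0] reads a single byte.
    Returns None when the load runs past the end of the frame, in which case
    the filter does not match the packet.
    """
    if size not in (1, 2, 4):
        raise ValueError("size must be 1, 2 or 4")
    if offset < 0 or offset + size > len(frame):
        return None
    return int.from_bytes(frame[offset:offset + size], "big")

def matches(frame: bytes, offset: int, size: int, value: int) -> bool:
    """Emulate the test ether[offset:size] == value."""
    loaded = ether_load(frame, offset, size)
    return loaded is not None and loaded == value

def ether_proto(frame: bytes, proto: int) -> bool:
    """Emulate 'ether proto <number>' on an untagged Ethernet II frame."""
    return matches(frame, ETHERTYPE_OFFSET, 2, proto)

def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Assemble a frame: destination, source, type, payload (no FCS)."""
    return dst + src + ethertype.to_bytes(2, "big") + payload

# Constructed sample frames (addresses and payloads are arbitrary).
DST = bytes.fromhex("020000000001")
SRC = bytes.fromhex("020000000002")
DEC_FRAME = build_frame(DST, SRC, 0x8038, b"\x00" * 46)
IP_FRAME = build_frame(DST, SRC, 0x0800, b"\x00" * 46)

if __name__ == "__main__":
    # ether[0] is the first byte of the destination address, never the type.
    print("ether[0]            =", hex(ether_load(DEC_FRAME, 0)))
    # A 1-byte load is at most 0xff, so comparing it with 0x8038 always fails.
    print("ether[0]==0x8038    ->", matches(DEC_FRAME, 0, 1, 0x8038))
    print("ether[12:2]         =", hex(ether_load(DEC_FRAME, 12, 2)))
    print("ether proto 0x8038  ->", ether_proto(DEC_FRAME, 0x8038))
    print("same filter, IP pkt ->", ether_proto(IP_FRAME, 0x8038))
```
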