Kebin wrote:
>I am running into a confusing problem wit bit masking in ethereal
>0.9.12 on freebsd 4.8.
>
>What I want to do is look at the bits 0 - 5 in the 1st octet of the UDP
>payload and see if it is equal to 0x02. My display filter is:
>
> udp[8] & 0x1f = 2
>
>When I apply this, I get an error box that reads:
> The string "&" was unexpected in this context
>
>Does some one know what i am doing wrong? This filter works in tcpdump
It's not a valid display filter. The syntax for display filters is described here:
http://www.ethereal.com/docs/user-guide/ch03dispfilt.html
It seems that "udp[8] & 0x1f = 2" is a valid capture filter (the syntax should be the same as for tcpdump, since the
capture filtering is done in libpcap/WinPcap and not in Ethereal).
The diplay filter syntax is not the same as the capture filter syntax.
http://www.ethereal.com/faq.html#q5.5
It doesn't seem that it is possible to do a "bit-wise and", so I guess you have to try a filter such as:
udp[8]==02 || udp[8]== 22 || udp[8] == 42 || udp[8] == 62 || udp[8] == 82 || udp[8] == A2 || udp[8] == C2 || udp[8] == E2