Found the answer to my own question, just took a little more digging.
Turns out some FIX protocol messages can be very short, so I didn't want to
filter by sizes.
I was able to filter using the bitmask flags though.
FIX messages have both the ACK and PSH flags set, so using the following:
tethereal -i eri0 -f "(port 51209 || port 51266) and ((tcp[13] & 16 != 0) and
(tcp[13] & 8 != 0))" -w outputfile
I still get ACK,PSH packets (which come about once a minute) and all FIX
packets, and nothing else on those ports. There's a good writeup on using
the bitmask filters at:
http://www.security-focus-forums.com/forum/viewtopic.php?t=4489
Thanks for the help.
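As an added illustration (not part of either post in this thread), the following Python decodes a few constructed Ethernet/IPv4/TCP frames and applies the two filters above as predicates. It shows why the original "len >= 0" test never excludes anything (BPF "len" is the whole frame, and a pure ACK is still 54 bytes on Ethernet), that "tcp[13]" is the TCP flags byte with ACK at bit 16 and PSH at bit 8, and that the reply's filter needs the ports grouped, because in the tcpdump/libpcap filter grammar "and" binds tighter than "or". The port numbers are the ones from the thread; the FIX-looking payload and all frames are constructed here and are not captured traffic.

```python
import struct

# Added example: a tiny frame builder and decoder used to show what the two
# capture filters in this thread actually select. All frames below are
# constructed here, not real captures.

ETH_LEN = 14
TCP_ACK = 0x10   # bit tested by "tcp[13] & 16"
TCP_PSH = 0x08   # bit tested by "tcp[13] & 8"
FIX_PORTS = {51209, 51266}   # the ports from the thread (assumed FIX sessions)

# Constructed FIX-style payload with SOH (0x01) field separators; not a real
# session message, just enough bytes to give the segment a non-empty payload.
FIX_MSG = b"8=FIX.4.2\x019=5\x0135=0\x0110=000\x01"


def build_frame(src_port, dst_port, flags, payload=b""):
    """Ethernet II + IPv4 + TCP frame with no options; checksums left zero."""
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1,
                      5 << 4, flags, 65535, 0, 0)          # data offset 5 words
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    eth = b"\x00" * 12 + b"\x08\x00"                       # EtherType IPv4
    return eth + ip + tcp + payload


def ip_header(frame):
    return frame[ETH_LEN:]


def tcp_header(frame):
    ihl = (ip_header(frame)[0] & 0x0F) * 4
    return ip_header(frame)[ihl:]


def tcp_ports(frame):
    return struct.unpack("!HH", tcp_header(frame)[:4])


def tcp_flags(frame):
    """The byte BPF addresses as tcp[13]."""
    return tcp_header(frame)[13]


def tcp_payload_len(frame):
    """Segment payload length: IP total length minus IP and TCP header lengths."""
    ip = ip_header(frame)
    total = struct.unpack("!H", ip[2:4])[0]
    ihl = (ip[0] & 0x0F) * 4
    doff = (tcp_header(frame)[12] >> 4) * 4
    return total - ihl - doff


def on_fix_port(frame):
    return bool(set(tcp_ports(frame)) & FIX_PORTS)


def len_filter(frame):
    """The original question's filter: (port A || port B) && len >= 0.
    'len' is the whole frame, so a pure ACK (54 bytes on Ethernet) still passes."""
    return on_fix_port(frame) and len(frame) >= 0


def psh_ack(frame):
    f = tcp_flags(frame)
    return (f & TCP_ACK) != 0 and (f & TCP_PSH) != 0


def as_written_filter(frame):
    """The reply's filter parsed the way BPF parses it: 'and' binds tighter
    than 'or', so 'port A || port B and (flags)' is 'port A || (port B and flags)'."""
    sp, dp = tcp_ports(frame)
    return (51209 in (sp, dp)) or (51266 in (sp, dp) and psh_ack(frame))


def grouped_filter(frame):
    """Ports grouped explicitly: (port A || port B) and PSH and ACK."""
    return on_fix_port(frame) and psh_ack(frame)


def capture_filter(ports):
    """Build the grouped BPF expression to hand to tethereal/tcpdump -f."""
    port_expr = " or ".join("port %d" % p for p in sorted(ports))
    return "(%s) and (tcp[13] & 16 != 0) and (tcp[13] & 8 != 0)" % port_expr


SAMPLES = {
    "pure_ack_51209": build_frame(51209, 40000, TCP_ACK),
    "pure_ack_51266": build_frame(40001, 51266, TCP_ACK),
    "fix_51209": build_frame(51209, 40000, TCP_ACK | TCP_PSH, FIX_MSG),
    "fix_51266": build_frame(40001, 51266, TCP_ACK | TCP_PSH, FIX_MSG),
    "http_other_port": build_frame(40002, 80, TCP_ACK | TCP_PSH,
                                   b"GET / HTTP/1.0\r\n\r\n"),
}


def select(filter_fn):
    """Names of the sample frames a filter would keep, in a stable order."""
    return [name for name in sorted(SAMPLES) if filter_fn(SAMPLES[name])]


if __name__ == "__main__":
    for fn in (len_filter, as_written_filter, grouped_filter):
        print("%-18s -> %s" % (fn.__name__, select(fn)))
    print(capture_filter(FIX_PORTS))
```

Running it shows len_filter keeping both pure ACKs, as_written_filter still keeping the pure ACK on 51209 (the ungrouped "or" swallows the flag test for that port), and grouped_filter keeping only the two PSH/ACK segments. The string from capture_filter is the grouped expression to pass with -f.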
-----Original Message-----
From: ethereal-users-bounces@xxxxxxxxxxxx
[mailto:ethereal-users-bounces@xxxxxxxxxxxx]On Behalf Of Ronald Prague
Sent: Friday, May 30, 2003 8:52 AM
To: ethereal-users@xxxxxxxxxxxx
Subject: [Ethereal-users] Quick filter question (yes, we've all heard it before...)
I've got a quick question on capture filters.
I'm capturing on a specific set of ports with tethereal for the FIX
protocol, what I don't want are the ACK packets captured...
The command line I'm using looks as follows:
[ether@empire /home/ether/captures]# tethereal -i eri0 -f "port 51209 ||
port 51266 && len >= 0" -w outputfile
As I understand that statement, it should only capture packets on those two
ports (that works) and only packets > 0 length (ACK packets are mostly 0
length, right?)...
Yet it's still capturing all the ACK packets.
Help!
_______________________________________________
Ethereal-users mailing list
Ethereal-users@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-users