[Guy Harris <gharris@xxxxxxxxx>]

On Mon, Jun 09, 2003 at 03:30:41PM -0700, Hoa Nguyen wrote:
> I read the manual for setting capture filter and it said you can do the
> following for protocol:
> 
> ip|ether proto <protocol>
> 
> I try (without the quotes) "ether proto ipx" and I got a "Unable to parse
> filter string (parse error)".  There is no example in the manual so I am
> not sure what I am doing wrong.
> 
> Does anyone know what I am doing wrong?

Assuming that you can do that for *all* protocols that run atop
Ethernet, including IPX.

There are multiple ways to encapsulate IPX on Ethernet.  In newer
versions of libpcap (I forget which version was the first to support it,
and don't know if it's supported in WinPcap 2.3 or not), you can just
use "ipx" as a capture filter for IPX - it will check for all of them.
Otherwise, you'd have to do the filter yourself, and either

	1) check only for some encapsulations - for example

		ether type 0x8137

	   which will check for the "Ethernet_II" encapsulation, using
	   an DEC/Intel/Xerox Ethernet II header with a type field,
	   rather than an 802.3 header with a length field, and using an
	   Ethernet type value of hex 8137;

	2) write a full expression to check for all of them (how to do
	   that is left as an exercise for the reader).