On Nov 19, 2003, at 6:44 PM, Ow Mun Heng wrote:
> I'm running on a 802.11. I do not want to see LLC protocol packets.

I.e., you want to see only control and management frames?
Then you'll need a filter that looks at the first two bytes of the
header - "link[0:2]".
I don't have the 802.11 spec in front of me, but from a quick look at
the Ethereal dissector it appears that the frame type is stored in the
two bits above the bottom two bits in that 16-bit quantity, and that
data frames have 2 there, so try

    (link[0:2] & 0x0C) != 2

> My current "capture" filter is this
>
> !arp and !port 53 and !ip of ethereal host and !llc
>                                                ^^^^ something like this
>
> I want all other packets to be logged. ARP and DNS request packets are just
> 'information' which is not needed. I know DNS and ARP are working fine.

If you filter out LLC frames, then "!arp", "!port 53", and
"!ip-of-ethereal-host" are unnecessary, as ARP packets, DNS packets,
and, in fact, *ALL* IP packets, whether they're going to or from the
Ethereal host or not, are LLC packets.
If you really want to see *ONLY* management and control frames - and
*NO* IP frames *AT ALL* (no ICMP, no TCP, no UDP, no SCTP, ...), then
just

    (link[0:2] & 0x0C) != 2

If you *do* want to see IP traffic, you'll have to figure out what type
of LLC frames you *don't* want to see, and construct a filter to filter
*them* out - unless you *only* want to see IP frames, in which case a
capture filter of just

    ip

will work. (Well, you might need

    ip || ip6

if you also want to see IPv6 frames.)
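
An added sketch, not part of the original message, that models how BPF evaluates the masked comparison above against the 802.11 Frame Control field, so the filter can be checked before it is used on a capture. The sample frames are constructed, and the single-byte variant `(link[0] & 0x0C) != 0x08` is an assumption introduced here for comparison.

```python
# Added example: models BPF "link[...]" loads on an 802.11 header.
# Frame Control byte 0: version (bits 0-1), type (bits 2-3), subtype (bits 4-7).
# Frame Control byte 1: flags (0x01 ToDS, 0x02 FromDS, 0x04 MoreFrag, 0x08 Retry, ...).
TYPE_NAMES = {0: "management", 1: "control", 2: "data", 3: "extension"}


def frame_type(frame: bytes) -> str:
    """Decode the 2-bit type field from the first Frame Control byte."""
    return TYPE_NAMES[(frame[0] >> 2) & 0x03]


def bpf_load(frame: bytes, offset: int, size: int) -> int:
    """Emulate link[offset:size]: BPF loads multi-byte values big-endian."""
    return int.from_bytes(frame[offset:offset + size], "big")


def posted_filter(frame: bytes) -> bool:
    """The expression from the message: (link[0:2] & 0x0C) != 2."""
    return (bpf_load(frame, 0, 2) & 0x0C) != 2


def byte0_filter(frame: bytes) -> bool:
    """Assumed variant for comparison: (link[0] & 0x0C) != 0x08."""
    return (bpf_load(frame, 0, 1) & 0x0C) != 0x08


# Constructed Frame Control values (first two header bytes only).
SAMPLES = {
    "beacon": bytes([0x80, 0x00]),
    "ack": bytes([0xD4, 0x00]),
    "data to-DS": bytes([0x08, 0x01]),
    "QoS data retry": bytes([0x88, 0x0A]),
}


def compare() -> dict:
    """Map sample name -> (decoded type, posted filter passes, byte-0 filter passes)."""
    return {n: (frame_type(f), posted_filter(f), byte0_filter(f))
            for n, f in SAMPLES.items()}


if __name__ == "__main__":
    for name, (ftype, posted, byte0) in compare().items():
        print(f"{name:15} {ftype:11} posted={posted!s:5} byte0={byte0}")
```

Because the mask 0x0C can only yield 0, 4, 8 or 12, a comparison against 2 is true for every frame, so all four samples pass the posted expression. In a 16-bit big-endian load the masked bits also fall in the flags byte rather than in the type field, which is why the single-byte load is the one that separates data frames from management and control frames here.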