Ethereal-users: Re: [Ethereal-users] Filter out LLC protocol packets

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 19 Nov 2003 18:57:48 -0800

On Nov 19, 2003, at 6:44 PM, Ow Mun Heng wrote:

> I'm running on a 802.11. I do not want to see LLC protocol packets.

I.e., you want to see only control and management frames?

Then you'll need a filter that looks at the first two bytes of the header - "link[0:2]".

I don't have the 802.11 spec in front of me, but from a quick look at the Ethereal dissector it appears that the frame type is stored in the two bits above the bottom two bits in that 16-bit quantity, and that data frames have 2 there, so try

	(link[0:2] & 0x0C00) != 0x0800

> My current "capture" filter is this
>
> !arp and !port 53 and !ip of ethereal host and !llc
>                                                ^^^^ something like this
>
> I want all other packets to be logged. Arp and DNS request packets are just
> 'information' which is not needed. I know DNS and Arp are working fine.

If you filter out LLC frames, then "!arp", "!port 53", and "!ip-of-ethereal-host" are unnecessary, as ARP packets, DNS packets, and, in fact, *ALL* IP packets, whether they're going to or from the Ethereal host or not, are LLC packets.

If you really want to see *ONLY* management and control frames - and *NO* IP frames *AT ALL* (no ICMP, no TCP, no UDP, no SCTP, ...), then just

	(link[0:2] & 0x0C00) != 0x0800

If you *do* want to see IP traffic, you'll have to figure out what type of LLC frames you *don't* want to see, and construct a filter to filter *them* out - unless you *only* want to see IP frames, in which case a capture filter of just

	ip

will work.  (Well, you might need

	ip || ip6

if you also want to see IPv6 frames.)
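
Added example, not part of the original message or of Ethereal's code: a Python model of how a capture-filter load such as link[0:2] reads the 802.11 Frame Control field (big-endian, so the type bits of byte 0 land in the high byte) and which constructed sample headers a "not a data frame" test keeps. It assumes the capture's link-layer header starts directly with the 802.11 MAC header (no radiotap or Prism header in front); the sample bytes and all function names are constructed for illustration.

```python
# 802.11 Frame Control, byte 0: bits 0-1 version, bits 2-3 type, bits 4-7 subtype.
# Byte 1 carries flags: 0x01 To-DS, 0x02 From-DS, 0x04 More Fragments, 0x08 Retry.
TYPE_NAMES = {0: "management", 1: "control", 2: "data", 3: "reserved"}

# Constructed sample headers: (label, first two bytes of the 802.11 MAC header).
SAMPLES = [
    ("beacon",          bytes([0x80, 0x00])),  # type 0, subtype 8
    ("ack",             bytes([0xD4, 0x00])),  # type 1, subtype 13
    ("data to-DS",      bytes([0x08, 0x01])),  # type 2, subtype 0
    ("qos-data retry",  bytes([0x88, 0x0A])),  # type 2, subtype 8, From-DS + Retry
    ("probe-req retry", bytes([0x40, 0x08])),  # type 0, subtype 4, Retry
]

def link_load(frame: bytes, offset: int, size: int) -> int:
    """Model of link[offset:size]: an unsigned big-endian load."""
    if offset + size > len(frame):
        raise ValueError("frame too short for requested load")
    return int.from_bytes(frame[offset:offset + size], "big")

def frame_type(frame: bytes) -> str:
    """Decode the type field straight from byte 0."""
    return TYPE_NAMES[(frame[0] >> 2) & 0x03]

def keep_non_data(frame: bytes) -> bool:
    """Model of: (link[0:2] & 0x0C00) != 0x0800"""
    return (link_load(frame, 0, 2) & 0x0C00) != 0x0800

def low_byte_bits(frame: bytes) -> int:
    """A 0x000C mask on link[0:2] selects More Fragments / Retry, not the type."""
    return link_load(frame, 0, 2) & 0x000C

def kept_labels(samples=SAMPLES):
    """Labels of the sample frames that the non-data test lets through."""
    return [label for label, hdr in samples if keep_non_data(hdr)]

if __name__ == "__main__":
    for label, hdr in SAMPLES:
        print(f"{label:16} fc=0x{link_load(hdr, 0, 2):04x} "
              f"type={frame_type(hdr):10} kept={keep_non_data(hdr)} "
              f"low-byte bits=0x{low_byte_bits(hdr):02x}")
```

If the capture does carry a radio metadata header before the MAC header, offset 0 is not the Frame Control field and the same byte test would match the wrong data.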