Wireshark · Ethereal-users: Re: [Ethereal-users] Question about packet filtering

Ethereal-users: Re: [Ethereal-users] Question about packet filtering

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Guy Harris" <gharris@xxxxxxxxx>

Date: Thu, 8 Apr 2004 15:18:29 -0700 (PDT)

Matthew Bedford said:
> I wish to filter traffic during capture for particular protocols, such
> as AIM, for all hosts and IPs. What would the proper syntax be.

For AIM, it'd be

    tcp port 5190

or, at least on some systems,

    tcp port aol

> I've
> tried reading the tcpdump man page (umm, lost...) and I've read the help
> section. I've tried "ether proto AIM"

"ether proto" is for protocols that run directly atop Ethernet, such as
IP; AIM runs atop TCP, not directly atop Ethernet.

> and "ip proto AIM"

"ip proto" is for protocols that run directly atop IP, such as TCP or UDP;
AIM runs atop TCP, not directly atop IP.

There *is* no syntax for protocols that run atop TCP, as the packet
filtering engine that libpcap/WinPcap uses (libpcap on UN*X, and WinPcap
on Windows, is the library Ethereal uses to do packet capturing; that
library handles filtering, as, in some OSes, the filtering is done in the
OS kernel, so that packets are discarded *before* being copied up to the
application's address space, saving significant amounts of CPU time)
doesn't support that.  It *does* support filtering on the TCP port number,
and 5190 is the TCP port number for the AOL IM protocol.

References:
- [Ethereal-users] Question about packet filtering
  - From: Matthew Bedford

Prev by Date: Re: [Ethereal-users] Not seeing PPPoE packets when filtering
Next by Date: Re: [Ethereal-users] LCF decode from Vocaltec GK does not display 2ndalternate endpoi nt
Previous by thread: Re: [Ethereal-users] Question about packet filtering
Next by thread: [Ethereal-users] How do I search for 'POST' text in the INFO field
Index(es):
- Date
- Thread