Ethereal-users: Re: [Ethereal-users] Problem applying Ethereal filter

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Olivier Biot" <ethereal@xxxxxxxxxx>
Date: Sat, 17 Jul 2004 01:59:57 +0200
From: Jack Jackson

| At 08:38 PM 7/13/2004, Jerome VanRooijen wrote:
| >I have created a capture of my network, which has various traffic going over
| >it. The majority of this is FTP, and I would like to filter this out after
| >the capture stage, but when I apply the filter 'tcp.port != 21', Ethereal
| >continues to display all packets captured.
| >
| >Is there something that I am missing?
|
| Yes.  TCP packets have two ports, a source and a destination.  tcp.port
| refers to both.  'tcp.port != 21' is equivalent to 'tcp.srcport != 21 or
| tcp.dstport != 21'.  Since in FTP traffic one of the ports is normally not
| 21, your filter matches all TCP packets.
|
| Try '! tcp.port == 21'.  Using 'port' is useful when used with == but has
| this often unexpected side-effect with !=.

The display filter engine today adds an implicit "exists" operator to
every field appearing in a display filter expression. This means that
the expression "tcp.port != 21" means: "search for all packets having
a field named tcp.port whose value is different from 21". As Jack
said, there are 2 ports in TCP: tcp.srcport and tcp.dstport; and
tcp.port stands for either tcp.srcport or tcp.dstport. This then means
that the expression would be evaluated to "search for all packets
having a field named tcp.srcport with a value different from 21 OR
having a field named tcp.dstport with a value different from 21". This
expression will match all packets containing TCP traffic where source
and destination are not both equal to 21.

Best regards,

Olivier
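
The difference between the two filters discussed in this thread, as an added example that is not part of the original messages and is not Ethereal's code: a small Python model of the "exists"/any-occurrence rule described above, run over constructed sample packets. The helper names (`ne`, `eq`, `negate`, `matches`) and the packet table are assumptions made for illustration.

```python
# Constructed sample packets: each maps a filter field name to the list of
# values that field takes in the packet. tcp.port carries BOTH the source
# and the destination port, as described in the thread.
def tcp(src, dst):
    return {"tcp.srcport": [src], "tcp.dstport": [dst], "tcp.port": [src, dst]}

PACKETS = {
    "ftp-control c->s": tcp(40112, 21),
    "ftp-control s->c": tcp(21, 40112),
    "http":             tcp(40200, 80),
    "both-21":          tcp(21, 21),
    "dns-udp":          {"udp.port": [53000, 53]},  # no tcp.port field at all
}

def any_value(pkt, field, pred):
    """Implicit 'exists': true only if the field is present and at least
    one of its occurrences satisfies pred."""
    return any(pred(v) for v in pkt.get(field, []))

def ne(field, value):
    """Model of: field != value"""
    return lambda pkt: any_value(pkt, field, lambda v: v != value)

def eq(field, value):
    """Model of: field == value"""
    return lambda pkt: any_value(pkt, field, lambda v: v == value)

def negate(expr):
    """Model of: ! expr (applied to the whole comparison)"""
    return lambda pkt: not expr(pkt)

def matches(expr):
    """Names of the sample packets that the expression would display."""
    return [name for name, pkt in PACKETS.items() if expr(pkt)]

if __name__ == "__main__":
    # Still shows the FTP control packets: one of their two ports is not 21.
    print("tcp.port != 21   ->", matches(ne("tcp.port", 21)))
    # Hides every packet with port 21 on either side, and also shows
    # packets that have no tcp.port field (here the UDP packet).
    print("! tcp.port == 21 ->", matches(negate(eq("tcp.port", 21))))
```

In this model the negated form also displays non-TCP packets, because a packet without any tcp.port field cannot satisfy 'tcp.port == 21'.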