gfernand@xxxxxxxxxxxxxxxxxx wrote:
> Does somebody know how I can create a *Capture Filter* (not a display
> filter) for a specific offset in the packet? For example, capture STP
> traffic only (offset = Protocol Identifier)
E.g., the DSAP for LLC?
If you want to capture only STP traffic, with sufficiently recent
versions of libpcap/WinPcap, you can explicitly ask for it; to quote the
tcpdump man page:
    ether proto protocol
        True if the packet is of ether type protocol. Protocol
        can be a number or one of the names ip, ip6, arp, rarp,
        atalk, aarp, decnet, sca, lat, mopdl, moprc, iso, stp,
        ipx, or netbeui. Note these identifiers are also keywords
        and must be escaped via backslash (\).
    ...
    ip, ip6, arp, rarp, atalk, aarp, decnet, iso, stp, ipx, netbeui
        Abbreviations for:
            ether proto p
        where p is one of the above protocols.
so you can just use "stp" as a filter.
> from a specific Root switch (offset = Root Identifier).
To quote the tcpdump man page:
    expr relop expr
        True if the relation holds, where relop is one of >, <,
        >=, <=, =, !=, and expr is an arithmetic expression
        composed of integer constants (expressed in standard C
        syntax), the normal binary operators [+, -, *, /, &, |,
        <<, >>], a length operator, and special packet data
        accessors. To access data inside the packet, use the
        following syntax:
            proto [ expr : size ]
        Proto is one of ether, fddi, tr, wlan, ppp, slip, link,
        ip, arp, rarp, tcp, udp, icmp or ip6, and indicates the
        protocol layer for the index operation. (ether, fddi,
        wlan, tr, ppp, slip and link all refer to the link
        layer.) Note that tcp, udp and other upper-layer
        protocol types only apply to IPv4, not IPv6 (this will
        be fixed in the future). The byte offset, relative to
        the indicated protocol layer, is given by expr. Size is
        optional and indicates the number of bytes in the field
        of interest; it can be either one, two, or four, and
        defaults to one. The length operator, indicated by the
        keyword len, gives the length of the packet.
        For example, `ether[0] & 1 != 0' catches all multicast
        traffic. The expression `ip[0] & 0xf != 5' catches all
        IP packets with options. The expression `ip[6:2] &
        0x1fff = 0' catches only unfragmented datagrams and frag
        zero of fragmented datagrams. This check is implicitly
        applied to the tcp and udp index operations. For
        instance, tcp[0] always means the first byte of the TCP
        header, and never means the first byte of an intervening
        fragment.
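Putting the two quoted man-page sections together for the "specific Root switch" case: the following shell script is an added example, not part of the original thread or of tcpdump, that builds a capture filter combining the `stp` keyword with `ether[offset:size]` accessors on the Root Identifier field. It assumes the standard 802.3 + LLC encapsulation of STP BPDUs (no 802.1Q tag); the function names and the sample MAC are constructed for the example.

```shell
#!/bin/sh
# Build a libpcap capture filter matching STP BPDUs whose Root Identifier
# carries a given bridge MAC. Offsets are counted from the start of the
# Ethernet frame (what "ether[...]" indexes) and assume 802.3 + LLC framing
# without a VLAN tag (assumption for this example):
#   0..13  802.3 header (dst, src, length)
#   14..16 LLC header (DSAP 0x42, SSAP 0x42, control 0x03)
#   17..18 BPDU Protocol Identifier (0x0000)
#   19     Protocol Version, 20 BPDU Type, 21 Flags
#   22..29 Root Identifier: 2-byte priority/system-ID, then 6-byte MAC
# An accessor reads at most 4 bytes, so the 6-byte MAC is compared as one
# 4-byte word (ether[24:4]) plus one 2-byte word (ether[28:2]).

# Normalise "00:11:22:33:44:55", "00-11-22-33-44-55" or "001122334455" to
# 12 lowercase hex digits; print nothing and return 1 on malformed input.
normalize_mac() {
    mac=$(printf '%s' "$1" | tr -d ':-' | tr 'A-F' 'a-f')
    case "$mac" in
        *[!0-9a-f]*) return 1 ;;
    esac
    [ "${#mac}" -eq 12 ] || return 1
    printf '%s' "$mac"
}

# Filter for BPDUs advertising root bridge MAC $1 (any root priority).
stp_root_mac_filter() {
    mac=$(normalize_mac "$1") || return 1
    printf 'stp and ether[24:4] = 0x%s and ether[28:2] = 0x%s' \
        "${mac%????}" "${mac#????????}"
}

# Same, but also pin the 2-byte root priority field ($2, decimal, e.g. 32768).
stp_root_filter() {
    case "$2" in ''|*[!0-9]*) return 1 ;; esac
    base=$(stp_root_mac_filter "$1") || return 1
    printf '%s and ether[22:2] = %d' "$base" "$2"
}

# Optional syntax check: -d makes tcpdump dump the compiled BPF program and
# stop instead of capturing; -y fixes the link type to Ethernet.
check_filter() {
    command -v tcpdump >/dev/null 2>&1 || { echo "tcpdump not found" >&2; return 0; }
    tcpdump -y EN10MB -d "$1"
}

# Stand-alone usage: sh stp_filter.sh 00:11:22:33:44:55 [32768]
if [ $# -ge 2 ]; then stp_root_filter "$1" "$2"; echo
elif [ $# -eq 1 ]; then stp_root_mac_filter "$1"; echo
fi
```

The printed expression can be pasted directly into the Wireshark capture filter box or passed to tcpdump in quotes.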