I'm still not sure what you are trying to do - capture filter or display
filter?
A capture filter of: dst net 192.0.0.0 mask 255.0.0.0
works for me.
The tcpdump man page at
http://www.ethereal.com/docs/man-pages/tcpdump.8.html in the description
for the 'net' options says "(see networks(4) for details)". I can't find
that at www.ethereal.com and the ones I found by Googling aren't very
descriptive, so I'm not sure what is the legal syntax for 'net'.
At 08:53 AM 11/17/2005, Jeff Davis wrote:
Jack,
Uh, yup that is part of the problem. n00bitis. but still can;t get the
dst net capture filter to work, even if I cut it down to a couple of
networks. Looking at the expression list, there does not seem to be
anything under the ip section to indicate the presence of a "net"
operator. Am I missing something really basic here or ???
Thanks
Jack Jackson wrote:
At 04:49 PM 11/16/2005, Guy Harris wrote:
Jeff Davis wrote:
This is the error message:
"net" was unexpected in this context.
The following display filter isn't a valid display filter:
(dst net 187 or tcp dst net 197)
tcpdump agrees with Ethereal:
$ tcpdump -d '(dst net 187 or tcp dst net 197)'
tcpdump: WARNING: en0: no IPv4 address assigned
tcpdump: 'tcp' modifier applied to host
although it really means "'tcp' modifier applied to net" - TCP has
neither hosts nor nets, those are properties of IP.
There's also *another* problem that I suspect is due to the filter being
long (the error message might be too long), so it might be that no
syntax error is displayed for your really long filter - but the long one
gets the same error from tcpdump as '(dst net 187 or tcp dst net 197)' gets.
Try "dst net 0 or dst net 1 or..." instead.
But the error he got says "The following display filter isn't a valid
display filter" - doesn't that mean he was trying to use capture filter
syntax for a display filter?