Ethereal-users: Re: [Ethereal-users] Cannot filter on dst net?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: Jeff Davis <jdavis@xxxxxxxxxxxxxxxxxx>
Date: Thu, 17 Nov 2005 13:34:55 -0800
Yup - that did it :)

I was trying to do a capture filter - basically capture all outbound bogon traffic to trace which host was infected with bagle - btw if there's a better way to do this please let me know.

Yeah part of my problem was using capture syntax in the display filter.  Mea Culpa.

Thanks

Wakefield, Thad M. wrote: 
Try:
   (tcp and (dst net 0 or ...))

Thad 

  
-----Original Message-----
From: ethereal-users-bounces@xxxxxxxxxxxx 
[mailto:ethereal-users-bounces@xxxxxxxxxxxx] On Behalf Of Jack Jackson
Sent: Thursday, November 17, 2005 3:23 PM
To: Ethereal user support
Subject: Re: [Ethereal-users] Cannot filter on dst net?

I'm still not sure what you are trying to do - capture filter 
or display 
filter?

A capture filter of:  dst net 192.0.0.0 mask 255.0.0.0
works for me.

The tcpdump man page at 
http://www.ethereal.com/docs/man-pages/tcpdump.8.html in the 
description 
for the 'net' options says "(see networks(4) for details)".  
I can't find 
that at www.ethereal.com and the ones I found by Googling aren't very 
descriptive, so I'm not sure what is the legal syntax for 'net'.


At 08:53 AM 11/17/2005, Jeff Davis wrote:
    
Jack,

Uh, yup that is part of the problem.  n00bitis.  but still 
      
can;t get the 
    
dst net capture filter to work, even if I cut it down to a couple of 
networks.  Looking at the _expression_ list, there does not seem to be 
anything under the ip section to indicate the presence of a "net" 
operator.  Am I missing something really basic here or ???

Thanks

Jack Jackson wrote:

      
At 04:49 PM 11/16/2005, Guy Harris wrote:

        
Jeff Davis wrote:

          
This is the error message:
"net" was unexpected in this context.
The following display filter isn't a valid display filter:
(dst net 187 or tcp dst net 197)
            
tcpdump agrees with Ethereal:

        $ tcpdump -d '(dst net 187 or tcp dst net 197)'
        tcpdump: WARNING: en0: no IPv4 address assigned
        tcpdump: 'tcp' modifier applied to host

although it really means "'tcp' modifier applied to net" - TCP has 
neither hosts nor nets, those are properties of IP.

There's also *another* problem that I suspect is due to 
          
the filter being 
    
long (the error message might be too long), so it might be that no 
syntax error is displayed for your really long filter - 
          
but the long one 
    
gets the same error from tcpdump as '(dst net 187 or tcp 
          
dst net 197)' gets.
    
Try "dst net 0 or dst net 1 or..." instead.
          
But the error he got says "The following display filter 
        
isn't a valid 
    
display filter" - doesn't that mean he was trying to use 
        
capture filter 
    
syntax for a display filter?
        
_______________________________________________
Ethereal-users mailing list
Ethereal-users@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-users

    
_______________________________________________
Ethereal-users mailing list
Ethereal-users@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-users

  

-- 
Jefferson K. Davis
Technology and Information Systems Manager
Standard School District
1200 North Chester Ave
Bakersfield, CA  93308
USA
661-392-2110 ext 120