DAIGLE, ANDREW PAUL wrote:
-----Original Message-----
From: ethereal-users-bounces@xxxxxxxxxxxx [mailto:ethereal-users-bounces@xxxxxxxxxxxx] On Behalf Of Ivan Stamenkovic
Sent: Thursday, January 19, 2006 3:43 PM
To: ethereal-users@xxxxxxxxxxxx
Cc: Ivan Stamenkovic
Subject: [Ethereal-users] Capture Filter for ICMPs
Hello,
I need a filter to stop capturing both ICMP Echo (ping) requests AND replies
from specific addresses. How to?

    not icmp and not host x.x.x.x

...which stops all ICMP packets and all packets from host x.x.x.x.

If you want to stop all ICMP packets to or from host x.x.x.x, but accept
ICMP packets to and from other hosts, and all non-ICMP packets (whether
they're to or from that host or not), it'd be

    not (icmp and host x.x.x.x)

and if you want to stop all ICMP Echo and Echo Reply packets to or from
host x.x.x.x, and accept ICMP packets to and from other hosts, all
non-ICMP packets, *and* non-Echo and non-Echo Reply ICMP packets to or
from host x.x.x.x, it'd be

    not ((icmp[icmptype] == icmp-echo or icmp[icmptype] == icmp-echoreply) and host x.x.x.x)

with sufficiently recent versions of libpcap/WinPcap (older versions
don't support using "icmptype" as an offset/length value, and
"icmp-echo" and "icmp-echoreply" as comparison values, in expressions; I
don't know when that was introduced, but it was a while ago, I think).
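
The three capture filters from the thread above, compared on the same traffic. This is an added example, not part of the original messages: it hand-models each filter's boolean logic in Python rather than calling libpcap, and the addresses (documentation ranges, with HOST standing in for x.x.x.x), helper names and unfragmented IPv4 sample packets are all constructed for illustration.

```python
import socket
import struct

# Constructed documentation-range addresses; HOST stands in for x.x.x.x.
HOST, OTHER, THIRD = "192.0.2.10", "198.51.100.7", "203.0.113.5"
ECHOREPLY, UNREACH, ECHO = 0, 3, 8  # ICMP type numbers

def ipv4(src, dst, proto, payload):
    """Build a minimal 20-byte IPv4 header (checksum left at 0) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def fields(pkt):
    """Return (is_icmp, {src, dst}, icmp_type) parsed from raw IPv4 bytes."""
    ihl = (pkt[0] & 0x0F) * 4                     # IP header length in bytes
    is_icmp = pkt[9] == 1                         # "icmp" means IP protocol 1
    addrs = {socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])}
    return is_icmp, addrs, (pkt[ihl] if is_icmp else None)  # type = ICMP byte 0

def filter_a(pkt):  # not icmp and not host x.x.x.x
    icmp, addrs, _ = fields(pkt)
    return (not icmp) and (HOST not in addrs)

def filter_b(pkt):  # not (icmp and host x.x.x.x)
    icmp, addrs, _ = fields(pkt)
    return not (icmp and HOST in addrs)

def filter_c(pkt):  # not ((echo or echo reply) and host x.x.x.x)
    icmp, addrs, itype = fields(pkt)
    return not (icmp and itype in (ECHO, ECHOREPLY) and HOST in addrs)

SAMPLES = {  # constructed packets, one per case the thread distinguishes
    "ICMP echo from HOST": ipv4(HOST, OTHER, 1, bytes([ECHO, 0, 0, 0, 0, 1, 0, 1])),
    "ICMP echo reply to HOST": ipv4(OTHER, HOST, 1, bytes([ECHOREPLY, 0, 0, 0, 0, 1, 0, 1])),
    "ICMP unreachable from HOST": ipv4(HOST, OTHER, 1, bytes([UNREACH, 1, 0, 0, 0, 0, 0, 0])),
    "ICMP echo between others": ipv4(OTHER, THIRD, 1, bytes([ECHO, 0, 0, 0, 0, 2, 0, 1])),
    "UDP from HOST": ipv4(HOST, OTHER, 17, bytes(8)),
    "UDP between others": ipv4(OTHER, THIRD, 17, bytes(8)),
}

def verdicts():
    """Map each sample to (kept by A, kept by B, kept by C); True = captured."""
    return {n: (filter_a(p), filter_b(p), filter_c(p)) for n, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, keep in verdicts().items():
        print(f"{name:28} A={keep[0]!s:5} B={keep[1]!s:5} C={keep[2]!s:5}")
```

The rows where the columns differ are the ones to check before trusting a capture: the first filter silently drops all non-ICMP traffic of that host and all ICMP of every other host, which matters if the capture is later used as evidence of what that host did.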