Ethereal-users: Re: [Ethereal-users] display filters, how do I say OR? and how do I see only the

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Thu, 10 Aug 2006 12:30:53 -0700
-------------------
The Ethereal project is being continued at a new site.  Please go to
http://www.wireshark.org and subscribe to wireshark-users@xxxxxxxxxxxxx.
Don't forget to unsubscribe from this list at
http://www.ethereal.com/mailman/listinfo/ethereal-users
-------------------

james hanley wrote:

> 1)
> how do I say OR ?
> AND is &&
> for example, I want to say tcp.dstport != 3389 "OR" tcp.srcport != 3389

The same way you do in Wireshark, as per the above, so I'm redirecting this to the wireshark-users list.

In Wireshark, just as AND is &&, OR is...

...||.

> 2)
> how do I see only the initial connections? and just incoming or just outgoing? is there an easier way than this? (I'm not even sure if this is right) my ip is 192.168.0.2
> for incoming-
> tcp.flags.syn == 1 && tcp.flags.ack==0 && ip.src != 192.168.0.2

That's the correct filter to see attempts by other machines to connect to your machine - it matches packets that have SYN set and ACK not set (so it's the initial SYN) that are not coming from your machine.

> for outgoing-
> tcp.flags.syn == 1 && tcp.flags.ack==0 && ip.src == 192.168.0.2

Ditto.

No, there's no simpler expression (unless somebody's added a new field to the TCP dissector while I wasn't watching).
_______________________________________________
Ethereal-users mailing list
Ethereal-users@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-users
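
The filters discussed in this thread, re-expressed as an added Python example (not part of the original message and not Wireshark code): it parses constructed IPv4/TCP headers, classifies initial SYNs as incoming or outgoing relative to 192.168.0.2, and evaluates the question-1 port test joined with `||` and with `&&` on the same packets. The function names and the 203.0.113.7 peer address are assumptions made for the example.

```python
import socket
import struct
# Added example; every function name below is illustrative, not a Wireshark API.
LOCAL_IP = "192.168.0.2"  # the poster's address, taken from the thread
SYN, ACK = 0x02, 0x10     # TCP flag bits

def build_packet(src, dst, sport, dport, flags):
    """Constructed sample: bare IPv4 + TCP headers, checksums left at 0."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp

def parse(pkt):
    """Pull out the fields the thread's filters test; None if not IPv4/TCP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    ihl = (pkt[0] & 0x0F) * 4          # IPv4 header length in bytes
    if ihl < 20 or len(pkt) < ihl + 20:
        return None                    # malformed or truncated
    sport, dport = struct.unpack_from("!HH", pkt, ihl)
    flags = pkt[ihl + 13]
    return {"ip.src": socket.inet_ntoa(pkt[12:16]), "sport": sport,
            "dport": dport, "syn": bool(flags & SYN), "ack": bool(flags & ACK)}

def classify(pkt, local_ip=LOCAL_IP):
    """tcp.flags.syn == 1 && tcp.flags.ack == 0, then split on ip.src."""
    f = parse(pkt)
    if f is None or not f["syn"] or f["ack"]:
        return None
    return "outgoing" if f["ip.src"] == local_ip else "incoming"

def port_or(pkt, port=3389):
    """tcp.dstport != 3389 || tcp.srcport != 3389"""
    f = parse(pkt)
    return f["dport"] != port or f["sport"] != port

def port_and(pkt, port=3389):
    """tcp.dstport != 3389 && tcp.srcport != 3389"""
    f = parse(pkt)
    return f["dport"] != port and f["sport"] != port

PEER = "203.0.113.7"  # constructed documentation address
SAMPLES = {  # constructed packets, not captured traffic
    "in_syn": build_packet(PEER, LOCAL_IP, 50000, 3389, SYN),
    "out_syn": build_packet(LOCAL_IP, PEER, 50001, 443, SYN),
    "synack": build_packet(LOCAL_IP, PEER, 3389, 50000, SYN | ACK),
}
for name, pkt in SAMPLES.items():
    print(name, classify(pkt), port_or(pkt), port_and(pkt))
```

On the constructed SYN to port 3389, the `||` form is true (only a packet with 3389 on both sides makes it false), while the `&&` form is false.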