james hanley wrote:
-------------------
The Ethereal project is being continued at a new site. Please go to
http://www.wireshark.org and subscribe to wireshark-users@xxxxxxxxxxxxx.
Don't forget to unsubscribe from this list at
http://www.ethereal.com/mailman/listinfo/ethereal-users
-------------------
------------------------------------------------------------------------
1)
how do I say OR ?
AND is &&
for example, I want to say
tcp.dstport != 3389 "OR" tcp.srcport != 3389
The same way you do in Wireshark, as per the above, so I'm redirecting
this to the wireshark-users list.
In Wireshark, just as AND is &&, OR is...
...||.
2)
how do I see only the initial connections? and just incoming or just
outgoing?
is there an easier way than this? (i'm not even sure if this is right)
my ip is 192.168.0.2
for incoming-
tcp.flags.syn == 1 && tcp.flags.ack==0 && ip.src != 192.168.0.2
That's the correct filter to see attempts by other machines to connect
to your machine - it matches packets that have SYN set and ACK not set
(so it's the initial SYN) that are not coming from your machine.
for outgoing-
tcp.flags.syn == 1 && tcp.flags.ack==0 && ip.src == 192.168.0.2
Ditto.
No, there's no simpler expression (unless somebody's added a new field
to the TCP dissector while I wasn't watching).