On Wed, Aug 23, 2006 at 03:01:41PM -0500, Prigge Scott wrote:
> Using version 0.99.2, and am struggling to create a simple display
> filter using byte offset notation. I want to simply capture traffic
> where the first two bytes of the source address are 68.154. Shouldn't
> this filter be as simple as ip[12:2]==68 154? I've tried lots of
> different permutations, but can't get any to work. I have created the
> same offset filter in another product, Network Instruments Observer,
> and I get the results I would expect.
I don't think that Wireshark supports that format. Do you want to match
packets with source IP addresses in the 68.154.x.x range? If so,
"ip.src == 68.154.0.0/16" will do that (or ip.addr to match either the
source or destination).
Steve