On Wed, 06 Feb 2002 10:27:03 Aman Garg wrote:
> Is there a way to filter ARP requests coming from (and going to ) host
> with IP addr A.B.C.D ?
>
> (ip.addr eq A.B.C.D) seems to get all IP packets matching the host but no
> ARP packets.
>
> Regards
> Aman
>
"ip.addr" means to use the address in the IP header.
ARP requests don't have IP headers.
You can use arp.src.proto and arp.dst.proto.
However, since ARP is protocol-agnositic, arp.src.proto and
arp.dst.proto are not IPv4 address, I mean, Ethereal is not
treating them as IPv4 address. The display of protocol address in
Ethereal uses the IPv4 format in the GUI protocol tree
if the protocol type in the ARP header is IP. This is
a convenience that we should carry forward to how Ethereal
encodes the address internally. That makes filtering easier.
If you have Ethereal 0.9.1, select an ARP request's
"Sender protocol address" line, right-click and choose
"Prepare | Selected" and you'll see a display filter in
the display-filter text box that uses hex-bytes instead
of an IPv4 notation:
arp.src.proto == 42:19:D0:01
That's because internally, Ethereal isn't using an IPv4
address for that address.
--gilbert
