Ethereal-users: Re: [ethereal-users] having difficulty with tethereal and filters
> The format that worked was not an obvious solution when reading the man
> pages..... Have I missed some piece of documentation that would have
> explained this?
The parts of the man page that say
Packet capturing is performed with the pcap library. The
capture filter syntax follows the rules of the pcap library.
This syntax is different from the display filter syntax.
and
CAPTURE FILTER SYNTAX
See manual page of tcpdump(8).
> What would the format be for capturing
> ICMP ping (type 8) packets that were sourced from 63.75.231.1?
>
> icmp.type == 8 and ip.src == 63.75.231.1
The tcpdump man page says
expression
selects which packets will be dumped. If no expression
is given, all packets on the net will be dumped. Otherwise,
only packets for which expression is `true' will be dumped.
...
src host host
True if the IP source field of the packet is host.
...
expr relop expr
True if the relation holds, where relop is one of
>, <, >=, <=, =, !=, and expr is an arithmetic
expression composed of integer constants
(expressed in standard C syntax), the normal
binary operators [+, -, *, /, &, |], a length
operator, and special packet data accessors. To
access data inside the packet, use the following
syntax:
proto [ expr : size ]
Proto is one of ether, fddi, ip, arp, rarp, tcp,
udp, or icmp, and indicates the protocol layer for
the index operation. The byte offset, relative to
the indicated protocol layer, is given by expr.
Size is optional and indicates the number of bytes
in the field of interest; it can be either one,
two, or four, and defaults to one. The length
operator, indicated by the keyword len, gives the
length of the packet.
For example, `ether[0] & 1 != 0' catches all multicast
traffic. The expression `ip[0] & 0xf != 5' catches all
IP packets with options. The expression `ip[6:2] & 0x1fff = 0'
catches only unfragmented datagrams and frag zero of
fragmented datagrams. This check is implicitly applied to
the tcp and udp index operations. For instance, tcp[0]
always means the first byte of the TCP header, and never
means the first byte of an intervening fragment.
Primitives may be combined using:
A parenthesized group of primitives and operators
(parentheses are special to the Shell and must be
escaped).
Negation (`!' or `not').
Concatenation (`&&' or `and').
Alternation (`||' or `or').
Negation has highest precedence. Alternation and
concatenation have equal precedence and associate left to
right. Note that explicit and tokens, not juxtaposition,
are now required for concatenation.
EXAMPLES
...
To print all ICMP packets that are not echo requests/replies
(i.e., not ping packets):
tcpdump 'icmp[0] != 8 and icmp[0] != 0'
so
src host 63.75.231.1 and icmp[0] = 8
should do what you want. (It seemed to work when I tried
tethereal -f 'src host <machine> and icmp[0] = 8'
and did
ping www.sun.com
from the machine in question.)
Yes, this is ugly. Yes, we should support (a subset of) display filter
syntax for capture filters. No, we haven't written the code to do
that yet.
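The accessor rules quoted above (proto[expr:size] indexed relative to the named layer, plus the implicit fragment check), as an added worked example that is not part of this thread: a small Python evaluator that applies `src host 63.75.231.1 and icmp[0] = 8` to a constructed Ethernet/IPv4/ICMP frame, and shows why icmp[0] must skip the variable-length IP header rather than sit at a fixed offset. The frame contents and helper names are made up here, and applying the fragment check to icmp (the man page states it only for tcp and udp) is an assumption.

```python
import struct

def ip_bytes(dotted):
    """Dotted-quad string to 4 network-order bytes."""
    return bytes(int(o) for o in dotted.split("."))

def build_frame(src_ip, dst_ip, icmp_type, ihl_words=5, frag_field=0):
    """Constructed Ethernet II + IPv4 + ICMP frame (checksums left zero;
    all values are made up for this example)."""
    eth = bytes(range(6)) + bytes(range(6, 12)) + b"\x08\x00"
    options = b"\x00" * (ihl_words * 4 - 20)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0,
                     ihl_words * 4 + 8, 0x1234, frag_field, 64, 1, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip)) + options
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1)
    return eth + ip + icmp

def layer_offset(frame, proto):
    """Where proto[] indexing starts, per the tcpdump man page: ip[] counts
    from the IP header, icmp[]/tcp[]/udp[] from the transport header, so the
    IP header length (IHL) is honoured rather than assumed to be 20 bytes."""
    if proto == "ether":
        return 0
    if frame[12:14] != b"\x08\x00":
        return None                      # not IPv4: no ip/icmp layer
    if proto == "ip":
        return 14
    if frame[14 + 9] != {"icmp": 1, "tcp": 6, "udp": 17}[proto]:
        return None                      # IP protocol field does not match
    # Implicit ip[6:2] & 0x1fff = 0 check: the man page states it for tcp and
    # udp; applied to icmp here as well (assumption), since a non-first
    # fragment carries no ICMP header to index into.
    if struct.unpack("!H", frame[20:22])[0] & 0x1FFF:
        return None
    return 14 + (frame[14] & 0x0F) * 4

def accessor(frame, proto, index, size=1):
    """Evaluate proto[index:size]; None when the layer or bytes are absent."""
    base = layer_offset(frame, proto)
    if base is None:
        return None
    chunk = frame[base + index:base + index + size]
    return int.from_bytes(chunk, "big") if len(chunk) == size else None

def matches_ping_from(frame, host):
    """'src host <host> and icmp[0] = 8', where src host is ip[12:4] == host."""
    return (accessor(frame, "ip", 12, 4) == int.from_bytes(ip_bytes(host), "big")
            and accessor(frame, "icmp", 0) == 8)
```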