Wireshark · Ethereal-users: RE: [Ethereal-users] help with filter syntax

Ethereal-users: RE: [Ethereal-users] help with filter syntax

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Gerald Combs <gerald@xxxxxxxx>

Date: Mon, 4 Dec 2000 13:00:40 -0600 (EST)

On Mon, 4 Dec 2000, Mitchell K. Smith wrote:

> I am trying now to create a filter for ALL udp ports.
> 
> Can you help me with the syntax?
> 
> port udp <something?>

For capturing you could use "ip proto 17" or "ip proto \udp" (note the
backslash).  The equivalent display filter would be "ip.proto == 17" or
simply "udp".

> Is there a definitive reference for ethereal so I don't have to keep bugging
> you guys.

The capture filter syntax is described in the tcpdump man page.  Display
filters are described in the Ethereal man page.  More friendly
descriptions of each can be found in the Ethereal User's Guide, at

  http://www.ns.aus.com/ethereal/user-guide/ch03capfilt.html

and

  http://www.ns.aus.com/ethereal/user-guide/ch03dispfilt.html
  
respectively.



> 
> Thanks for your help.
> 
> Mitch Smith
> 
> 
> 
> -----Original Message-----
> From: McNutt, Justin M. [mailto:McNuttJ@xxxxxxxxxxxx]
> Sent: Sunday, December 03, 2000 12:17 PM
> To: 'Gerald Combs'; Mitchell K. Smith
> Cc: 'ethereal-users@xxxxxxxxxxxx'
> Subject: RE: [Ethereal-users] help with filter syntax
> 
> 
> That will work, but remember that SNMP traps are sent on UDP port 162 (by
> default).  Try:
> 
> udp.port == 161 or udp.port == 162
> 
> --J
> 
> > -----Original Message-----
> > From: Gerald Combs [mailto:gerald@xxxxxxxx]
> > Sent: Thursday, November 30, 2000 1:58 PM
> > To: Mitchell K. Smith
> > Cc: 'ethereal-users@xxxxxxxxxxxx'
> > Subject: Re: [Ethereal-users] help with filter syntax
> > 
> > 
> > On Thu, 30 Nov 2000, Mitchell K. Smith wrote:
> > 
> > > Greetings.
> > > 
> > > I am new to using Ethereal and I need some help with the 
> > filter syntax.
> > > I am using version 0.8.14.
> > > 
> > > I am trying to capture SNMP packets only.
> > > 
> > > I read the tcpdump man page but I still don't "get it"
> > > 
> > > What would the syntax be for the filter field?
> > 
> > SNMP uses UDP port 161, so the capture filter would be "udp 
> > port 161", or
> > simply "port 161".  In case you need it the display filter would be
> > "snmp" or "udp.port == 161".
> > 
> > 
> > _______________________________________________
> > Ethereal-users mailing list
> > Ethereal-users@xxxxxxxxxxxx
> > http://www.ethereal.com/mailman/listinfo/ethereal-users
> > 
> 
> _______________________________________________
> Ethereal-users mailing list
> Ethereal-users@xxxxxxxxxxxx
> http://www.ethereal.com/mailman/listinfo/ethereal-users
>

References:
- RE: [Ethereal-users] help with filter syntax
  - From: Mitchell K. Smith

Prev by Date: RE: [Ethereal-users] help with filter syntax
Next by Date: [Ethereal-users] PPP data on Ethereal
Previous by thread: RE: [Ethereal-users] help with filter syntax
Next by thread: [Ethereal-users] PPP data on Ethereal
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$