Ethereal-users: Re: [Ethereal-users] display filter for ARP

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Index Thread Index Other Months All Mailing Lists
Date Prev Date Next Thread Prev Thread Next
From: Gilbert Ramirez <gram@xxxxxxxxxx>
Date: Sat, 13 Jan 2001 20:23:56 -0600
On Sat, 13 Jan 2001 15:09:22 -0800
"jspaar" <jspaar@xxxxxxxxxxxxx> wrote:

> I'm having trouble with a _display_ filter for ARP that looks like it
> should work.
> According to the ethereal manual
> http://www.ethereal.com/ethereal.1.html#lbAO the sender protocol
> address has a field name of "arp.src.proto".  So I think a filter
> string like this should work:
> 
>         arp.src.proto eq 65.100.100.1
> 
> But I get "unable to parse filter string".
> 
> However if I have a filter string of just "arp.src.proto" with no
> comparison, it does parse ok and I get a display of just the ARP
> packets.  Similar trouble with "arc.src.hw".  What am I doing wrong?
> I'm using version 0.8.14.1 on win98, no plugins.  [And I know I could
> work around this by using byte offsets into the frame.]

arp.src.proto is defined as a "byte array", so Ethereal allows you to
compare it against an array of bytes, but not an IPv4 address in
dotted-quad notation.

arp.src.proto == ww:xx:yy:zz

would work.

--gilbert