Ethereal-users: [Ethereal-users] Read filter using eth.len seems to be buggy.

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Daniel Shane <daniel.shane@xxxxxxxxx>
Date: Tue, 20 Nov 2001 11:59:19 -0500
Hi all,

I think there is a problem with the eth.len read filter, but since I did not
have the time to trace it or to check the source code yet, I thought I would
first of all ask this list to see if this is normal and/or if you can arrive
at the same results as my test.

test done using ethereal v. 0.8.20
-----------------------------------

Test1:

Machine1# ping Machine2
  64 bytes from 192.168.1.1: icmp_seq=0...
  ...

Machine2# tethereal -R "eth.dst == 00:00:0c:53:43:2b"
device eth0 entering promisc. mode
Capturing on eth0
  1.5900000  192.168.1.20 -> 192.168.1.1  ICMP Echo (ping) request
  2.5900000  192.168.1.20 -> 192.168.1.1  ICMP Echo (ping) request

The eth.dst works fine. Now I will add eth.len to this:

Machine1# ping Machine2
  64 bytes from 192.168.1.1: icmp_seq=0...
  ...

Machine2# tethereal -R "eth.dst == 00:00:0c:53:43:2b and eth.len > 1"
device eth0 entering promis. mode
Capturing eth0
<nothing>

Humm... I dare to say that just about 99.999% (even 100% maybe?) of ethernet
packets should have len > 1?

Is this normal?

Thanks in advance!
Daniel Shane

----
Daniel Shane (daniel.shane NOSPAM@xxxxxxxxx)
GNU/Linux developer 
Eicon Networks (www.eicon.com)