Ethereal-users: RE: [Ethereal-users] Read filter using eth.len seems to be buggy.
Title: RE: [Ethereal-users] Read filter using eth.len seems to be buggy.
Hi
'eth.len' is for 802.3 frames which have the length in the header.
IP is ethernet II encoded do no length field.
I think you want to use 'frame.pkt_len' in the filter instead.
Giles Scott
-----Original Message-----
From: Daniel Shane [mailto:daniel.shane@xxxxxxxxx]
Sent: Tuesday, November 20, 2001 4:59 PM
To: 'ethereal-users@xxxxxxxxxxxx'
Subject: [Ethereal-users] Read filter using eth.len seems to be buggy.
Hi all,
I think there is a problem with the eth.len read filter, but since I did not
have the time to trace it or to check the source code yet, I thought I would
first of all ask this list to see if this is normal and/or if you can arrive
at the same results as my test.
test done using ethereal v. 0.8.20
-----------------------------------
Test1:
Machine1# ping Machine2
64 bytes from 192.168.1.1: icmp_seq=0...
...
Machine2# tethereal -R "eth.dst == 00:00:0c:53:43:2b"
device eth0 entering promisc. mode
Capturing on eth0
1.5900000 192.168.1.20 -> 192.168.1.1 ICMP Echo (ping) request
2.5900000 192.168.1.20 -> 192.168.1.1 ICMP Echo (ping) request
The eth.dst works fine. Now I will add eth.len to this:
Machine1# ping Machine2
64 bytes from 192.168.1.1: icmp_seq=0...
...
Machine2# tethereal -R "eth.dst == 00:00:0c:53:43:2b and eth.len > 1"
device eth0 entering promis. mode
Capturing eth0
<nothing>
Humm... I dare to say that just about 99.999% (even 100% maybe?) of ethernet
packets should have len > 1?
Is this normal?
Thanks in advance!
Daniel Shane
----
Daniel Shane (daniel.shane NOSPAM@xxxxxxxxx)
GNU/Linux developer
Eicon Networks (www.eicon.com)
_______________________________________________
Ethereal-users mailing list
Ethereal-users@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-users
