Ethereal-users: Re: [Ethereal-users] RE: Packet capture doesn't work?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Jim Cromie <jcromie@xxxxxxxxxx>
Date: Thu, 07 Mar 2002 22:43:39 -0700
beby@xxxxxxxxxxxx wrote:

Looks like I've answered my own question...
The udp abbreviation "udp" works while the long form "ip proto udp"
generally doesn't work.
so:
"host foo and udp" works great, but "host foo and ip proto udp" causes a
parse error.



Guy Harris answered a similar question from me on 2/23, so I pass on..

subject: capture filters - whats wrong with 'not ether proto arp'

'not ether proto arp'        -> unable to parse filter string  (parse error)
'not ether proto ARP' -> " " " " " (unknown ether proto ARP)

'not ip proto ARP'        -> "    (unknown ip proto ARP)
'not ip proto GRE'        -> works.

'not ip proto 0x0806'    -> works


so I conclude :

filtering IP protocols by name works (ex. GRE), but not for Ethernet protocols.

or am I missing something ?


Yes, you're missing a backslash. :-)

To quote the tcpdump man page (which is the man page that documents the
filter expression syntax supported by libpcap; libpcap is the library
used by tcpdump, Ethereal, and a number of other programs to do packet
capture, and that includes doing filtering when capturing):

	expression
	      selects  which  packets  will  be  dumped.   If  no
	      expression is given, all packets on the net will be
	      dumped.	Otherwise, only packets for which expres-
	      sion is `true' will be dumped.

		...


	      ether proto protocol
		     True  if  the packet is of ether type proto-
		     col.  Protocol can be a  number  or  a  name
		     like  ip,	arp, or rarp.  Note these identi-
					       ^^^^^^^^^^^^^^^^^^
		     fiers are also keywords and must be  escaped
		     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
		     via  backslash  (\).   [In  the case of FDDI
		     ^^^^^^^^^^^^^^^^^^^
		     (e.g., `fddi protocol  arp'),  the  protocol
		     identification  comes from the 802.2 Logical
		     Link Control (LLC) header, which is  usually
		     layered  on top of the FDDI header.  Tcpdump
		     assumes,  when  filtering	on  the  protocol
		     identifier, that all FDDI packets include an
		     LLC header, and that the LLC  header  is  in
		     so-called SNAP format.]

so:

	% tcpdump 'not ether proto arp'
	tcpdump: syntax error

but

	% tcpdump 'not ether proto \arp'
	tcpdump: listening on fxp0

So if you use a filter expresion of

	not ether proto \arp

rather than

	not ether proto arp

that'll work.

Then again, as they note, "arp" is a keyword; to quote the man page
again:

	      ip, arp, rarp, decnet, iso
		     Abbreviations for:
			  ether proto p
		     where p is one of the above protocols.

so just

	not arp

will do the same thing as

	not ether proto \arp

"gre" is not a keyword in the libpcap grammar, so it doesn't have to be
escaped with a backslash, unlike "arp".

.