On Tue, May 14, 2002 at 10:48:19AM -0400, Marc wrote:
> Hi all- I was wondering - is there a better explanation of the (for example):
>
> ether[0] & 1 != 0
>
> from the tcpdump man page from ethereal's site?

No, there isn't.

> This is what I am trying to do:
>
> log every logon to the server using ethereal. I know that
> registration packets have unique info in them, i am just not familiar in
> how to specify and search the packet using ethereal. Any suggestions?

Searching for packets isn't done with libpcap capture filters (which is
what the tcpdump man page describes), it's done with Ethereal display
filters.
Capture filters would let you control which packets get seen by Ethereal
at all.
Unfortunately, while tcpdump-style capture filters might let you check
for the data in question, they don't make it particularly easy - in
fact, there's no way to tell it to look at the Nth byte of the TCP
payload (TCP headers are variable length, and the only variable-length
headers the libpcap code currently handles are IP headers), so it's
probably impossible to do so with a capture filter.
For display filters, there *might* be a field that would let you check
for registration packets; unfortunately, as you haven't said what
protocol is being used, I can't say whether that'd be the case or say
what a display filter to check for registration packets would be.
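
As an added illustration (not part of this reply or of the tcpdump/Ethereal code), the following Python walks a constructed Ethernet/IPv4/TCP frame to show what `ether[0] & 1 != 0` actually tests and why picking out "the Nth byte of the TCP payload" needs the variable-length IP and TCP header sizes rather than a fixed offset. The frame bytes, the `LOGIN` payload and the function names are constructed assumptions, not anything from a real capture.

```python
import struct

# Constructed sample frame (not a real capture): Ethernet / IPv4 with one
# 4-byte option (IHL=6) / TCP with 4 bytes of options (data offset=6) / 8-byte payload.
ETH_HDR = bytes.fromhex("01005e000001" "001122334455" "0800")   # multicast dst MAC, IPv4
IP_HDR = struct.pack("!BBHHHBBH4s4s", 0x46, 0, 56, 1, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + b"\x01\x01\x01\x01"
TCP_HDR = struct.pack("!HHIIBBHHH", 0x1234, 80, 0, 0, 0x60, 0x18, 0xFFFF, 0, 0) + b"\x01\x01\x04\x02"
PAYLOAD = b"LOGIN\x00\x00\x00"          # constructed stand-in for a "registration" payload
FRAME = ETH_HDR + IP_HDR + TCP_HDR + PAYLOAD


def ether_is_multicast(frame: bytes) -> bool:
    """The 'ether[0] & 1 != 0' test: bit 0 of the first destination-MAC byte
    is the group bit, set for multicast and broadcast frames."""
    return frame[0] & 1 != 0


def tcp_payload_offset(frame: bytes) -> int:
    """Offset of the first TCP payload byte, walking the variable-length
    IPv4 header (IHL nibble) and TCP header (data-offset nibble)."""
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        raise ValueError("not IPv4")
    ip_off = 14
    ihl = (frame[ip_off] & 0x0F) * 4            # IHL is in 32-bit words
    if frame[ip_off + 9] != 6:
        raise ValueError("not TCP")
    tcp_off = ip_off + ihl
    doff = (frame[tcp_off + 12] >> 4) * 4       # TCP data offset, also in 32-bit words
    return tcp_off + doff


def tcp_payload_byte(frame: bytes, n: int) -> int:
    """The 'Nth byte of the TCP payload' that a fixed-offset capture filter
    cannot express once either header carries options."""
    return frame[tcp_payload_offset(frame) + n]


# What a fixed-offset filter such as ether[54] assumes: no IP options, no TCP options.
NAIVE_PAYLOAD_OFFSET = 14 + 20 + 20

if __name__ == "__main__":
    print(ether_is_multicast(FRAME))                        # True
    off = tcp_payload_offset(FRAME)
    print(off, FRAME[off:])                                 # 62 b'LOGIN\x00\x00\x00'
    # With options present the fixed offset lands inside the TCP header, not the payload.
    print(FRAME[NAIVE_PAYLOAD_OFFSET:NAIVE_PAYLOAD_OFFSET + 8])
```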