On Nov 19, 2003, at 6:19 PM, Ow Mun Heng wrote:
> I'm getting a lot of LLC (Logical Link Control) packets which is
> just too verbose for me, I would like to get rid of it via filter.

What do you mean by "LLC packets"?
If you mean packets using 802.2 LLC, then, on most networks, either
1) no packets are 802.2 LLC packets (e.g., non-IEEE 802 networks)
or
2) most packets are 802.2 LLC packets (e.g., IEEE 802 networks *other*
than Ethernet)
so I'll assume you're either
1) running on Ethernet (in which case almost all, if not all, IP
packets, for example, aren't 802.2 LLC packets)
or
2) running on some other 802 network (Token Ring, 802.11), or FDDI,
and you only want to see "management" packets, not data packets.

> I tried something like !llc BUT ethereal gives an error that it's not
> understood.

That means you're trying to do a capture filter, not a display filter
("!llc" would work with a display filter).
In the first case (running on Ethernet), LLC packets (or, rather, 802.3
packets - there are also the weird "802.3 without 802.2" Netware
packets) have a "length" field rather than a "type" field after the
destination and source MAC addresses. "length" field values are 1500
or less, and "type" field values are larger, so you'd want to check for
packets where the type/length field is > 1500:

    ether[12:2] > 1500

In the second case (running on some network using 802.2), the way you'd
do it would depend on the network, assuming it's even possible - but I
suspect that's not what you're doing, as there probably won't be many
interesting packets left if you filter out LLC packets (as even IP
packets would be LLC packets on those networks).
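
Added example, not part of the original message: a Python sketch of what the capture filter `ether[12:2] > 1500` tests on Ethernet, run over three constructed frames. The frame contents, the helper names, and the check for a leading 0xFFFF to spot the "802.3 without 802.2" Netware case are assumptions made for illustration.

```python
import struct

MAX_8023_LENGTH = 1500  # threshold used by the capture filter in the message


def type_or_length(frame: bytes) -> int:
    """Same read as ether[12:2]: two bytes at offset 12, big-endian."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    return struct.unpack_from("!H", frame, 12)[0]


def passes_filter(frame: bytes) -> bool:
    """True when the capture filter would keep the frame."""
    return type_or_length(frame) > MAX_8023_LENGTH


def classify(frame: bytes) -> str:
    """Label a frame by how its type/length field is being used."""
    if type_or_length(frame) > MAX_8023_LENGTH:
        return "ethernet-ii"   # field is a type (e.g. 0x0800 for IP)
    if frame[14:16] == b"\xff\xff":
        return "raw-802.3"     # Netware IPX directly after the length field
    return "802.3-llc"         # field is a length, 802.2 LLC header follows


def build(field: int, payload: bytes) -> bytes:
    """Constructed frame: broadcast destination, locally administered source."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("020000000001")
    return dst + src + struct.pack("!H", field) + payload


# Constructed sample frames (payload bodies are zero filler).
SAMPLE_FRAMES = {
    "ipv4": build(0x0800, b"\x45" + bytes(19)),
    "stp_llc": build(38, b"\x42\x42\x03" + bytes(35)),
    "ipx_raw": build(30, b"\xff\xff" + bytes(28)),
}


def kept_by_filter(frames: dict) -> list:
    """Names of the frames the capture filter would keep."""
    return [name for name, frame in frames.items() if passes_filter(frame)]


if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        print(name, type_or_length(frame), classify(frame), passes_filter(frame))
```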