Ethereal-users: RE: [Ethereal-users] Cannot filter on dst net?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Index Thread Index Other Months All Mailing Lists
Date Prev Date Next Thread Prev Thread Next
From: "Wakefield, Thad M." <twakefield@xxxxxxxxxxxxxxxx>
Date: Thu, 17 Nov 2005 15:27:16 -0600
Try:
   (tcp and (dst net 0 or ...))

Thad 

> -----Original Message-----
> From: ethereal-users-bounces@xxxxxxxxxxxx 
> [mailto:ethereal-users-bounces@xxxxxxxxxxxx] On Behalf Of Jack Jackson
> Sent: Thursday, November 17, 2005 3:23 PM
> To: Ethereal user support
> Subject: Re: [Ethereal-users] Cannot filter on dst net?
> 
> I'm still not sure what you are trying to do - capture filter 
> or display 
> filter?
> 
> A capture filter of:  dst net 192.0.0.0 mask 255.0.0.0
> works for me.
> 
> The tcpdump man page at 
> http://www.ethereal.com/docs/man-pages/tcpdump.8.html in the 
> description 
> for the 'net' options says "(see networks(4) for details)".  
> I can't find 
> that at www.ethereal.com and the ones I found by Googling aren't very 
> descriptive, so I'm not sure what is the legal syntax for 'net'.
> 
> 
> At 08:53 AM 11/17/2005, Jeff Davis wrote:
> >Jack,
> >
> >Uh, yup that is part of the problem.  n00bitis.  but still 
> can;t get the 
> >dst net capture filter to work, even if I cut it down to a couple of 
> >networks.  Looking at the expression list, there does not seem to be 
> >anything under the ip section to indicate the presence of a "net" 
> >operator.  Am I missing something really basic here or ???
> >
> >Thanks
> >
> >Jack Jackson wrote:
> >
> >>
> >>
> >>At 04:49 PM 11/16/2005, Guy Harris wrote:
> >>
> >>>Jeff Davis wrote:
> >>>
> >>>>This is the error message:
> >>>>"net" was unexpected in this context.
> >>>>The following display filter isn't a valid display filter:
> >>>>(dst net 187 or tcp dst net 197)
> >>>
> >>>
> >>>tcpdump agrees with Ethereal:
> >>>
> >>>         $ tcpdump -d '(dst net 187 or tcp dst net 197)'
> >>>         tcpdump: WARNING: en0: no IPv4 address assigned
> >>>         tcpdump: 'tcp' modifier applied to host
> >>>
> >>>although it really means "'tcp' modifier applied to net" - TCP has 
> >>>neither hosts nor nets, those are properties of IP.
> >>>
> >>>There's also *another* problem that I suspect is due to 
> the filter being 
> >>>long (the error message might be too long), so it might be that no 
> >>>syntax error is displayed for your really long filter - 
> but the long one 
> >>>gets the same error from tcpdump as '(dst net 187 or tcp 
> dst net 197)' gets.
> >>>
> >>>Try "dst net 0 or dst net 1 or..." instead.
> >>
> >>
> >>But the error he got says "The following display filter 
> isn't a valid 
> >>display filter" - doesn't that mean he was trying to use 
> capture filter 
> >>syntax for a display filter?
> 
> _______________________________________________
> Ethereal-users mailing list
> Ethereal-users@xxxxxxxxxxxx
> http://www.ethereal.com/mailman/listinfo/ethereal-users
>