Wireshark-dev: Re: [Wireshark-dev] maybe a little error in web page
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Thu, 13 May 2010 14:02:34 -0700
On May 12, 2010, at 11:37 PM, 刘延君 wrote:

> Hello:
> On this page, I found an example that may have a problem.
> http://wiki.wireshark.org/CaptureFilters
>  
> (tcp[2:2] > 1500 and tcp[2:2] < 1550) or (tcp[4:2] > 1500 and tcp[4:2] < 1550)
> It should be
> (tcp[0:2] > 1500 and tcp[0:2] < 1550) or (tcp[2:2] > 1500 and tcp[2:2] < 1550)

Yes - as Jaap noted, it's now fixed.  Thanks.

Note also that right after that example is a somewhat easier filter to use for that:

	tcp portrange 1501-1549

which also has the advantage that, in versions of libpcap that support IPv6 (which newer ones do by default - and in some systems with older libpcaps the version that's shipped with the system might have IPv6 support built in), it checks for both TCP-over-IPv4 and TCP-over-IPv6 packets with port numbers in that range.

I.e., the only reason why anybody should use

	(tcp[0:2] > 1500 and tcp[0:2] < 1550) or (tcp[2:2] > 1500 and tcp[2:2] < 1550)

rather than

	tcp portrange 1501-1549

is that their system, or their Wireshark, is using libpcap 0.9.0 or earlier.
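
Added example (not part of the original message, and not Wireshark or libpcap code): a small Python model of the two filters run over constructed packets, showing why the corrected offsets are 0 and 2 and why the byte-offset form does not match TCP over IPv6. The helper names and packet values are assumptions made for illustration, and the model ignores IPv6 extension headers.

```python
import struct

def tcp_header(sport, dport, seq=0):
    # Constructed 20-byte TCP header: ports, seq, ack, offset/flags, window, csum, urgent
    return struct.pack("!HHIIHHHH", sport, dport, seq, 0, 5 << 12, 8192, 0, 0)

def ipv4(tcp, options=b""):
    # Constructed IPv4 header (protocol 6 = TCP); options must be a multiple of 4 bytes
    ihl = 5 + len(options) // 4
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(tcp),
                       0, 0, 64, 6, 0, bytes(4), bytes(4)) + options + tcp

def ipv6(tcp):
    # Constructed IPv6 header with TCP as the next header (no extension headers)
    return struct.pack("!IHBB16s16s", 6 << 28, len(tcp), 6, 64, bytes(16), bytes(16)) + tcp

def l4_offset(pkt, allow_v6):
    # Offset of the TCP header, or None if this model says the filter cannot match
    if pkt[0] >> 4 == 4 and pkt[9] == 6:
        if struct.unpack_from("!H", pkt, 6)[0] & 0x1FFF:
            return None  # non-first fragment: no TCP header here
        return (pkt[0] & 0x0F) * 4  # honour the IPv4 header length (options)
    if allow_v6 and pkt[0] >> 4 == 6 and pkt[6] == 6:
        return 40
    return None

def byte_offset_filter(pkt, src_off=0, dst_off=2):
    # (tcp[src_off:2] > 1500 and tcp[src_off:2] < 1550) or (same for dst_off);
    # tcp[...] index expressions apply to IPv4 only
    base = l4_offset(pkt, allow_v6=False)
    if base is None:
        return False
    return any(1500 < struct.unpack_from("!H", pkt, base + o)[0] < 1550
               for o in (src_off, dst_off))

def portrange_filter(pkt, lo=1501, hi=1549):
    # tcp portrange lo-hi, as evaluated by an IPv6-capable libpcap
    base = l4_offset(pkt, allow_v6=True)
    if base is None:
        return False
    return any(lo <= p <= hi for p in struct.unpack_from("!HH", pkt, base))

if __name__ == "__main__":
    v4, v6 = ipv4(tcp_header(40000, 1520)), ipv6(tcp_header(40000, 1520))
    print("IPv4:", byte_offset_filter(v4), portrange_filter(v4))
    print("IPv6:", byte_offset_filter(v6), portrange_filter(v6))
    print("old offsets 2/4:", byte_offset_filter(ipv4(tcp_header(1520, 80)), 2, 4))
```

With the old offsets 2 and 4, the second comparison reads the upper half of the sequence number instead of a port, so a capture filter written that way both misses source-port matches and passes unrelated traffic.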