On Wed, 06 Feb 2002 10:27:03 Aman Garg wrote: > Is there a way to filter ARP requests coming from (and going to ) host > with IP addr A.B.C.D ? > > (ip.addr eq A.B.C.D) seems to get all IP packets matching the host but no > ARP packets. > > Regards > Aman >
"ip.addr" means to use the address in the IP header. ARP requests don't have IP headers. You can use arp.src.proto and arp.dst.proto. However, since ARP is protocol-agnositic, arp.src.proto and arp.dst.proto are not IPv4 address, I mean, Ethereal is not treating them as IPv4 address. The display of protocol address in Ethereal uses the IPv4 format in the GUI protocol tree if the protocol type in the ARP header is IP. This is a convenience that we should carry forward to how Ethereal encodes the address internally. That makes filtering easier. If you have Ethereal 0.9.1, select an ARP request's "Sender protocol address" line, right-click and choose "Prepare | Selected" and you'll see a display filter in the display-filter text box that uses hex-bytes instead of an IPv4 notation: arp.src.proto == 42:19:D0:01 That's because internally, Ethereal isn't using an IPv4 address for that address. --gilbert
