Vaidehi Kasarekar wrote:

> Frame 363 (90 on wire, 90 captured)
>     Arrival Time: Jun 4, 2003 18:16:20.623654000
>     Time delta from previous packet: 0.002625000 seconds
>     Time relative to first packet: 13.375884000 seconds
>     Frame Number: 363
>     Packet Length: 90 bytes
>     Capture Length: 90 bytes
> IEEE 802.11
>     Type/Subtype: Data (32)
>     Frame Control: 0x0108
>         Version: 0
>         Type: Data frame (2)
>         Subtype: 0
>         Flags: 0x1
> If I want to specify a filter in tethereal in such a way that it will filter out
> packets where Frame Type matches "data" and some more fields of the header, what is the syntax?
> How do I specify that???
>
> If I specify:
> [EMAIL PROTECTED] log]$ tethereal -i eth2 -f 'wlan.fc.type_subtype eq 0x08' -V
> I get an error:
>
> tethereal: Unable to parse filter string (parse error).
>
> Can anybody guide me in writing rules to filter out packets based on certain header
> information? I am interested in the syntax. Or any document describing the filters
> or examples of filters would be useful.

Capture filters have a different syntax than display filters:
http://www.ethereal.com/faq.html#q5.5

In order to prepare a capture filter you should read the tcpdump/WinDump documentation (man page) corresponding to the libpcap/WinPcap version you are using, e.g.
http://nodevice.com/sections/ManIndex/man1692.html
http://windump.polito.it/docs/manual.htm (if you are using WinPcap)

There are also some other "guides" about tcpdump filter syntax that can be good sometimes:
http://www.security-forums.com/forum/viewtopic.php?t=4489
http://www.ethereal.com/lists/ethereal-users/200306/msg00020.html
http://home.insight.rr.com/procana/index.html

I guess that in your case, when you have IEEE 802.11 headers, you maybe have to use a filter such as

ether[0] & 0xF0 = 0x8

(ether[0] means the first byte of the data link level used on the specified network interface.)

It might be good to combine a capture filter with a display/read filter, since the syntax for display/read filters is much more powerful. You can normally filter on high-level protocols and similar.
You could, for example, start with capturing all packets matching a certain capture filter and save the result to a file:

tethereal -i eth2 -f 'ether[0] & 0xF0' -w file1.pcap

Then you could use read filters to filter out with the more powerful display-filter syntax using the "-R" option:

tethereal -r file1.pcap -R 'wlan.bssid == 00:40:05:df:24:b8' -V

Actually it might work to use:

tethereal -i eth2 -R 'wlan.fc.type_subtype eq 0x08' -V

directly, but there is a risk that packets may be dropped when Ethereal has to scan through a lot of packets in real time.