I would like to be able to set tcpdump filters by MAC addresses, frame type, or other frame contents. The tcpdump man page (especially the update for 3.7.1) gives a lot of information on setting filters that are based on byte offsets within the headers associated with the IP protocol suite and some examples of filtering within the MAC header, but I still have a few questions in this area.
A filter expression like "ip host nnn.nnn.nnn.nnn" works properly with or without a directional prefix. The MAC address support seems to give a syntax error unless "ether hh:hh:hh:hh:hh:hh" is preceded by "src" or "dst". I assume that I could get the desired result with something like "src ether hh:hh:hh:hh:hh:hh or dst ether hh:hh:hh:hh:hh:hh". Is this an intended restriction or a bug?

The filter syntax "proto 0x0806" is accepted, but doesn't seem to catch anything. I was hoping to get all ARP frames, so I must have misunderstood something. I do seem to be able to get the desired result with ether[12:2] = 0x0806.

Does the fact that tr and fddi are synonyms for ether imply that I need to know the linktype to know the offset of the length/protocol field, or are the extra TR/FDDI control byte(s) before the destination MAC address given negative offsets so the destination, source, and length can always be found at offsets 0, 6, and 12 for these link types?

I seem to be able to filter for only IPX or NETBEUI frames by specifying the keyword, but do I have the capability to look at an offset within these packet types? Looking at gencode.c, it seems fairly clear that IPX host and port filtering isn't explicitly provided, but could that be done by filtering for particular values at fixed offsets in the frame? If so, what would the syntax look like? Trying "ipx [offset] = something" gives me a syntax error. I can hack this in - at least for ethernet II frames - by using something like "ipx and ether[offset+14] = something", but it would need to be a fairly complicated expression if it considered 802.3, SNAP, etc.

I don't know much about lex, yacc, or BPF, so it isn't clear from a casual inspection of grammar.y and gencode.c whether I have plumbed the depths of the surprisingly extensive filtering options. Any additional information about these areas that look ambiguous to me would be appreciated.

- This is the TCPDUMP workers list.
It is archived at http://www.tcpdump.org/lists/workers/index.html To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe
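Added example, not part of the original message and not tcpdump code: a small Python model of the byte-offset filters the question discusses. It evaluates "ether host" in both directions, "ether[12:2] = 0x0806" for ARP, and an "ipx[off:size]" accessor that locates the IPX header under the Ethernet II, raw 802.3, 802.2 LLC and SNAP encapsulations the poster mentions, which is exactly why a fixed "ether[offset+14]" only works for Ethernet II. The sample frames are constructed, and the rule that a 16-bit value >= 0x0600 at offset 12 is a type rather than an 802.3 length is an assumption of this example.

```python
import struct

ETH_P_ARP, ETH_P_IPX = 0x0806, 0x8137

def mac(s):
    """Parse 'hh:hh:hh:hh:hh:hh' into six raw bytes."""
    return bytes(int(x, 16) for x in s.split(":"))

def ether_host(frame, addr):
    """'ether host addr' in either direction: dst MAC at offset 0, src MAC at offset 6."""
    return mac(addr) in (frame[0:6], frame[6:12])

def ether_proto(frame, proto):
    """'ether[12:2] = proto' on an Ethernet II frame (e.g. 0x0806 for ARP)."""
    return struct.unpack("!H", frame[12:14])[0] == proto

def ipx_offset(frame):
    """Offset of the IPX header for the encapsulations named in the question, or None.
    Assumption: a 16-bit value >= 0x0600 at offset 12 is an Ethernet II type, else an 802.3 length."""
    typ = struct.unpack("!H", frame[12:14])[0]
    if typ >= 0x0600:                      # Ethernet II: IPX header directly follows
        return 14 if typ == ETH_P_IPX else None
    llc = frame[14:17]
    if llc[:2] == b"\xff\xff":             # Novell "raw" 802.3: IPX checksum field 0xFFFF
        return 14
    if llc == b"\xe0\xe0\x03":             # 802.2 LLC, DSAP/SSAP 0xE0 = IPX
        return 17
    if llc == b"\xaa\xaa\x03":             # 802.2 SNAP: 3-byte OUI + 2-byte type follow
        return 22 if struct.unpack("!H", frame[20:22])[0] == ETH_P_IPX else None
    return None

def ipx_field(frame, off, size=1):
    """The 'ipx[off:size]' accessor the question asks for, relative to the IPX header.
    IPX dest socket sits at off=16, src socket at off=28 (both 2 bytes)."""
    base = ipx_offset(frame)
    return None if base is None else int.from_bytes(frame[base + off:base + off + size], "big")

# Constructed sample frames (not captured traffic). IPX header: checksum, length, hop count,
# type, dest net/node/socket (0x0451 = NCP), src net/node/socket.
SRC, DST = "00:11:22:33:44:55", "00:aa:bb:cc:dd:ee"
IPX_HDR = bytes.fromhex("ffff 001e 00 04 00000001 000000000001 0451 00000002 001122334455 4003")
ARP_FRAME = mac("ff:ff:ff:ff:ff:ff") + mac(SRC) + b"\x08\x06" + bytes(28)
IPX_ETH2 = mac(DST) + mac(SRC) + b"\x81\x37" + IPX_HDR
IPX_RAW_8023 = mac(DST) + mac(SRC) + b"\x00\x1e" + IPX_HDR
IPX_SNAP = mac(DST) + mac(SRC) + b"\x00\x26" + bytes.fromhex("aaaa03 000000 8137") + IPX_HDR
```

Run against the three IPX frames, ipx_field(frame, 16, 2) returns 0x0451 for each even though the IPX header starts at offset 14, 14 and 22 respectively, which is the case a single ether[offset+14] expression cannot cover.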
