On Thu, Mar 07, 2002 at 08:15:50PM -0500, Ebright, Don wrote:
> A filter expression like "ip host nnn.nnn.nnn.nnn" works properly with or
> without a directional prefix. The MAC address support seems to give a
> syntax error
"ether hh:hh:hh:hh:hh:hh" isn't a valid expression...
...just as "ip nnn.nnn.nnn.nnn" isn't a valid expression.
You have to say "ether host hh:hh:hh:hh:hh:hh" - "host", not "ether", is
the key token here; "ether" and "ip" are qualifiers for "host".
> The filter syntax "proto 0x0806" is accepted, but doesn't seem to catch
> anything.
It's an alias for "ip proto 0x0806".
> I was hoping to get all ARP frames, so I must have misunderstood
> something.
Try "ether proto 0x0806" - or "ether proto \arp", as per
    ether proto protocol
        True if the packet is of ether type protocol.
        Protocol can be a number or a name like ip, arp,
        or rarp. Note these identifiers are also keywords
        and must be escaped via backslash (\). [In the
        case of FDDI (e.g., `fddi protocol arp'), the
        protocol identification comes from the 802.2 Logical
        Link Control (LLC) header, which is usually layered
        on top of the FDDI header. Tcpdump assumes,
        when filtering on the protocol identifier, that
        all FDDI packets include an LLC header, and that
        the LLC header is in so-called SNAP format.]
Or try just "arp", as per
    ip, arp, rarp, decnet
        Abbreviations for:
            ether proto p
        where p is one of the above protocols.
> I seem to be able to filter for only IPX or NETBEUI frames by specifying the
> keyword, but do I have the capability to look at an offset within these
> packet types?
No. That might be something useful to add.
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe
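As an added illustration (not part of the list message and not libpcap code), here is a small Python evaluator that applies the filter forms discussed above to constructed Ethernet frames, mirroring pcap semantics for just those forms: "ether host/src/dst", "ether proto", the "arp"/"ip"/"rarp" abbreviations, and "ip proto" with its bare "proto" alias. The MAC addresses, frames and helper names are made up for the demonstration.

```python
import struct

# Constructed sample data and a tiny evaluator; not libpcap code.
ETHERTYPES = {"ip": 0x0800, "arp": 0x0806, "rarp": 0x8035}

def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

def build_frame(dst: str, src: str, ethertype: int, payload: bytes = b"") -> bytes:
    """Constructed frame: 14-byte Ethernet II header followed by payload."""
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload

def _ether_proto(tok: str) -> int:
    """Operand of 'ether proto': a number, or a keyword escaped as \\arp."""
    if tok.startswith("\\"):
        return ETHERTYPES[tok[1:]]
    if tok in ETHERTYPES:                      # bare keyword: a syntax error in pcap
        raise ValueError(f"'{tok}' is a keyword; write \\{tok}")
    return int(tok, 0)

def matches(expr: str, frame: bytes) -> bool:
    """Evaluate one of the filter forms from the thread against a raw frame."""
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    t = expr.split()
    if len(t) == 1 and t[0] in ETHERTYPES:       # "arp" is short for "ether proto \arp"
        return ethertype == ETHERTYPES[t[0]]
    if t[0] == "ether" and t[1] in ("host", "src", "dst"):
        want = mac_bytes(t[2])                   # "host" is the key token, "ether" a qualifier
        return {"host": want in (src, dst), "src": want == src, "dst": want == dst}[t[1]]
    if t[:2] == ["ether", "proto"]:
        return ethertype == _ether_proto(t[2])
    if t[:2] == ["ip", "proto"] or t[0] == "proto":  # bare "proto N" means "ip proto N"
        num = int(t[-1], 0)
        # The IP protocol field is a single byte (frame offset 23 behind a plain
        # Ethernet II header), so "proto 0x0806" parses but can never match.
        return ethertype == ETHERTYPES["ip"] and len(frame) >= 24 and frame[23] == num
    raise ValueError(f"unsupported expression: {expr!r}")

# Constructed frames: an ARP request and a TCP-over-IPv4 packet (headers only).
ARP_FRAME = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", 0x0806,
                        bytes([0, 1, 8, 0, 6, 4, 0, 1]) + mac_bytes("00:11:22:33:44:55")
                        + bytes([10, 0, 0, 1]) + bytes(6) + bytes([10, 0, 0, 2]))
IP_FRAME = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", 0x0800,
                       bytes([0x45, 0, 0, 40, 0, 0, 0, 0, 64, 6, 0, 0, 10, 0, 0, 1, 10, 0, 0, 2]))

if __name__ == "__main__":
    for e in ("arp", "ether proto 0x0806", "ether proto \\arp", "proto 0x0806",
              "ether host 00:11:22:33:44:55", "ip proto 6"):
        print(f"{e:30} ARP={matches(e, ARP_FRAME)} IP={matches(e, IP_FRAME)}")
```

Running it shows "arp", "ether proto 0x0806" and "ether proto \arp" all selecting the ARP frame while "proto 0x0806" selects nothing, which is the behaviour the reply above explains.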