Ethereal: Re: [Ethereal-users] getting MAC addresses from ethereal

Ethereal-users: January 2002

Subject: Re: [Ethereal-users] getting MAC addresses from ethereal
From: "M.C. van den Bovenkamp" <marco@xxxxxxxxxxxxxxxxxxx>
Date: Mon, 28 Jan 2002 07:26:03 +0100

Rakesh Arora wrote:

> > '!(ether[0:2] = 0x0002 and ether[2] = 0x2d) and
> > !(ether[0:2] = 0x0050 and ether[2] = 0x8b)' I think.
> > But double check my boolean logic; it's
> > rusty and it's almost 2:30 AM here :-).
> 
> Thanks Marco. I should be able to combine the third
> byte with the first two bytes. If so, my capture
> expression would look like:
> !(ether[6:3] = 0x00022d) and !(ether[6:3]=0x00508b).
> Is this right? (I am looking at the source addresses,
> so it is at an offset of 6)

Not according to the tcpdump manpage you can't:

"Size  is
 optional  and  indicates the number of bytes
 in the field of interest; it can  be  either
 one, two, or four, and defaults to one."

And tcpdump doesn't accept it. 

		Regards,

			Marco.

References:
- Re: [Ethereal-users] getting MAC addresses from ethereal
  - From: Rakesh Arora

Prev by Date: Re: [Ethereal-users] getting MAC addresses from ethereal
Next by Date: Re: [Ethereal-users] Save as my own file format?
Previous by thread: Re: [Ethereal-users] getting MAC addresses from ethereal
Next by thread: Re: [Ethereal-users] getting MAC addresses from ethereal
Index(es):
- Date
- Thread