On Sun, Sep 08, 2002 at 12:56:11PM -0700, Jack Jackson wrote:

> I don't think the combinations matter at all. You are using some illegal
> protocols.

Yes.

> According to the tcpdump man page, bootp is not accepted as a protocol.
>
> smtp should be specified as "tcp port smtp".

Yes. BOOTP runs atop UDP, SMTP runs atop TCP, and neither UDP nor TCP has a "protocol" field, like Ethernet and IP, which do (the packet type field in Ethernet, and the protocol field in IP), so you can say "arp" or "not arp", which test the Ethernet packet type field when capturing on Ethernet, and can say "icmp" or "not icmp", which test the IP protocol field, but you can't say "smtp" or "not smtp" or "bootp" or "not bootp".

Instead, tests for BOOTP and SMTP have to test the port number fields, so, as you note, testing for SMTP would be done with "tcp port smtp" if the services database used by your machine maps "smtp" to 25 (otherwise, you have to say "tcp port 25"). Similarly, there are BOOTP server and client ports, so you could test for "udp port bootps or udp port bootpc" (or, if the services database doesn't map "bootps" to 67 and "bootpc" to 68, "udp port 67 or udp port 68").
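The layering argument above, as an added example (not part of the original thread or of tcpdump itself): a toy matcher that evaluates the filter primitives named in the mail against constructed raw frames, testing the Ethernet type field for "arp", the IP protocol field for "icmp"/"tcp"/"udp", and the port fields for "tcp port smtp" and the BOOTP pair. The port numbers are the well-known assignments mentioned in the mail; "bootp" and "smtp" alone are rejected because no header field carries them.

```python
import struct

# Values of the two header fields that do carry a "protocol" (Ethernet type, IP protocol)
# and the well-known ports the mail mentions (25 for smtp, 67/68 for bootps/bootpc).
ETH_ARP, ETH_IP = 0x0806, 0x0800
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17
PORT_SMTP, PORT_BOOTPS, PORT_BOOTPC = 25, 67, 68

def build_frame(ethtype, proto=0, sport=0, dport=0):
    """Constructed test frame: 14-byte Ethernet header, then for IP a minimal
    20-byte IPv4 header and the 4-byte source/destination port pair."""
    frame = b"\x00" * 12 + struct.pack("!H", ethtype)
    if ethtype == ETH_IP:
        ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                             b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
        frame += ip_hdr + struct.pack("!HH", sport, dport)
    return frame

def eth_type(frame):
    return struct.unpack("!H", frame[12:14])[0]          # Ethernet packet type field

def ip_proto(frame):
    return frame[14 + 9]                                  # IP protocol field (byte 9 of the IP header)

def l4_ports(frame):
    off = 14 + (frame[14] & 0x0F) * 4                     # skip Ethernet + IP header (IHL in 32-bit words)
    return struct.unpack("!HH", frame[off:off + 4])

def matches(expr, frame):
    """Evaluate one of the tcpdump-style expressions discussed in the mail."""
    if expr == "arp":
        return eth_type(frame) == ETH_ARP
    if expr in ("icmp", "tcp", "udp"):
        want = {"icmp": IPPROTO_ICMP, "tcp": IPPROTO_TCP, "udp": IPPROTO_UDP}[expr]
        return eth_type(frame) == ETH_IP and ip_proto(frame) == want
    if expr == "tcp port smtp":                           # protocol field first, then either port
        return matches("tcp", frame) and PORT_SMTP in l4_ports(frame)
    if expr == "udp port bootps or udp port bootpc":
        return matches("udp", frame) and bool({PORT_BOOTPS, PORT_BOOTPC} & set(l4_ports(frame)))
    # "smtp", "bootp" and the like name services, not protocols: no field to test.
    raise ValueError(f"{expr!r} is not a protocol keyword; there is no header field it can test")
```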