Ethereal: Re: [Ethereal-users] Display Filter and Capture Filter

Ethereal-users: March 2005

Subject: Re: [Ethereal-users] Display Filter and Capture Filter
From: Hansang Bae <hbae@xxxxxxxxxx>
Date: Tue, 08 Mar 2005 13:51:46 -0500

>On Mon, 2005-03-07 at 02:47, Eric Lam, Fu Wa wrote:
>> I am new to Ethereal (0.10.7). I set up a display filter
>> (mgcp.rsp.rspcode >= 500 and mgcp.rsp.rspcode <= 530 and
>> mgcp.rsp.rspcode != 501 and mgcp.rsp.rspcode != 510). Would anyone
>> teach me how to setup the capture filter so that only the traffic with
>> (mgcp.rsp.rspcode >= 500 and mgcp.rsp.rspcode <= 530 and
>> mgcp.rsp.rspcode != 501 and mgcp.rsp.rspcode != 510) will be captured.
>> Many thanks.

It may be painful to do.  But you *may* be able to do this by using the binary AND feature of tcpdump syntax.  For example "tcp[13:1] & 3 != 0"  will catch all SYN and FIN packets.

You may be able to craft such a filter.  But if you have the disk space, you may want to filter this in Ethereals display filter

hsb

References:
- [Ethereal-users] Display Filter and Capture Filter
  - From: Eric Lam, Fu Wa
- Re: [Ethereal-users] Display Filter and Capture Filter
  - From: Jeff Heath

Prev by Date: Re: [Ethereal-users] Allianz Cornhill Licensing Information
Next by Date: [Ethereal-users] New Protocol Name-Newbie Question
Previous by thread: Re: [Ethereal-users] Display Filter and Capture Filter
Next by thread: Re: [Ethereal-users] Display Filter and Capture Filter
Index(es):
- Date
- Thread