Re: [Ethereal-users] display filters, how do I say OR? and how do I see only the initial connections?

[Guy Harris <guy@xxxxxxxxxxxx>]

james hanley wrote:
> -------------------
> The Ethereal project is being continued at a new site.  Please go to
> http://www.wireshark.org and subscribe to wireshark-users@xxxxxxxxxxxxxx
> Don't forget to unsubscribe from this list at
> http://www.ethereal.com/mailman/listinfo/ethereal-users
> -------------------
>
>
>
> ------------------------------------------------------------------------
>
> 1)
> how do I say OR ?
> AND is &&
>  
> for example, I want to say 
> tcp.dstport != 3389 "OR" tcp.srcport != 3389

The same way you do in Wireshark, as per the above, so I'm redirecting 
this to the wireshark-users list.

In Wireshark, just as AND is &&, OR is...

...||.

> 2)
> how do I see only the initial connections? and just incoming or just 
> outgoing?
>  
> is there an  easier way than this? (i'm not even sure if this is right)
>  
> my ip is 192.168.0.2
>  
> for incoming-
> tcp.flags.syn == 1 && tcp.flags.ack==0 && ip.src != 192.168.0.2

That's the correct filter to see attempts by other machines to connect 
to your machine - it matches packets that have SYN set and ACK not set 
(so it's the initial SYN) that are not coming from your machine.

> for outgoing-
> tcp.flags.syn == 1 && tcp.flags.ack==0 && ip.src == 192.168.0.2

Ditto.

No, there's no simpler expression (unless somebody's added a new field 
to the TCP dissector while I wasn't watching).