Ethereal: Re: [Ethereal-users] display filters, how do I say OR? and how do I see only the initial connections

Ethereal-users: August 2006

Subject: Re: [Ethereal-users] display filters, how do I say OR? and how do I see only the initial connections?
From: Jaap Keuter <jaap.keuter@xxxxxxxxx>
Date: Fri, 11 Aug 2006 11:22:52 +0200 (CEST)


> 1)
> how do I say OR ?
> AND is &&
>
> for example, I want to say
> tcp.dstport != 3389 "OR" tcp.srcport != 3389

How about ||

> 2)
> how do I see only the initial connections? and just incoming or just
> outgoing?

What are initial connections? On what protocol?

> is there an  easier way than this? (i'm not even sure if this is right)
>
> my ip is 192.168.0.2
>
> for incoming-
> tcp.flags.syn == 1 && tcp.flags.ack==0 && ip.src != 192.168.0.2
>
> for outgoing-
> tcp.flags.syn == 1 && tcp.flags.ack==0 && ip.src == 192.168.0.2

For TCP this looks alright to me, other protocol require their own filter.

> thanks

You're welcome,
Jaap

References:
- [Ethereal-users] display filters, how do I say OR? and how do I see only the initial connections?
  - From: james hanley

Prev by Date: Re: [Ethereal-users] display filters, how do I say OR? and how do I see only the initial connections?
Next by Date: [Ethereal-users] Quick packet marking questions
Previous by thread: Re: [Ethereal-users] display filters, how do I say OR? and how do I see only the initial connections?
Next by thread: [Ethereal-users] Quick packet marking questions
Index(es):
- Date
- Thread