> On Tue, Jan 09, 2001 at 03:11:20PM -0900, James A. Crippen wrote:
> > I want to see everything on eth0 except ipx traffic, so I say
> > tethereal -i eth0 "not ipx"
> > but I get
> > tethereal: Unable to parse filter string (parse error).
> > However if I say something like
> > tethereal -i eth0 "not ip"
> > then I get lots of IPX traffic, but no IP traffic, which is what I'd
> > expect. I have the same problem filtering NetBIOS, NBNS, and some
> > others. The converse is also true, I can't filter "ipx" or "netbios" or
> > the like.
>
> Try: tethereal -i eth0 -R not ipx
>
> Which uses a "read filter" instead of a "capture filter". A "read filter"
> uses [t]ethereal's filter syntax, while a capture filter uses libpcap's
> filter syntax (which is defined in the tcpdump man page).
...although read filters are more expensive than capture filters
(capture filters just involve interpreting a small
pseudo-machine-language program, display filters involve dissecting the
whole packet - and the interpreter for capture filters, on some
platforms, is inside the kernel, so that packets that don't pass don't
even get copied up to userland).

You could construct, by hand, an expression to test the appropriate
fields in the Ethernet and LLC header; the check would test whether the
2 bytes starting at an offset of 12 are less than or equal to 1500 and,
if so, testing whether the next byte is 0xE0. That would find Netware
packets using 802.2. (Other expressions would be needed for Netware
over D/I/X Ethernet - ETHERTYPE_IPX, 0x8137 - and *barf* Netware over
raw 802.3.)

See mail messages

http://www.ethereal.com/lists/ethereal-users/200008/msg00176.html
http://www.ethereal.com/lists/ethereal-users/200008/msg00178.html
http://www.ethereal.com/lists/ethereal-users/200008/msg00179.html

Gilbert's filter with 0xffff checks for Netware over raw 802.3; my
followup gives the expression for checking for 1500, and the DSAP test
would be

	ether[14] == 0xe0

I think.

So to test for 802.3 IPX, it'd be

	ether[12:2] <= 1500 && ether[14:2] == 0xffff

and to test for 802.2 IPX, it'd be

	ether[12:2] <= 1500 && ether[14] == 0xe0

and to test for IPX-over-Ethernet, it'd be, I think

	ether proto 0x8137

The Grand Unified IPX Filter would be, I think

	ether[12:2] <= 1500 && (ether[14:2] == 0xffff || ether[14] == 0xe0) ||
	ether proto 0x8137

Similarly, for NetBIOS, you'd do something similar, only checking for
0xF0 rather than 0xE0. NetBIOS doesn't have the 0xffff or "ether proto"
stuff, so that'd just be

	ether[12:2] <= 1500 && ether[14] == 0xf0

NBNS is part of NetBIOS-over-TCP, and runs on UDP port 137, so the
expression to check for NBNS is just

	udp port 137

or on some platforms

	udp port netbios-ns

would do the job (if the "/etc/services" file or appropriate NIS maps
have "netbios-ns").

I may look into expanding libpcap's filter expression capabilities, for
libpcap 0.7, to let you specify some of those protocol types in a
somewhat more friendly fashion.
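The byte tests behind the capture filters in the reply above, written out as an added Python example (not code from the thread or from libpcap) and applied to constructed Ethernet frames; the frame builder and the sample MAC and IP addresses in it are placeholders, not captured traffic.

```python
import struct

# Constants named in the mail above; the frames built below are constructed samples.
ETHERTYPE_IPX = 0x8137       # IPX over D/I/X (Ethernet II): "ether proto 0x8137"
MAX_8023_LENGTH = 1500       # ether[12:2] <= 1500 means an 802.3 length field, not a type
DSAP_IPX = 0xE0              # LLC DSAP for Netware over 802.2
DSAP_NETBIOS = 0xF0          # LLC DSAP for NetBIOS
RAW_8023_IPX = 0xFFFF        # IPX checksum field right after the 802.3 header (raw 802.3)
ETHERTYPE_IP = 0x0800
IPPROTO_UDP = 17
NBNS_PORT = 137

def _u16(frame, off):
    """ether[off:2]; None when the frame is too short (BPF fails such a load)."""
    return struct.unpack_from("!H", frame, off)[0] if len(frame) >= off + 2 else None

def is_ipx(frame):
    """ether[12:2] <= 1500 && (ether[14:2] == 0xffff || ether[14] == 0xe0) || ether proto 0x8137
    (&& binds tighter than || in libpcap syntax, so the two 802.3 tests group together)."""
    lt = _u16(frame, 12)
    if lt is None:
        return False
    if lt == ETHERTYPE_IPX:                      # Ethernet II framing
        return True
    if lt <= MAX_8023_LENGTH and _u16(frame, 14) is not None:
        return _u16(frame, 14) == RAW_8023_IPX or frame[14] == DSAP_IPX
    return False

def is_netbios(frame):
    """ether[12:2] <= 1500 && ether[14] == 0xf0"""
    lt = _u16(frame, 12)
    return lt is not None and lt <= MAX_8023_LENGTH and len(frame) > 14 and frame[14] == DSAP_NETBIOS

def is_nbns(frame):
    """udp port 137: IPv4, UDP, first fragment only, and either UDP port equal to 137."""
    if _u16(frame, 12) != ETHERTYPE_IP or len(frame) < 34:
        return False
    ihl = (frame[14] & 0x0F) * 4                 # IPv4 header length in bytes
    if frame[23] != IPPROTO_UDP or (_u16(frame, 20) & 0x1FFF) != 0:
        return False                             # libpcap's port test skips non-first fragments
    sport, dport = _u16(frame, 14 + ihl), _u16(frame, 16 + ihl)
    return NBNS_PORT in (sport, dport)

def frame(lt_field, payload):
    """Constructed sample frame: placeholder MACs, length/type field, then payload."""
    return b"\xff" * 6 + b"\x00\x00\x00\x00\x00\x01" + struct.pack("!H", lt_field) + payload
```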