Ethereal-users: [Ethereal-users] capture filters - whats wrong with 'not ether proto arp'

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Index Thread Index Other Months All Mailing Lists
Date Prev Date Next Thread Prev Thread Next
From: jim cromie <jcromie@xxxxxxxxxx>
Date: Sat, 23 Feb 2002 16:06:25 -0700
hi folks,

my 1st day using ethereal - very cool

w/o filters, I get ARP traffic from my dsl router, Id like to filter them,
the ARP packets of dis-interest show as:

Frame 1 (60 on wire, 60 captured)
   Arrival Time: Feb 23, 2002 15:40:10.856992000
   Time delta from previous packet: 0.000000000 seconds
   Time relative to first packet: 0.000000000 seconds
   Frame Number: 1
   Packet Length: 60 bytes
   Capture Length: 60 bytes
Ethernet II
   Destination: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff)
   Source: 00:04:9a:87:7b:7f (cisco)
   Type: ARP (0x0806)
   Trailer: 00000000000000000000000000000000...
Address Resolution Protocol (request)
   Hardware type: Ethernet (0x0001)
   Protocol type: IP (0x0800)
   Hardware size: 6
   Protocol size: 4
   Opcode: request (0x0001)
   Sender hardware address: 00:04:9a:87:7b:7f
   Sender protocol address: 10.0.0.1
   Target hardware address: 00:00:00:00:00:00
   Target protocol address: 10.0.0.243

from above, I infer that ARP is an Ethernet II protocol.


'not ether proto arp'        -> unable to parse filter string  (parse error)
'not ether proto ARP' -> " " " " " (unknown ether proto ARP) 

'not ip proto ARP'        -> "    (unknown ip proto ARP)
'not ip proto GRE'        -> works.

'not ip proto 0x0806'    -> works


so I conclude :
filtering IP protocols by name works (ex. GRE), but not for Ethernet protocols. 

or am I missing something ?

tia.
jimc