On Mon, Mar 04, 2002 at 02:13:27AM -0800, laila khreisat wrote:
> I am trying to capture IP packets only,
The tcpdump man page (which documents the filter expression syntax of
libpcap - both tcpdump and Ethereal use libpcap to capture packets, and
both have the same capture filter syntax) says:
    expression
        selects which packets will be dumped. If no expression is
        given, all packets on the net will be dumped. Otherwise, only
        packets for which expression is `true' will be dumped.
    ...
    The expression consists of one or more primitives. Primitives
    usually consist of an id (name or number) preceded by one or more
    qualifiers. There are three different kinds of qualifier:

    type   qualifiers say what kind of thing the id name or number
           refers to. Possible types are host, net and port. E.g.,
           `host foo', `net 128.3', `port 20'. If there is no type
           qualifier, host is assumed.
    ...
    Allowable primitives are:
    ...
    ether proto protocol
        True if the packet is of ether type protocol. Protocol can be
        a number or a name like ip, arp, or rarp. Note these
        identifiers are also keywords and must be escaped via
        backslash (\). [In the case of FDDI (e.g., `fddi protocol
        arp'), the protocol identification comes from the 802.2
        Logical Link Control (LLC) header, which is usually layered on
        top of the FDDI header. Tcpdump assumes, when filtering on the
        protocol identifier, that all FDDI packets include an LLC
        header, and that the LLC header is in so-called SNAP format.]
    ...
    ip, arp, rarp, decnet, iso
        Abbreviations for:
            ether proto p
        where p is one of the above protocols.
so a capture filter to capture only IP packets would just be "ip".
> or filter the captured packets so as to get IP packets only.
If you've already captured packets that include both IP and non-IP
packets, a display filter to show only IP packets would also be "ip".
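As an added illustration (not part of the original message, and not libpcap's own code), the following Python snippet shows what the `ip` primitive actually tests on an Ethernet capture: it is the abbreviation for `ether proto \ip`, i.e. "the EtherType field at bytes 12-13 of the frame equals 0x0800". The frames are constructed sample data, not a real capture. One caveat worth knowing when checking a capture: an 802.1Q-tagged IPv4 frame carries 0x8100 at that offset, so a plain `ip` filter does not select it (tcpdump needs `vlan and ip` for those), and the example includes such a frame to show it being left out.

```python
import struct

# EtherType values the filter primitives are compared against
ETHERTYPE_IPV4 = 0x0800   # what "ip" / "ether proto \ip" matches
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV6 = 0x86DD
ETHERTYPE_VLAN = 0x8100   # 802.1Q tag; the real EtherType follows the tag


def build_frame(ethertype, payload=b"\x00" * 20,
                dst=b"\xff" * 6, src=b"\x02\x00\x00\x00\x00\x01"):
    """Build a minimal Ethernet II frame (constructed sample data, not a real packet)."""
    return dst + src + struct.pack("!H", ethertype) + payload


def ethertype(frame):
    """Return the EtherType at bytes 12-13, or None if the frame is too short to have one."""
    if len(frame) < 14:
        return None
    return struct.unpack("!H", frame[12:14])[0]


def matches_ip(frame):
    """Equivalent of the capture/display filter 'ip' on an Ethernet link."""
    return ethertype(frame) == ETHERTYPE_IPV4


def filter_ip(frames):
    """Keep only the frames the 'ip' filter would select."""
    return [f for f in frames if matches_ip(f)]


# Constructed sample frames: one of each kind a mixed capture might contain
SAMPLE_FRAMES = {
    "arp": build_frame(ETHERTYPE_ARP),
    "ipv4": build_frame(ETHERTYPE_IPV4),
    "ipv6": build_frame(ETHERTYPE_IPV6),
    # VLAN-tagged IPv4: 0x8100 and a TCI come first, then the inner EtherType 0x0800
    "vlan_ipv4": build_frame(
        ETHERTYPE_VLAN,
        struct.pack("!HH", 0x0064, ETHERTYPE_IPV4) + b"\x00" * 20,
    ),
}


def matching_names():
    """Names of the sample frames that the 'ip' filter selects."""
    return sorted(name for name, f in SAMPLE_FRAMES.items() if matches_ip(f))


if __name__ == "__main__":
    print(matching_names())  # ['ipv4']
```

The same check is what a display filter `ip` applies after the fact, so the capture filter and the display filter select the same frames on a plain Ethernet capture.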