Ethereal-users: Re: [Ethereal-users] beginner question on filtering using tethereal
On Sep 15, 2003, at 5:04 PM, Steve Pringle wrote:
I'd like to look at all SIP, RDP and UDP traffic on a Solaris
box. What is the command line for tethereal that will show only the
SIP, RDP and UDP traffic?
From a brute force perspective I've tried excluding just the telnet
traffic, but still got telnet traffic.
i.e.,
tethereal -R "not telnet"
Capturing on hme0
0.269879 209.65.103.8 -> 135.229.162.7 TCP 2431 > telnet [ACK] Seq=1759884894 Ack=2107991995 Win=9301 Len=0
0.463473 209.65.103.8 -> 135.229.162.7 TCP 2431 > telnet [ACK] Seq=1759884894 Ack=2107992001 Win=9295 Len=0
What do you mean by "telnet traffic"?
"not telnet" means "not a packet that includes Telnet data". The
packets in question are ACK-only packets - note that the payload length
is 0 ("Len=0"), which means that there's no data in the packet. Even
though those packets might be going to or from the Telnet port, they
are *not* considered to be Telnet packets by the Ethereal dissection
code, so a read filter of "not telnet" will not exclude them.
If you want to exclude even packets that contain no Telnet data, you'd
have to do it based on the TCP port number for Telnet (which means you
could do it with a capture filter).
To show only SIP data, the filter would have to be "sip", and that'd
have to be a read filter, not a capture filter, unless *ALL* SIP
traffic is either to or from port 5060.
I don't know what protocol you're referring to as "RDP", so I don't
know what filter you'd use for that.
To show UDP traffic, either the display or capture filter "udp" would
work.
To show SIP TCP traffic, and all UDP traffic, you'd do
tethereal -R "sip or udp".
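An added example, not part of the thread, that models the distinction the reply draws: a protocol-name read filter ("telnet", "sip") matches only what the dissector could decode, so a Len=0 ACK on port 23 survives "not telnet", whereas a port-based filter (the read filter "tcp.port == 23", or a capture filter such as "port 5060") matches on headers alone and so misses SIP carried on another port. The dissector logic here is a deliberate simplification of Ethereal's (assumption: Telnet is recognised by port, SIP by its request/status line), and the sample packets are constructed.

```python
from dataclasses import dataclass

TELNET_PORT = 23   # TCP port Telnet listens on
SIP_PORT = 5060    # SIP port named in the reply


@dataclass
class Packet:
    proto: str       # "TCP" or "UDP"
    sport: int
    dport: int
    payload: bytes   # application data; b"" for a pure ACK (Len=0)


def dissected_protocol(pkt: Packet) -> str:
    """Approximate the label the dissector would give this packet."""
    if not pkt.payload:             # Len=0: nothing for an application dissector
        return pkt.proto
    first_line = pkt.payload.split(b"\r\n", 1)[0]
    if b"SIP/2.0" in first_line:    # "INVITE ... SIP/2.0" or "SIP/2.0 200 OK"
        return "sip"                # found regardless of port (assumed heuristic)
    if pkt.proto == "TCP" and TELNET_PORT in (pkt.sport, pkt.dport):
        return "telnet"
    return pkt.proto


def apply_read_filter(expr: str, pkts):
    """Evaluate the read-filter expressions discussed in the thread."""
    if expr == "not telnet":        # dissector-based: keeps data-less ACKs
        return [p for p in pkts if dissected_protocol(p) != "telnet"]
    if expr == "not tcp.port == 23":  # port-based: drops every port-23 segment
        return [p for p in pkts
                if not (p.proto == "TCP" and TELNET_PORT in (p.sport, p.dport))]
    if expr == "sip or udp":
        return [p for p in pkts if dissected_protocol(p) == "sip" or p.proto == "UDP"]
    raise ValueError(expr)


def apply_capture_filter(expr: str, pkts):
    """Capture filters see only headers: "port 5060" is pure port matching."""
    if expr == "port 5060":
        return [p for p in pkts if SIP_PORT in (p.sport, p.dport)]
    raise ValueError(expr)


# Constructed sample traffic: the two Len=0 ACKs from the question, one Telnet
# data segment, SIP over UDP/5060, and SIP over TCP on a port other than 5060.
SAMPLE = [
    Packet("TCP", 2431, 23, b""),
    Packet("TCP", 2431, 23, b""),
    Packet("TCP", 23, 2431, b"login: "),
    Packet("UDP", 5060, 5060, b"INVITE sip:bob@example.net SIP/2.0\r\n"),
    Packet("TCP", 40000, 5080, b"SIP/2.0 200 OK\r\n"),
]
```

With this sample, "not telnet" keeps four packets (the two ACKs included) while "not tcp.port == 23" keeps two, and the capture filter "port 5060" finds one SIP packet where the read filter "sip or udp" finds two.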