Ethereal-users: Re: [Ethereal-users] capture filter and greater than operand

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: John Que <qwejohn@xxxxxxxxx>
Date: Thu, 14 Jul 2005 07:13:32 -0400
Hello,
Thanks;

I had made the following tests, and
these are my results:
since I am using udp and not tcp I had tried with udp[2:2] and not tcp[2:2]

When the filter is udp[2:2] > 8000 it works - gives all packets sent to port
larger than 8000.
Also udp[2:2] < 8000 gives the expected results.

When in conjunction with another than qualifier - it does ***NOT*** work.
like 
udp[2:2] > 8000 and udp[2:2] <8010
or 
(udp[2:2] > 8000 and udp[2:2] <8010)
or 
( (udp[2:2] > 8000) and (udp[2:2] <8010) )

I don't have a clue why joining both conditions does not work.

Does anybody know?

Regards,
John


On 7/13/05, Ulf Lamping <ulf.lamping@xxxxxx> wrote:
> 
> 
> John Que <qwejohn@xxxxxxxxx>, Ethereal user support <ethereal-users@xxxxxxxxxxxx> wrote on 13.07.05 17:49:54:
> >
> > Hello,
> > Is there a way to define in a capture filter so that it will catch
> > packets in a range of
> > ports (like port is greater than 1000 and less than 1010)?
> >
> >  (I know to do it in a Display Filter, but trying port > 1000 or port
> > gt 1000 fails
> > with a syntax error in capture filter).
> >
> 
> You may try:
> 
> (tcp[0:2] > 1000 and tcp[0:2] < 1010) or (tcp[2:2] > 1000 and tcp[2:2] < 1010)
> 
> Explanation:
> 
> tcp[0:2] is the source port field in TCP (offset 0, length 2)
> tcp[2:2] is the destination port field in TCP
> 
> I didn't try it myself, so please report success or failure. If successful, I can add this filter string to the wiki.
> 
> Regards, ULFL
> 
> 
>
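
An added example, not part of the original messages: a Python model of how the `udp[0:2]` and `udp[2:2]` accessors read the 16-bit big-endian port fields, applied as the strict range test from the thread to constructed UDP headers. The helper names and sample ports are assumptions for illustration; the code models the expression's semantics and does not run libpcap.

```python
import struct


def udp_header(sport, dport, payload_len=0):
    """Build an 8-byte UDP header (checksum left at 0) for a constructed packet."""
    return struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)


def field(hdr, offset, size):
    """Model of the capture-filter accessor proto[offset:size]:
    an unsigned big-endian read of 1, 2 or 4 bytes from the protocol header."""
    if size not in (1, 2, 4):
        raise ValueError("size must be 1, 2 or 4")
    if offset < 0 or offset + size > len(hdr):
        raise ValueError("read past end of header")
    return int.from_bytes(hdr[offset:offset + size], "big")


def port_in_range(hdr, low, high):
    """Equivalent of:
    (udp[0:2] > low and udp[0:2] < high) or (udp[2:2] > low and udp[2:2] < high)
    Both comparisons are strict, so the bounds themselves do not match."""
    src = field(hdr, 0, 2)  # source port: offset 0, length 2
    dst = field(hdr, 2, 2)  # destination port: offset 2, length 2
    return (low < src < high) or (low < dst < high)


# Constructed sample packets as (source port, destination port).
SAMPLES = [
    (40000, 8000),  # destination equals the lower bound
    (40000, 8001),
    (40000, 8009),
    (40000, 8010),  # destination equals the upper bound
    (8005, 53),     # only the source port is in range
    (53, 40000),    # neither port is in range
]


def matching(samples, low, high):
    """Return the sample port pairs whose header satisfies the range test."""
    return [(s, d) for s, d in samples
            if port_in_range(udp_header(s, d), low, high)]


if __name__ == "__main__":
    for pair in matching(SAMPLES, 8000, 8010):
        print(pair)
```

To include the bounds themselves, the comparisons would be `>=` and `<=`, which the capture filter syntax also accepts.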