Ethereal-users: Re: [Ethereal-users] Cannot filter on dst net?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Jeff Davis <jdavis@xxxxxxxxxxxxxxxxxx>
Date: Thu, 17 Nov 2005 13:34:55 -0800

Yup - that did it :)

I was trying to do a capture filter - basically capture all outbound bogon traffic to trace which host was infected with bagle - btw if there's a better way to do this please let me know.

Yeah part of my problem was using capture syntax in the display filter.  Mea Culpa.

Thanks

Wakefield, Thad M. wrote:
Try:
   (tcp and (dst net 0 or ...))

Thad
-----Original Message-----
From: ethereal-users-bounces@xxxxxxxxxxxx 
[mailto:ethereal-users-bounces@xxxxxxxxxxxx] On Behalf Of Jack Jackson
Sent: Thursday, November 17, 2005 3:23 PM
To: Ethereal user support
Subject: Re: [Ethereal-users] Cannot filter on dst net?

I'm still not sure what you are trying to do - capture filter or display filter?

A capture filter of:  dst net 192.0.0.0 mask 255.0.0.0
works for me.

The tcpdump man page at http://www.ethereal.com/docs/man-pages/tcpdump.8.html in the description for the 'net' options says "(see networks(4) for details)".  I can't find that at www.ethereal.com and the ones I found by Googling aren't very descriptive, so I'm not sure what is the legal syntax for 'net'.


At 08:53 AM 11/17/2005, Jeff Davis wrote:

Jack,

Uh, yup that is part of the problem.  n00bitis.  but still can't get the dst net capture filter to work, even if I cut it down to a couple of networks.  Looking at the expression list, there does not seem to be anything under the ip section to indicate the presence of a "net" operator.  Am I missing something really basic here or ???

Thanks

Jack Jackson wrote:

At 04:49 PM 11/16/2005, Guy Harris wrote:

Jeff Davis wrote:

This is the error message:
"net" was unexpected in this context.
The following display filter isn't a valid display filter:
(dst net 187 or tcp dst net 197)

tcpdump agrees with Ethereal:

        $ tcpdump -d '(dst net 187 or tcp dst net 197)'
        tcpdump: WARNING: en0: no IPv4 address assigned
        tcpdump: 'tcp' modifier applied to host

although it really means "'tcp' modifier applied to net" - TCP has 
neither hosts nor nets, those are properties of IP.

There's also *another* problem that I suspect is due to the filter being long (the error message might be too long), so it might be that no syntax error is displayed for your really long filter - but the long one gets the same error from tcpdump as '(dst net 187 or tcp dst net 197)' gets.

Try "dst net 0 or dst net 1 or..." instead.

But the error he got says "The following display filter isn't a valid display filter" - doesn't that mean he was trying to use capture filter syntax for a display filter?

_______________________________________________
Ethereal-users mailing list
Ethereal-users@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-users


-- 
Jefferson K. Davis
Technology and Information Systems Manager
Standard School District
1200 North Chester Ave
Bakersfield, CA  93308
USA
661-392-2110 ext 120
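The distinction the thread turns on, applied to the bogon-tracing goal from the top of the message, as an added Python example (not code from this list or from the Ethereal project): it builds the same destination-network selection in pcap capture-filter syntax and in Ethereal/Wireshark display-filter syntax, then tallies which source host sent to bogon destinations over a constructed flow list. The prefix list and the flow records are constructed for illustration, not an authoritative bogon feed or a real capture.

```python
import ipaddress
from collections import Counter

# Constructed, illustrative bogon prefixes (not an authoritative bogon list).
BOGON_PREFIXES = ["0.0.0.0/8", "127.0.0.0/8", "192.0.0.0/24", "240.0.0.0/4"]

# Constructed (src, dst) flow records standing in for a capture's IP headers.
SAMPLE_FLOWS = [
    ("192.168.1.57", "0.1.2.3"),
    ("192.168.1.10", "93.184.216.34"),
    ("192.168.1.57", "240.9.9.9"),
    ("192.168.1.22", "192.0.1.5"),
    ("192.168.1.57", "192.0.0.5"),
    ("192.168.1.22", "0.0.0.0"),
]


def capture_filter(prefixes):
    """pcap (tcpdump / Ethereal capture) syntax. 'net' is an IP-layer
    primitive, so a protocol qualifier belongs outside the parenthesised
    list ('ip and (...)'), never as 'tcp dst net ...'."""
    terms = " or ".join(f"dst net {p}" for p in prefixes)
    return f"ip and ({terms})"


def display_filter(prefixes):
    """Ethereal/Wireshark display-filter syntax for the same selection;
    there is no 'dst net' here, the field is ip.dst."""
    terms = " or ".join(f"ip.dst == {p}" for p in prefixes)
    return f"ip and ({terms})"


def bogon_sources(flows, prefixes):
    """Count, per source host, flows whose destination falls inside a bogon
    prefix. This is what the capture filter above selects on the wire."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    hits = Counter()
    for src, dst in flows:
        if any(ipaddress.ip_address(dst) in n for n in nets):
            hits[src] += 1
    return dict(hits)


if __name__ == "__main__":
    print(capture_filter(BOGON_PREFIXES))
    print(display_filter(BOGON_PREFIXES))
    print(bogon_sources(SAMPLE_FLOWS, BOGON_PREFIXES))
```

The host with the highest count is the one to look at first; the capture-filter string is what goes into the Capture Options dialog or on the tcpdump command line, the display-filter string into the filter bar.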