On May 11, 2007, at 3:06 PM, Karen Isaacson wrote:
> ip.addr == 192.168.155.12 is the string I have used to get what I am
> looking for, along with what is needed to filter out everything but
> port 80 traffic. What I get back is all traffic for 192.168.155.12, and
> 192.168.155.120, and 192.168.155.121, etc. on port 80.
What do you mean by "traffic *for* XXX.XXX.XXX.XXX"?
"ip.addr == 192.168.155.12" means "match all packets that have an
'ip.addr' field with the value 192.168.155.12". IP packets normally
have two "ip.addr" fields, one with the value of the source address,
and one with the value of the destination address, so "ip.addr ==
192.168.155.12" will match all packets that are sent *to*
192.168.155.12 *AND* all packets that are sent *from* 192.168.155.12.
I.e., a packet sent from 192.168.155.12 to 192.168.155.120 will be
matched by "ip.addr == 192.168.155.12"; it's supposed to be matched by
that filter. Similarly, a packet sent from 192.168.155.12 to
192.168.155.12 will also match, as will a packet sent from
192.168.155.121 to 192.168.155.12 or sent from 192.168.155.12 to
192.168.155.121.
If by "traffic for XXX.XXX.XXX.XXX" you mean "traffic sent *to*
XXX.XXX.XXX.XXX", you want "ip.dst == XXX.XXX.XXX.XXX". However, that
will get you only half of the traffic involving XXX.XXX.XXX.XXX - you
won't see any of the replies from XXX.XXX.XXX.XXX.
> I have seen syntax like (ip.addr == 192.168.155.12 or ip.addr ==
> 192.168.155.11) work so I wonder if I need to add parentheses.
Where would you add parentheses to "ip.addr == 192.168.155.12"?
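The field-matching rule explained above (a comparison is true when any occurrence of the field has the value, and ip.addr occurs once for the source and once for the destination) can be checked against a small constructed capture. The model below is an added example, not code from the mailing-list thread or from Wireshark; it is a toy evaluator for a subset of display-filter syntax (==, !=, not/!, and/&&, or/||, parentheses) run over five hand-written packets. It goes beyond the mail in two respects: the precedence it uses when and and or are mixed is the conventional one (not, then and, then or), chosen for the model rather than taken from Wireshark, which is a reason to parenthesise mixed filters explicitly; and it shows the consequence of the any-occurrence rule for !=, which under the same rule is not the negation of == (later Wireshark releases changed what != means for multi-occurrence fields, so check the wireshark-filter manual page for the version you run).

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:          # constructed TCP/IP packet with only the fields the filters use
    src: str
    dst: str
    sport: int
    dport: int

def field_occurrences(pkt):
    """Model a dissector's view: each field name maps to EVERY occurrence in the
    packet. 'ip.addr' and 'tcp.port' occur twice (source and destination), which is
    why 'ip.addr == X' matches packets sent to X and packets sent from X."""
    return {"ip.src": [pkt.src], "ip.dst": [pkt.dst], "ip.addr": [pkt.src, pkt.dst],
            "tcp.port": [pkt.sport, pkt.dport]}

TOKEN = re.compile(r"\(|\)|==|!=|!|[^\s()=!]+")

class FilterParser:
    """Recursive-descent parser for a subset of display-filter syntax: 'field == value',
    'field != value', not/!, and/&&, or/||, parentheses. Precedence in this model is
    the conventional one (not binds tightest, then and, then or); that is an assumption
    of the model, so mixed and/or filters should be parenthesised explicitly."""

    def __init__(self, text):
        self.tokens, self.pos = TOKEN.findall(text), 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        if self.peek() is None:
            raise ValueError("unexpected end of filter")
        self.pos += 1
        return self.tokens[self.pos - 1]

    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise ValueError("unexpected token %r" % self.peek())
        return node

    def parse_or(self):
        node = self.parse_and()
        while self.peek() in ("or", "||"):
            self.take()
            node = ("or", node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_not()
        while self.peek() in ("and", "&&"):
            self.take()
            node = ("and", node, self.parse_not())
        return node

    def parse_not(self):
        if self.peek() in ("not", "!"):
            self.take()
            return ("not", self.parse_not())
        if self.peek() == "(":
            self.take()
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        field, op, literal = self.take(), self.take(), self.take()
        if op not in ("==", "!="):
            raise ValueError("unsupported operator %r" % op)
        return ("cmp", field, op, int(literal) if literal.isdigit() else literal)

def evaluate(node, pkt):
    """A comparison is true if ANY occurrence of the field satisfies it and false when
    the field is absent. Consequence: 'ip.addr != X' is true for every packet in which
    the *other* address is not X, so it is not the same as 'not ip.addr == X'."""
    kind = node[0]
    if kind == "or":
        return evaluate(node[1], pkt) or evaluate(node[2], pkt)
    if kind == "and":
        return evaluate(node[1], pkt) and evaluate(node[2], pkt)
    if kind == "not":
        return not evaluate(node[1], pkt)
    _, field, op, value = node
    values = field_occurrences(pkt).get(field, [])
    return any((v == value) if op == "==" else (v != value) for v in values)

def apply_filter(filter_text, packets):
    """Return the packets a display filter would keep, in capture order."""
    tree = FilterParser(filter_text).parse()
    return [pkt for pkt in packets if evaluate(tree, pkt)]

# Constructed five-packet capture (not a real trace); the host of interest is .12.
CAPTURE = [
    Packet("192.168.155.12", "192.168.155.120", 40001, 80),   # .12 -> .120, request
    Packet("192.168.155.120", "192.168.155.12", 80, 40001),   # .120 -> .12, the reply
    Packet("192.168.155.121", "192.168.155.12", 40002, 80),   # .121 -> .12
    Packet("192.168.155.12", "192.168.155.11", 40003, 443),   # .12 -> .11, not port 80
    Packet("192.168.155.120", "192.168.155.121", 40004, 80),  # .12 not involved
]
```

Running apply_filter("ip.addr == 192.168.155.12 and tcp.port == 80", CAPTURE) keeps the first three packets, including the one sent from .12 to .120 and the one from .121 to .12, which is exactly the result described in the question: the .120 and .121 traffic is there because .12 is the other end of it, not because of any prefix match. Swapping in "ip.dst == 192.168.155.12" keeps only the two packets addressed to .12 and drops the request .12 sent, i.e. half of the conversation. The value that is equal on both ends of a comparison ("ip.addr == X" is a literal address, not a prefix) is the whole story; the parentheses in the quoted example only matter once two filters are combined with or.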