Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.
Wireshark logo

Ethereal-dev: Re: [Ethereal-dev] decimals not accepted in substrings - can you confirm a bug?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: Gilbert Ramirez <gram@xxxxxxxxxxxxxxx>
Date: Fri, 21 Oct 2005 14:02:28 -0500
ip.addr is an IPv4 address. It's different from an integer, or even a
series of integers. IPv4 types allow comparisons with dotted-quad
addresses (x.x.x.x) or addresses in CIDR notation, or strings which
represent DNS names.

ip.host is a string which represents only the DNS name.

For filtering on a sub-net, use CIDR notation:

ip.addr == 192.168.1.0/24

--gilbert

On 10/21/05, Uwe Galle <galle@xxxxxxxxxxx> wrote:
>
> Hi,
>
> I am trying to do a very simple thing: Build a display filter with a "net"
> equivalent like the key word available with capture filters. But this seems
> to be difficult.
>
> I tried to use the substring operator: ip.host[0:3]==192:168:1. According to
> the Ethereal manual this should work: "You can express integers in decimal,
> octal, or hexadecimal" (Etherreal User's Guide / Working with captured
> packets / Building display filter expressions / Combining expressions).
>
> But Ethereal  does not accept decimals in substrings: "192:168:1 is not a
> valid byte string". Why? It is so easy to build capture filters with common
> IP addresses as network addresses but it seems to be impossible with display
> filters. I didn't find any information in the manual, FAQ or mailing list.
> Is there another way to build display filters with common IP addresses as
> network addresses?
>
> By trying to find a way to do that I was confused by the ip.host and ip.addr
> field in the Ethereal documentation
> (http://www.ethereal.com/docs/dfref/i/ip.html). The IP
> documentation of Etherreal indicates that ip.host and ip.addr are in fact
> the same fields
> (http://wiki.ethereal.com/Internet_Protocol?action=show&redirect=IP):
> "Show only the IP-based traffic to or from host 192.168.0.10:
> ip.addr==192.168.0.10 (below "Display Filter"). But in the filter expression
> dialog box these two fields behave differently: They don't allow the same
> operators. Additionally ip.host allows a range but ip.addr does not. I
> didn't find an explanation for that. Furthermore, I expected there is also
> an ip.net field if there are the fields ip.addr and ip.host. But there isn't
> one. Could you explain this a little bit, please?
>
> Thanks,
> Uwe Galle
> _______________________________________________
> Ethereal-dev mailing list
> Ethereal-dev@xxxxxxxxxxxx
> http://www.ethereal.com/mailman/listinfo/ethereal-dev
>
>
>
Wireshark logo footer

© Wireshark Foundation · Privacy Policy

Facebook·Mastodon·Twitter·YouTube