Wireshark-users: Re: [Wireshark-users] filter to capture ospf pacets?

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Thu, 02 Nov 2006 10:03:09 -0800

stan wrote:

Now, I really ought to learn something from this exercise. What does teh
proto keyword mean, and where can I look up values for it?

See the tcpdump man page, if you're running on a UN*X system - or, if "man tcpdump" at the command line doesn't work, see

	http://www.tcpdump.org/tcpdump_man.html

On Windows, see the WinDump man page:

	http://www.winpcap.org/windump/docs/manual.htm

(the main differences that will matter here are differences due to additional filtering capabilities being added to libpcap over time).

See the section that begins with

  expression

selects which packets will be dumped. If no expression is given, all packets on the net will be dumped. Otherwise, only packets for which expression is `true' will be dumped.

That section describes the filter expressions supported by libpcap - and thus by applications that use it for filtering, such as tcpdump/WinDump and Wireshark/TShark.

"proto" refers to a variety of protocol type fields; in this case, it's referring to the IP protocol field. On UN*X systems, at least, you'll probably file a file "/etc/protocols" on your system, which has a list of protocol names and numbers; the names can be used instead of the numbers, e.g.:

	$ egrep ospf /etc/protocols
	ospf    89      OSPFIGP         # Open Shortest Path First IGP

which means "proto ospf" would be equivalent to "proto 89".

The *full* list of protocols can be found at

	http://www.iana.org/assignments/protocol-numbers