Uwe,
Gilbert has included the correct syntax below for looking for subnetsm -
this is defintely the way to go.
If you did however insist on using the substring syntax, you would need
to use the following:
"ip[12:3] == C0:A8:01 || ip[16:3] == C0:A8:01"
(which is equivalent to "ip.addr == 192.168.1.0/24" )
The fieldds ip.src,ip.dst and ip.addr are "special" and can't be indexed
directly. Hence I had to index to the source and dest address field
offset (12 and 16 respectively) in the IP packet as shown above.
Unfortunately (and the manual isn't all that clear on this) though
integers are able to be represented by "decimal, octal, or hexadecimal",
this doesn't apply to the byte values in the substring. These have to be
hex (also shown above)
(Of course, the converse is true, and you can use hex in the index,
so "ip[0x0C:0x03] == C0:A8:01 || ip[0x10:0x03] == C0:A8:01" ,is also a
valid expression of the above expression)
Regards, Martin
Martin Visser, CISSP
Network and Security Consultant
Consulting & Integration
Technology Solutions Group - HP Services
410 Concord Road
Rhodes NSW 2138
Australia
Mobile: +61-411-254-513
Fax: +61-2-9022-1800
E-mail: martin.visserAThp.com
This email (including any attachments) is intended only for the use of
the individual or entity named above and may contain information that is
confidential, proprietary or privileged. If you are not the intended
recipient, please notify HP immediately by return email and then delete
the email, destroy any printed copy and do not disclose or use the
information in it.
-----Original Message-----
From: ethereal-dev-bounces@xxxxxxxxxxxx
[mailto:ethereal-dev-bounces@xxxxxxxxxxxx] On Behalf Of Gilbert Ramirez
Sent: Saturday, 22 October 2005 5:02 AM
To: Ethereal development
Subject: Re: [Ethereal-dev] decimals not accepted in substrings - can
youconfirm a bug?
ip.addr is an IPv4 address. It's different from an integer, or even a
series of integers. IPv4 types allow comparisons with dotted-quad
addresses (x.x.x.x) or addresses in CIDR notation, or strings which
represent DNS names.
ip.host is a string which represents only the DNS name.
For filtering on a sub-net, use CIDR notation:
ip.addr == 192.168.1.0/24
--gilbert
On 10/21/05, Uwe Galle <galle@xxxxxxxxxxx> wrote:
>
> Hi,
>
> I am trying to do a very simple thing: Build a display filter with a
"net"
> equivalent like the key word available with capture filters. But this
> seems to be difficult.
>
> I tried to use the substring operator: ip.host[0:3]==192:168:1.
> According to the Ethereal manual this should work: "You can express
> integers in decimal, octal, or hexadecimal" (Etherreal User's Guide /
> Working with captured packets / Building display filter expressions /
Combining expressions).
>
> But Ethereal does not accept decimals in substrings: "192:168:1 is
> not a valid byte string". Why? It is so easy to build capture filters
> with common IP addresses as network addresses but it seems to be
> impossible with display filters. I didn't find any information in the
manual, FAQ or mailing list.
> Is there another way to build display filters with common IP addresses
> as network addresses?
>
> By trying to find a way to do that I was confused by the ip.host and
> ip.addr field in the Ethereal documentation
> (http://www.ethereal.com/docs/dfref/i/ip.html). The IP documentation
> of Etherreal indicates that ip.host and ip.addr are in fact the same
> fields
> (http://wiki.ethereal.com/Internet_Protocol?action=show&redirect=IP):
> "Show only the IP-based traffic to or from host 192.168.0.10:
> ip.addr==192.168.0.10 (below "Display Filter"). But in the filter
> expression dialog box these two fields behave differently: They don't
> allow the same operators. Additionally ip.host allows a range but
> ip.addr does not. I didn't find an explanation for that. Furthermore,
> I expected there is also an ip.net field if there are the fields
> ip.addr and ip.host. But there isn't one. Could you explain this a
little bit, please?
>
> Thanks,
> Uwe Galle
> _______________________________________________
> Ethereal-dev mailing list
> Ethereal-dev@xxxxxxxxxxxx
> http://www.ethereal.com/mailman/listinfo/ethereal-dev
>
>
>
_______________________________________________
Ethereal-dev mailing list
Ethereal-dev@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-dev
