
Ethereal-users: Re: [Ethereal-users] How to filter IPX

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Mon, 18 Feb 2002 13:37:00 -0800
On Mon, Feb 18, 2002 at 11:00:02AM +0100, Andreas Moroder wrote:
> in our network all machines should be set to use IPX 802.3. Our Fluke tells 
> me that there are machines that send out IPX Ethernet II and IPX 802.2 
> packets, but it does not tell me who.
> 
> Can anyone please tell me how I can set the filters to see only machines 
> sending these types of frames?

First, I'll discuss capture filters, which control what packets Ethereal
captures, rather than what packets Ethereal displays in a capture that
you already have.

IPX-over-Ethernet II frames have an Ethernet type/length field value of
0x8137 (which is a type value).

IPX-over-802.2 frames have an Ethernet type/length field value that's <=
1500 (so it's a length value), and an 802.2 LLC header with a
destination SAP of 0xE0.

IPX-over-802.3 frames have an Ethernet type/length field value that's <=
1500 (so it's a length value), followed by two bytes of 0xFF.

A capture filter expression to capture only IPX-over-Ethernet II packets
would be

	ether proto 0x8137

which would check for an Ethernet type field value of 0x8137.

There's no built-in expression syntax, in the libpcap/WinPcap parser, to
check for an 802.3 frame ("802.3 frame" meaning "frame with a length
field rather than a type field", not "IPX-over-802.3 frame" -
802.2-over-802.3 frames, as well as IPX-over-802.3 frames, are both
802.3 frames), so an expression to check for that would have to be
constructed as an explicit expression, as per the "expr relop expr"
portion of the "expression" section of the tcpdump man page.

That would be

	ether[12:2] <= 1500

to check whether the Ethernet type/length field is in the range for a
length rather than a type.

If that test passes, a test for an IPX-over-802.2 frame would test the
first byte *after* the Ethernet header, i.e.

	ether[14:1] = 0xE0

So a capture filter expression that would capture IPX-over-Ethernet II,
and IPX-over-802.2, but not IPX-over-raw-802.3 frames, would be

	ether proto 0x8137 || (ether[12:2] <= 1500 && ether[14:1] = 0xE0)

Now I'll discuss display filters, if you already have a capture that
includes IPX-over-raw-802.3 packets as well as IPX-over-Ethernet II and
IPX-over-802.2 packets.

A *display* filter that would match IPX-over-Ethernet II packets and
IPX-over-802.2 packets, but not IPX-over-raw-802.3 packets, would be

	eth.type == 0x8137 || llc.dsap == 0xe0
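The three byte tests above (type field 0x8137; length field plus LLC DSAP 0xE0; length field plus 0xFFFF), applied offline to raw Ethernet frames so that the *sender* of each encapsulation is reported, which is what the original question asked for. This is an added example, not code from the message or from the Ethereal project; the sample frames and the 30-byte placeholder IPX header are constructed here, and `classify`, `matches_capture_filter` and `senders_by_encapsulation` are names chosen for this example.

```python
# Added example: classify Ethernet frames by IPX encapsulation using the byte
# tests from the message, and report which source MACs use each one.
# The frames below are constructed for this example, not captured traffic.
from typing import Dict, List, Optional, Set

IPX_ETHERTYPE = 0x8137   # Ethernet II type value for IPX
IPX_DSAP = 0xE0          # 802.2 LLC destination SAP for IPX
MAX_8023_LENGTH = 1500   # type/length values <= 1500 are lengths (802.3 frames)


def make_frame(src: str, type_or_len: int, payload: bytes,
               dst: str = "ff:ff:ff:ff:ff:ff") -> bytes:
    """Build a minimal Ethernet frame: dst(6) src(6) type/len(2) payload."""
    return (bytes.fromhex(dst.replace(":", "")) +
            bytes.fromhex(src.replace(":", "")) +
            type_or_len.to_bytes(2, "big") + payload)


def classify(frame: bytes) -> Optional[str]:
    """Return the IPX encapsulation of a frame, or None if it is not IPX."""
    if len(frame) < 16:
        return None
    type_len = int.from_bytes(frame[12:14], "big")   # ether[12:2]
    if type_len == IPX_ETHERTYPE:                     # ether proto 0x8137
        return "IPX-over-Ethernet II"
    if type_len <= MAX_8023_LENGTH:                   # length field: an 802.3 frame
        if frame[14] == IPX_DSAP:                     # ether[14:1] = 0xE0: 802.2 LLC, IPX SAP
            return "IPX-over-802.2"
        if frame[14:16] == b"\xff\xff":               # raw 802.3: IPX checksum field 0xFFFF
            return "IPX-over-raw-802.3"
    return None


def matches_capture_filter(frame: bytes) -> bool:
    """Same tests as the capture filter in the message:
    ether proto 0x8137 || (ether[12:2] <= 1500 && ether[14:1] = 0xE0)
    (matches Ethernet II and 802.2, but not raw 802.3)."""
    if len(frame) < 15:
        return False
    ether_12_2 = int.from_bytes(frame[12:14], "big")
    ether_14_1 = frame[14]
    return ether_12_2 == IPX_ETHERTYPE or (
        ether_12_2 <= MAX_8023_LENGTH and ether_14_1 == IPX_DSAP)


def senders_by_encapsulation(frames: List[bytes]) -> Dict[str, Set[str]]:
    """Map each IPX encapsulation seen to the set of source MACs using it."""
    result: Dict[str, Set[str]] = {}
    for frame in frames:
        kind = classify(frame)
        if kind is None:
            continue
        src = ":".join(f"{b:02x}" for b in frame[6:12])
        result.setdefault(kind, set()).add(src)
    return result


# Constructed sample frames. IPX_HDR is a 30-byte placeholder IPX header that
# begins with the 0xFFFF checksum field, as a real IPX header does.
IPX_HDR = b"\xff\xff" + b"\x00\x1e" + b"\x00" * 26
SAMPLE_FRAMES = [
    make_frame("00:00:00:00:00:01", IPX_ETHERTYPE, IPX_HDR),                       # Ethernet II
    make_frame("00:00:00:00:00:02", 3 + len(IPX_HDR), b"\xe0\xe0\x03" + IPX_HDR),  # 802.2 LLC
    make_frame("00:00:00:00:00:03", len(IPX_HDR), IPX_HDR),                        # raw 802.3
    make_frame("00:00:00:00:00:04", 0x0800, b"\x45" + b"\x00" * 19),               # IPv4, not IPX
    make_frame("00:00:00:00:00:05", 38, b"\x42\x42\x03" + b"\x00" * 35),           # 802.2 STP, not IPX
]

if __name__ == "__main__":
    for kind, macs in sorted(senders_by_encapsulation(SAMPLE_FRAMES).items()):
        print(f"{kind}: {', '.join(sorted(macs))}")
```

The fifth sample frame shows why the length test alone is not enough: it is an 802.3 frame (length field) but carries a non-IPX LLC SAP, so neither the capture filter nor the classifier reports it.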