
Ethereal-users: Re: [Ethereal-users] capture filters - whats wrong with 'not ether proto arp'

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Sat, 23 Feb 2002 15:17:42 -0800
On Sat, Feb 23, 2002 at 04:06:25PM -0700, jim cromie wrote:
> from above, I infer that ARP is an Ethernet II protocol.

It is a protocol that runs, on Ethernet, atop Ethernet II.

> 'not ether proto arp'        -> unable to parse filter string  (parse error)
> 'not ether proto ARP'    ->  "        "        "        "        "    
>     (unknown ether proto ARP)
> 
> 'not ip proto ARP'        -> "    (unknown ip proto ARP)
> 'not ip proto GRE'        -> works.
> 
> 'not ip proto 0x0806'    -> works
> 
> 
> so I conclude :
> 
> filtering IP protocols by name works (ex. GRE), but not for Ethernet 
> protocols.
> 
> or am I missing something ?

Yes, you're missing a backslash. :-)

To quote the tcpdump man page (which is the man page that documents the
filter expression syntax supported by libpcap; libpcap is the library
used by tcpdump, Ethereal, and a number of other programs to do packet
capture, and that includes doing filtering when capturing):

	expression
	      selects  which  packets  will  be  dumped.   If  no
	      expression is given, all packets on the net will be
	      dumped.	Otherwise, only packets for which expres-
	      sion is `true' will be dumped.

		...


	      ether proto protocol
		     True  if  the packet is of ether type proto-
		     col.  Protocol can be a  number  or  a  name
		     like  ip,	arp, or rarp.  Note these identi-
					       ^^^^^^^^^^^^^^^^^^
		     fiers are also keywords and must be  escaped
		     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
		     via  backslash  (\).   [In  the case of FDDI
		     ^^^^^^^^^^^^^^^^^^^
		     (e.g., `fddi protocol  arp'),  the  protocol
		     identification  comes from the 802.2 Logical
		     Link Control (LLC) header, which is  usually
		     layered  on top of the FDDI header.  Tcpdump
		     assumes,  when  filtering	on  the  protocol
		     identifier, that all FDDI packets include an
		     LLC header, and that the LLC  header  is  in
		     so-called SNAP format.]

so:

	% tcpdump 'not ether proto arp'
	tcpdump: syntax error

but

	% tcpdump 'not ether proto \arp'
	tcpdump: listening on fxp0

So if you use a filter expression of

	not ether proto \arp

rather than

	not ether proto arp

that'll work.

Then again, as they note, "arp" is a keyword; to quote the man page
again:

	      ip, arp, rarp, decnet, iso
		     Abbreviations for:
			  ether proto p
		     where p is one of the above protocols.

so just

	not arp

will do the same thing as

	not ether proto \arp

"gre" is not a keyword in the libpcap grammar, so it doesn't have to be
escaped with a backslash, unlike "arp".