On Sat, Jun 01, 2002 at 08:37:59PM +0200, carlos Hidalgo wrote:
> I don�t know if this is a very easy question but I need to filter ieee
> 802.3 traffic and it seems as ethereal doesn�t support it.
"Support it" in what sense?
Ethereal can certainly distinguish between IEEE 802.3 and Ethernet II
traffic in an Ethernet capture, so it supports 802.3 in that sense.
If you have already captured the traffic, and want to have a display
filter that shows only 802.3 traffic, the filter
eth.len
should do it - 802.3 frames have a length field, but Ethernet II frames
don't, and that filter will show only frames with an 802.3 length field.
If you want to display only Ethernet II frames,
!eth.len
should do it, for the same reason - it'll show only frames that *don't*
have an 802.3 length field.
So Ethereal supports display filters that test whether an Ethernet frame
is an 802.3 frame or not.
The capture filters aren't part of Ethereal, they're part of libpcap;
Ethereal just calls libpcap to do packet capturing.
libpcap doesn't have a single filter operation to check for 802.3 or for
Ethernet II; however, as the difference between them is whether the
type/length field is <= 1500 (802.3) or > 1500 (Ethernet II), and as
libpcap capture filters can test arbitrary data in the Ethernet header,
an expression that would capture only 802.3 frames would be
ether[12:2] <= 1500
which tests whether the 2-byte big-endian field at an offset of 12 bytes
from the beginning of the Ethernet header - 12 is the offset of the
type/length field, and it's a 2-byte big-endian field - is <= 1500. An
expresion to capture only Ethernet II frames would then be
ether[12:2] > 1500
