
Ethereal-users: Re: [Ethereal-users] Display Filter and Capture Filter

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Hansang Bae <hbae@xxxxxxxxxx>
Date: Tue, 08 Mar 2005 13:51:46 -0500
>On Mon, 2005-03-07 at 02:47, Eric Lam, Fu Wa wrote:
>> I am new to Ethereal (0.10.7). I set up a display filter
>> (mgcp.rsp.rspcode >= 500 and mgcp.rsp.rspcode <= 530 and
>> mgcp.rsp.rspcode != 501 and mgcp.rsp.rspcode != 510). Would anyone
>> teach me how to setup the capture filter so that only the traffic with
>> (mgcp.rsp.rspcode >= 500 and mgcp.rsp.rspcode <= 530 and
>> mgcp.rsp.rspcode != 501 and mgcp.rsp.rspcode != 510) will be captured.
>> Many thanks.



It may be painful to do. But you *may* be able to do this by using the binary AND feature of tcpdump syntax. For example "tcp[13:1] & 3 != 0" will catch all SYN and FIN packets.

You may be able to craft such a filter. But if you have the disk space, you may want to filter this in Ethereal's display filter.

hsb
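
The byte-offset approach suggested in the reply, worked through as an added example that is not part of the original post: it builds a tcpdump-syntax capture filter for MGCP response codes 500-530 except 501 and 510, and evaluates the same byte comparisons on constructed UDP segments. It assumes MGCP runs over UDP on ports 2427 and 2727 and that the three-digit ASCII response code is the first thing in the UDP payload; all function names are hypothetical.

```python
import struct

# Assumed MGCP ports (2427 gateway, 2727 call agent); adjust to the deployment.
MGCP_PORTS = (2427, 2727)

def build_capture_filter(ports=MGCP_PORTS):
    """pcap-filter expression for MGCP response codes 500-530 except 501 and 510.
    udp[8] is the first payload byte (the UDP header is 8 bytes long)."""
    port_expr = " or ".join(f"udp port {p}" for p in ports)
    return (
        f"({port_expr}) and udp[8] = 0x35 and "          # first digit '5'
        "((udp[9] >= 0x30 and udp[9] <= 0x32 and "       # second digit '0'..'2'
        "udp[10] >= 0x30 and udp[10] <= 0x39) or "       # third digit '0'..'9'
        "udp[9:2] = 0x3330) and "                        # or exactly "30" (530)
        "udp[9:2] != 0x3031 and udp[9:2] != 0x3130"      # not 501, not 510
    )

def udp_matches(segment, ports=MGCP_PORTS):
    """Evaluate the same byte comparisons on a raw UDP segment (header + payload)."""
    if len(segment) < 11:
        return False
    sport, dport = struct.unpack("!HH", segment[:4])
    if sport not in ports and dport not in ports:
        return False
    d1, d2, d3 = segment[8], segment[9], segment[10]
    pair = (d2 << 8) | d3                                # same value as udp[9:2]
    in_range = (0x30 <= d2 <= 0x32 and 0x30 <= d3 <= 0x39) or pair == 0x3330
    return d1 == 0x35 and in_range and pair not in (0x3031, 0x3130)

def tcp_syn_or_fin(tcp_header):
    """The post's example: tcp[13:1] & 3 != 0 (FIN = 0x01, SYN = 0x02)."""
    return tcp_header[13] & 3 != 0

def make_udp(payload, sport=2427, dport=2727):
    """Constructed UDP segment for the demo (checksum left at zero)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

if __name__ == "__main__":
    print(build_capture_filter())
    for code in (b"200", b"500", b"501", b"510", b"524", b"530", b"531"):
        print(code.decode(), udp_matches(make_udp(code + b" 1234 constructed\n")))
```

The filter only sees a response code at the very start of the UDP payload, so a response that does not begin the datagram is not matched.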