
Ethereal-users: RE: [Ethereal-users] Capture Filter for ICMPs

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "DAIGLE, ANDREW PAUL" <ADAIG90@xxxxxxxxxxx>
Date: Fri, 20 Jan 2006 15:36:03 -0600
Yep, Guy's right. Sorry, read the question too quick.

-----Original Message-----
From: ethereal-users-bounces@xxxxxxxxxxxx
[mailto:ethereal-users-bounces@xxxxxxxxxxxx] On Behalf Of Guy Harris
Sent: Friday, January 20, 2006 1:29 AM
To: Ethereal user support
Cc: 'Ivan Stamenkovic'
Subject: Re: [Ethereal-users] Capture Filter for ICMPs

DAIGLE, ANDREW PAUL wrote:
>> -----Original Message-----
>> From: ethereal-users-bounces@xxxxxxxxxxxx [mailto:ethereal-users-bounces@xxxxxxxxxxxx] On Behalf Of Ivan Stamenkovic
>> Sent: Thursday, January 19, 2006 3:43 PM
>> To: ethereal-users@xxxxxxxxxxxx
>> Cc: Ivan Stamenkovic
>> Subject: [Ethereal-users] Capture Filter for ICMPs
>> 
>> Hello,
>> 
>> I need a filter to stop capturing both ICMP Echo (ping) requests AND replies
>> from a specific addresses. How to?
> 
> not icmp and not host x.x.x.x

...which stops all ICMP packets and all packets from host x.x.x.x.

If you want to stop all ICMP packets to or from host x.x.x.x, but accept 
ICMP packets to and from other hosts, and all non-ICMP packets (whether 
they're to or from that host or not), it'd be

	not (icmp and host x.x.x.x)

and if you want to stop all ICMP Echo and Echo Reply packets to or from 
host x.x.x.x, and accept ICMP packets to and from other hosts, all 
non-ICMP packets, *and* non-Echo and non-Echo Reply ICMP packets to or 
from host x.x.x.x, it'd be

	not ((icmp[icmptype] == icmp-echo or icmp[icmptype] == icmp-echoreply) and host x.x.x.x)

with sufficiently recent versions of libpcap/WinPcap (older versions 
don't support using "icmptype" as an offset/length value, and 
"icmp-echo" and "icmp-echoreply" as comparison values, in expressions; I 
don't know when that was introduced, but it was a while ago, I think).

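The three filters discussed in this thread, modelled as an added example (not code from the thread or from libpcap): each filter's boolean logic is evaluated over constructed IPv4 packets to show which ones would still be captured. HOST stands in for x.x.x.x, and the addresses, sample packets and function names are assumptions made for illustration.

```python
import socket
import struct

HOST = "192.0.2.10"      # constructed stand-in for x.x.x.x
OTHER = "198.51.100.7"   # constructed unrelated host
ICMP_ECHO, ICMP_ECHOREPLY = 8, 0  # values behind icmp-echo / icmp-echoreply

def ipv4(src, dst, proto, payload):
    """Build a minimal 20-byte IPv4 header (checksum left zero) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def fields(pkt):
    """Return (is_icmp, involves_host, icmp_type) as the filters test them."""
    ihl = (pkt[0] & 0x0F) * 4
    is_icmp = pkt[9] == 1                       # "icmp": IP protocol 1
    addrs = {socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])}
    icmp_type = pkt[ihl] if is_icmp else None   # icmp[icmptype]: ICMP byte 0
    return is_icmp, HOST in addrs, icmp_type

def f_original(pkt):   # not icmp and not host x.x.x.x
    icmp, host, _ = fields(pkt)
    return (not icmp) and (not host)

def f_all_icmp(pkt):   # not (icmp and host x.x.x.x)
    icmp, host, _ = fields(pkt)
    return not (icmp and host)

def f_echo_only(pkt):  # not ((echo or echoreply) and host x.x.x.x)
    icmp, host, t = fields(pkt)
    return not (icmp and t in (ICMP_ECHO, ICMP_ECHOREPLY) and host)

SAMPLES = {  # constructed packets; ICMP payload is type byte plus 7 zero bytes
    "echo from host": ipv4(HOST, OTHER, 1, bytes([8]) + bytes(7)),
    "echo reply to host": ipv4(OTHER, HOST, 1, bytes([0]) + bytes(7)),
    "unreachable from host": ipv4(HOST, OTHER, 1, bytes([3]) + bytes(7)),
    "echo between others": ipv4(OTHER, "203.0.113.5", 1, bytes([8]) + bytes(7)),
    "tcp from host": ipv4(HOST, OTHER, 6, bytes(20)),
}

def captured(flt):
    """Names of the sample packets that the given filter lets through."""
    return [name for name, pkt in SAMPLES.items() if flt(pkt)]

if __name__ == "__main__":
    for flt in (f_original, f_all_icmp, f_echo_only):
        print(flt.__name__, captured(flt))
```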