tcpdump mailing list archives
Re: How can I create a filter to capture all ip packets?
From: Guy Harris <guy () netapp com>
Date: Thu, 27 Feb 2003 11:46:12 -0800
On Thu, Feb 27, 2003 at 10:33:50AM -0800, Jeff Wong wrote:
> When I tried specifying the filter char *filter = "proto ip" and I tried to compile the filter it gave me an error.

"proto", by itself, isn't valid. To check for a network-layer protocol, you'd have to say something such as "ether proto" or "fddi proto" or "link proto" (they're all equivalent - libpcap already knows the link-layer type, you don't have to tell it), so "ether proto \ip", etc. would work. That's because you can also do "ip proto", to look for a particular transport-layer protocol.

"ip" is a keyword, which is why you need the escape, so

	char *filter = "ether proto \\ip";

would be needed.

However, "ip", by itself, is an abbreviation for "ether proto \ip", so you could just do

	char *filter = "ip";

-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
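What "ip" (equivalently "ether proto \ip") tests on an Ethernet capture, as an added example that is not part of the original message: a small interpreter runs the classic BPF program that `tcpdump -d ip` prints for Ethernet (load the EtherType, compare it with 0x0800) over constructed frames. The struct, function and frame names are assumptions made for this illustration, and the accept value (snaplen) differs between libpcap versions.

```c
#include <stdint.h>
#include <stdio.h>

/* Added illustration, names are hypothetical; fields mirror struct bpf_insn. */
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
enum { LDH_ABS = 0x28, JEQ_K = 0x15, RET_K = 0x06 };   /* standard cBPF opcodes */

/* Program for "ip" == "ether proto \ip" on Ethernet (snaplen value assumed). */
static const struct insn ip_prog[] = {
    { LDH_ABS, 0, 0, 12 },      /* A = EtherType, 2 bytes at offset 12 */
    { JEQ_K,   0, 1, 0x0800 },  /* IPv4: fall through, otherwise skip one */
    { RET_K,   0, 0, 262144 },  /* accept, keep up to snaplen bytes */
    { RET_K,   0, 0, 0 },       /* reject */
};

/* Constructed frames: dst MAC, src MAC, EtherType, first payload bytes. */
static const uint8_t ipv4_frame[] = { 0xff,0xff,0xff,0xff,0xff,0xff, 2,0,0,0,0,1, 0x08,0x00, 0x45,0x00 };
static const uint8_t arp_frame[]  = { 0xff,0xff,0xff,0xff,0xff,0xff, 2,0,0,0,0,1, 0x08,0x06, 0x00,0x01 };
static const uint8_t ipv6_frame[] = { 0x33,0x33,0,0,0,1, 2,0,0,0,0,1, 0x86,0xdd, 0x60,0x00 };

/* Run the program; returns bytes to keep, 0 means the packet is dropped. */
static uint32_t run_filter(const struct insn *p, size_t n, const uint8_t *pkt, size_t len)
{
    uint32_t a = 0;
    for (size_t pc = 0; pc < n; pc++) {
        switch (p[pc].code) {
        case LDH_ABS:                       /* out-of-range load drops the packet */
            if ((size_t)p[pc].k + 2 > len) return 0;
            a = ((uint32_t)pkt[p[pc].k] << 8) | pkt[p[pc].k + 1];
            break;
        case JEQ_K:  pc += (a == p[pc].k) ? p[pc].jt : p[pc].jf; break;
        case RET_K:  return p[pc].k;
        default:     return 0;              /* opcode not needed by this program */
        }
    }
    return 0;
}

static int matches_ip(const uint8_t *pkt, size_t len)
{
    return run_filter(ip_prog, sizeof ip_prog / sizeof ip_prog[0], pkt, len) != 0;
}

int main(void)
{
    printf("IPv4 %d, ARP %d, IPv6 %d\n", matches_ip(ipv4_frame, sizeof ipv4_frame),
           matches_ip(arp_frame, sizeof arp_frame), matches_ip(ipv6_frame, sizeof ipv6_frame));
    return 0;
}
```

The IPv6 frame is rejected because "ip" matches only EtherType 0x0800; IPv6 has its own keyword, "ip6".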