Re: maybe a little error in web page

[Guy Harris <guy () alum mit edu>]

On May 12, 2010, at 11:37 PM, 刘延君 wrote:

> Hello:
> In this page，I found a example，mybe have problem.
> http://wiki.wireshark.org/CaptureFilters
>  
> (tcp[2:2] > 1500 and tcp[2:2] < 1550) or (tcp[4:2] > 1500 and tcp[4:2] < 1550)
> It should be
> (tcp[0:2] > 1500 and tcp[0:2] < 1550) or (tcp[2:2] > 1500 and tcp[2:2] < 1550)

Yes - as Jaap noted, it's now fixed.  Thanks.

Note also that right after that example is a somewhat easier filter to use for that:

        tcp portrange 1501-1549

which also has the advantage that, in versions of libpcap that support IPv6 (which newer ones do by default - and in 
some systems with older libpcaps the version that's shipped with the system might have IPv6 support built in), it 
checks for both TCP-over-IPv4 and TCP-over-IPv6 packets with port numbers in that range.

I.e., the only reason why anybody should use

        (tcp[0:2] > 1500 and tcp[0:2] < 1550) or (tcp[2:2] > 1500 and tcp[2:2] < 1550)

rather than

        tcp portrange 1501-1549

is that their system, or their Wireshark, is using libpcap 0.9.0 or earlier.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe