Wireshark mailing list archives

Re: a question on capture filter


From: Guy Harris <guy () alum mit edu>
Date: Mon, 24 Sep 2012 12:32:48 -0700


On Sep 24, 2012, at 9:33 AM, esolve esolve <esolvepolito () gmail com> wrote:

     I want to capture packets with capture filter like:

     host 138.56.169.25 and (not host 138.52.69.45) and (not ntp) and (not igmp)

     so the packets I want to capture are with 138.56.169.25 as src/dst, but without 138.52.69.45 as src/dst, and should not be ntp or igmp packets.

     But the capture results are not as expected

Yes, the capture results are, instead, an error message saying "unknown host 'ntp'".

libpcap/WinPcap's filter syntax doesn't support directly checking for arbitrary protocols, only for some protocols; you have to check for packets going to or from the UDP port for NTP to check for NTP packets.

Try

        host 138.56.169.25 and (not host 138.52.69.45) and (not udp port ntp) and (not igmp)
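
What the corrected filter tests at the header level, as an added Python example that is not part of the original post and is not the BPF program libpcap generates. It models the filter on bare IPv4 packets (no link layer, no fragments); the 192.0.2.x and 224.0.0.22 addresses and all function names are constructed for illustration.

```python
import socket
import struct

# Values the corrected filter tests. These are standard protocol numbers;
# "ntp" in "udp port ntp" is a service name that resolves to UDP port 123.
IPPROTO_IGMP, IPPROTO_UDP, NTP_PORT = 2, 17, 123
WANTED, EXCLUDED = "138.56.169.25", "138.52.69.45"


def ipv4_packet(src, dst, proto, sport=0, dport=0):
    """Build a constructed, minimal IPv4 packet (checksums left at zero)."""
    if proto == IPPROTO_UDP:
        payload = struct.pack("!HHHH", sport, dport, 8, 0)   # bare UDP header
    else:
        payload = b"\x00" * 8
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def matches(packet):
    """Evaluate the corrected filter's logic against one IPv4 packet."""
    ihl = (packet[0] & 0x0F) * 4                      # IPv4 header length in bytes
    proto = packet[9]
    hosts = {socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])}
    is_igmp = proto == IPPROTO_IGMP                   # "igmp": a protocol-number test
    is_ntp = False
    if proto == IPPROTO_UDP:                          # "udp port ntp": src OR dst port
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        is_ntp = NTP_PORT in (sport, dport)
    return WANTED in hosts and EXCLUDED not in hosts and not is_ntp and not is_igmp


def run_samples():
    samples = {  # constructed packets, not taken from a real capture
        "dns": ipv4_packet(WANTED, "192.0.2.10", IPPROTO_UDP, 40000, 53),
        "ntp_request": ipv4_packet(WANTED, "192.0.2.20", IPPROTO_UDP, 40001, 123),
        "ntp_reply": ipv4_packet("192.0.2.20", WANTED, IPPROTO_UDP, 123, 40001),
        "igmp": ipv4_packet(WANTED, "224.0.0.22", IPPROTO_IGMP),
        "excluded_peer": ipv4_packet(EXCLUDED, WANTED, IPPROTO_UDP, 40002, 53),
        "other_host": ipv4_packet("192.0.2.30", "192.0.2.40", IPPROTO_UDP, 40003, 53),
    }
    return {name: matches(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, kept in run_samples().items():
        print(f"{name:14} {'captured' if kept else 'dropped'}")
```

Because the NTP test is a port test, it also drops any non-NTP traffic that uses UDP port 123 and does not recognise NTP carried on another port.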
