Manuals / Lucent Technologies / Computer Equipment / Network Card

Lucent Technologies Ethereal manual Display Filter Logical Operations

Models: Ethereal

1 199

Download 199 pages 450 b

Page 121

Working with captured packets

Table 6.4. Display Filter Logical Operations

English	C-like	Description and example

and	&&	Logical AND
		Logical AND
		ip.addr==10.0.0.5 and tcp.flags.fin

or		Logical OR
		Logical OR
		ip.addr==10.0.0.5 or ip.addr==192.1.1.1

xor	^^	Logical XOR
		Logical XOR
		tr.dst[0:3] == 0.6.29 xor tr.src[0:3] == 0.6.29

not	!	Logical NOT
		Logical NOT
		not llc

[...]		Substring Operator
		Substring Operator
		Ethereal allows you to select subsequences of a sequence in rather elaborate ways.
		After a label you can place a pair of brackets [] containing a comma separated list of
		range specifiers.
		eth.src[0:3] == 00:00:83
		The example above uses the n:m format to specify a single range. In this case n is the
		beginning offset and m is the length of the range being specified.
		eth.src[1-2] == 00:83
		The example above uses the n-m format to specify a single range. In this case n is the
		beginning offset and m is the ending offset.
		eth.src[:4] == 00:00:83:00
		The example above uses the :m format, which takes everything from the beginning of
		a sequence to offset m. It is equivalent to 0:m
		eth.src[4:] == 20:20
		The example above uses the n: format, which takes everything from offset n to the end
		of the sequence.

107

Image 121

Lucent Technologies Ethereal manual Display Filter Logical Operations

Contents

V2.0.2 16376 for Ethereal Ethereal Users GuideEthereal Users Guide V2.0.2 16376 for Ethereal Page Table of Contents Page Page Page Foreword PrefaceWho should read this document? Acknowledgements About this document Where to get the latest copy of this document? Providing feedback about this document Preface Xiv Features What is Ethereal?Introduction Some intended purposesMany protocol decoders Export files for many other capture programsOpen Source Software What Ethereal is not Unix Platforms Ethereal runs onLinux Microsoft Windows Where to get Ethereal? Rose by any other name Brief history of Ethereal Development and maintenance of Ethereal FAQ Reporting problems and getting helpWebsite Wiki Mailing ListsReporting Crashes on UNIX/Linux platforms Reporting ProblemsReporting Crashes on Windows platforms Introduction Introduction Building and Installing EtherealDownload all required files Obtaining the source and binary distributionsExample 2.1. Building GTK+ from source Before you build Ethereal under UnixExample 2.2. Building and installing libpcap Example 2.5. Installing debs under Debian Unix Building Ethereal from source underPage Installing from rpms under RedHat and alike Installing the binaries under UnixInstalling from debs under Debian Troubleshooting during the install on Unix Building from source under Windows Install Ethereal Installing Ethereal under WindowsInstall WinPcap Update WinPcap Update EtherealUninstall Ethereal Uninstall WinPcap Building and Installing Ethereal User Interface Start Ethereal Main window Main windowUser Interface Current program state and the captured data Menu Menu Item Accelerator Description Open File menuOpen Recent MergeSave As Menu Item Accelerator Description SaveFile Set List FilesPdml file Menu Item Accelerator Description ExportExport Selec Ted Packet BytesEdit menu Marking packets for details User InterfaceView Menu View menu items View menuSeconds Since Beginning of Capture and Seconds Since Fields Time of Day, Date and Time of DayPrevious Packet are mutually exclusive BeginningZoom Out Menu Item Accelerator Description ZoomNormal Size Resize AllGo menu Menu Item Accelerator Description Last Packet Capture menu Saving filters Analyze Menu Analyze menu items Analyze menuTCP FollowStatistics menu items Statistics menuMessage 225Types VoIP Calls10. The Help Menu Help menu items Help menuPage 11. The Main toolbar Main toolbar items Main toolbarGo Forward Go BackFirst Packet Go To Last PackTion 9.3, Packet colorization 12. The Filter toolbar Filter toolbar13. The Packet List pane Packet List pane14. The Packet Details pane Packet Details pane15. The Packet Bytes pane Packet Bytes pane17. The initial Statusbar StatusbarUser Interface Capturing Live Network Data Prerequisites Capture Options dialog box Start CapturingPackets/s Capture Interfaces dialog boxPrepare Capture frame Capture Options dialog boxInterface Link-layer header type IP addressBuffer size n megabytes Capture packets in promiscuousStop Capture... frame Capture Files frameDisplay Options frame Name Resolution frameButtons Capture files and file modes Capture file mode selected by capture optionsMultiple files, ring buffer Multiple files, continuousLink-layer header type Example 4.2. Capturing all telnet traffic not from Filtering while capturingSrcdst host host Ether srcdst host ehostSrcdst net net mask Gateway host hostMasklen len Tcpudp srcdst port portStop the running capture While a Capture is runningRestart a running capture Using the toolbar itemCapturing Live Network Data File Input / Output and Printing Open Capture File dialog box Open capture filesInput File Formats Page Save Capture File As dialog box Saving captured packetsTip Output File Formats Merge with Capture File dialog box Merging capture filesPage List Files dialog box File SetsExport as Plain Text File dialog box Exporting dataExport as PostScript File dialog box Export as Psml File dialog box Export as CSV Comma Seperated Values File dialog boxExport as Psml File dialog box Export as Pdml File dialog boxExport Selected Packet Bytes dialog box Export selected packet bytes dialog boxPage Print dialog box Printing packetsPrinter Lpr -Pmypostscript 10. The Packet Range frame Packet Range frame11. The Packet Format frame Packet Format frameFile Input / Output and Printing Viewing packets you have captured Working with captured packetsFunction overview of the pop-up menus Decode As Lis Byt Menu Description TailNew Window Resolve name CopyFollow TCP Stream Mark Packet toggleProtocol Properties Filter Field ReferenceGo to Corresponding Packet Export Selected Packet Bytes Filtering on the TCP protocol Filtering packets while viewingPage Display filter fields Building display filter expressionsComparing values Display Filter comparison operatorsDisplay Filter Field Types Combining expressionsDisplay Filter Logical Operations Common mistake Filter Expression dialog box Filter Expression dialog boxValue CancelPredefined values RangeCapture Filters and Display Filters dialog boxes Defining and saving filtersDelete NewFilter Filter nameFind Packet dialog box Finding packetsDisplay filter Hex ValueFind Previous command Find Next commandDown Go to a specific packet Marking packets Packet time referencing Time display formats and time referencesPage Working with captured packets 119 Advanced Features Follow TCP stream dialog box Following TCP streamsPage Reassembling is disabled by default What is it?Packet Reassembling How Ethereal handles itEthernet name resolution MAC layer Name ResolutionIP name resolution network layer TCP/UDP port name resolution transport layer IPX name resolution network layerAdvanced Features 126 Statistics Summary window Summary windowPage Protocol Hierarchy window Protocol Hierarchy windowPage Endpoints What is an Endpoint?Endpoints window Protocol specific Endpoint List windows Conversations What is a Conversation?Conversations window Protocol specific Conversation List windowsGraphs IO Graphs windowAxis Page Service Response Time DCE-RPC window Service Response TimeFibre Channel 225 RAS DCE-RPC Statistic for ... window Protocol specific statistics windows Statistics 140 Customizing Ethereal Example 9.1. Help information available from Ethereal Start Ethereal from the command lineDuration ue Filesize ueFilesizeue DurationueCapture buffer size Win32 OnlyFont Preference/recent settingsName resolving flags Ethereal -o mgcp.displaydissecttreeTRUESavefile Time stamp formatCapture link type Statistics-stringColoring Rules dialog box Packet colorizationChoose color dialog box Using color filters with Ethereal Control Protocol dissection Enabled Protocols dialog boxPage Decode As dialog box User Specified DecodesDecode As Show dialog box Show User Specified DecodesPreferences dialog box PreferencesCustomizing Ethereal 154 Customizing Ethereal 155 Table A.1. Configuration files and folders overview Appendix A. Configuration and other Files and FoldersPreferences/ethereal.conf Windows foldersConfiguration files and folders overview. If an address is DisabledprotosWindows profiles Windows foldersPlugins folder Windows NT/2000/XP roaming profiles 98/ME with enabled user proWindows temporary folder 95/98/MEConfiguration and other Files Folders 161 Appendix B. Protocols and Protocol Fields Appendix C. Related command line tools Tcpdump Capturing with tcpdump for viewing with Ethereal Tethereal Terminal-based Ethereal Example C.1. Help information available from capinfos Capinfos Print information about capture filesExample C.2. Help information available from editcap Editcap Edit capture filesRelated command line tools Encap type Time adjustmentCapture type SnaplenExample C.3. Help information available from mergecap Mergecap Merging multiple capture files into one171 Example C.4. Simple example of using mergecap Example C.5. Help information available for text2pcap Text2pcap Converting Ascii hexdumps to network capturesHexoct FilenameSrcport destport L3pidHow to use idl2eth Why do this?Prerequisites to using idl2eth Idl2eth Creating dissectors from Corba IDL filesTodo Limitations Related command line tools 179 GNU General Public License Appendix D. This Documents License GPL181 182 183 184 185