Kebin wrote: >I am running into a confusing problem wit bit masking in ethereal >0.9.12 on freebsd 4.8. > >What I want to do is look at the bits 0 - 5 in the 1st octet of the UDP >payload and see if it is equal to 0x02. My display filter is: > > udp[8] & 0x1f = 2 > >When I apply this, I get an error box that reads: > The string "&" was unexpected in this context > >Does some one know what i am doing wrong? This filter works in tcpdump
It's not a valid display filter. The syntax for display filters is described here: http://www.ethereal.com/docs/user-guide/ch03dispfilt.html It seems that "udp[8] & 0x1f = 2" is a valid capture filter (the syntax should be the same as for tcpdump, since the capture filtering is done in libpcap/WinPcap and not in Ethereal). The diplay filter syntax is not the same as the capture filter syntax. http://www.ethereal.com/faq.html#q5.5 It doesn't seem that it is possible to do a "bit-wise and", so I guess you have to try a filter such as: udp[8]==02 || udp[8]== 22 || udp[8] == 42 || udp[8] == 62 || udp[8] == 82 || udp[8] == A2 || udp[8] == C2 || udp[8] == E2
