On Mon, Feb 16, 2004 at 09:04:22PM -0600, Phil Reinemann wrote:
> The documentation says to use periods for the delimiters.
> I found that on WIN32 (W98SE) that to get a capture filter to work for a
> MAC one must use the following:
> "ether host tt:uu:ww:xx:yy:zz" minus the quotation marks. In other words,
> use colons, even though Ethereal documentation shows MACs with periods.
To which Ethereal documentation *on capture filters* are you referring?
Note that the "ethereal-filter" man page describes display filters,
*not* capture filters - and that it says
Ethernet addresses, as well as a string of bytes, are
represented in hex digits. The hex digits may be
separated by colons, periods, or hyphens:
fddi.dst eq ff:ff:ff:ff:ff:ff
ipx.srcnode == 0.0.0.0.0.1
eth.src == aa-aa-aa-aa-aa-aa
(Ethereal display filters allow any of those; libpcap capture filters
require colons).
> "ether" and "host" also both seem to be necessary.
The tcpdump man page discusses that part:
ether host ehost
True if either the ethernet source or desti-
nation address is ehost.
_______________________________________________
Ethereal-users mailing list
[EMAIL PROTECTED]
http://www.ethereal.com/mailman/listinfo/ethereal-users
