On Thu, 2008-07-31 at 23:26 -0400, U. George wrote:
> >
> > The filter "port domain" on an Ethernet interface (on my box) generates
> > a BPF filter that looks for Ethertype 0x86dd for IPv6 OR 0x0800 for
> > IPv4. It doesn't look for PPPoE, VLANs, GRE or anything else, because
> > you didn't specify that in your filter.
> >
> Actually I didn't specify 0x86dd or 0x0800 either. I did specify device
> eth1 AND I did specify port domain. I don't care for ethertype filtering
> as it is not germane.
> If PPPoE has port settings, then PPPoE packets should be filtered also.
> If VLANS, or GRE, or anything else has port designations, then that
> should be included in the filtering.

I didn't say that you did; I told you what happens when you specify that
filter. That explains the behaviour that you saw, which is expected.

> From a user's point of view, if tcpdump can print the packet without
> any ethertype options, then one should also be able to compare/match
> pieces of the data stream without the use of or knowledge of ethertype
> specifics. The only item of significance ( for me ) is "port domain"
> from the specific interface. From my point of view, ethertype is wild,
> ip is wild, protocol is wild, and everything else is wild - with the
> exception of the port designation.
> It's just intuitive.

That may be true, but it isn't the way tcpdump works. Perhaps you should
try Wireshark, you may find its 'display filters' more user friendly.

http://www.wireshark.org

Stephen.

-- 
-----------------------------------------------------------------------
    Stephen Donnelly BCMS PhD           email: [EMAIL PROTECTED]
    Endace Technology Ltd               phone: +64 7 839 0540
    Hamilton, New Zealand               cell:  +64 21 1104378
-----------------------------------------------------------------------
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
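
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not tcpdump's code: a simplified Python model of the IPv4 half of the check that "port domain" compiles to on Ethernet, run over constructed frames. The function names, the `vlan` flag (modelling the 4-byte offset shift of pcap's `vlan` primitive) and the sample addresses are assumptions made for illustration.

```python
import struct

ETH_IPV4, ETH_VLAN = 0x0800, 0x8100
DNS_PORT = 53  # "domain" in the services database

def udp_ipv4(sport, dport):
    """Constructed IPv4+UDP packet (checksums zero; the filter never reads them)."""
    udp = struct.pack("!HHHH", sport, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 53]))
    return ip + udp

def ethernet(payload, vlan_id=None):
    """Constructed Ethernet frame, optionally carrying one 802.1Q tag."""
    hdr = bytes(12)  # destination and source MAC, zeroed
    if vlan_id is not None:
        hdr += struct.pack("!HH", ETH_VLAN, vlan_id)
    return hdr + struct.pack("!H", ETH_IPV4) + payload

def match_port(frame, port, vlan=False):
    """Model of the fixed-offset tests behind "port N" (IPv4 branch only)."""
    off = 12
    if vlan:  # "vlan and port N": require the tag, then shift offsets by 4
        if len(frame) < 14 or struct.unpack_from("!H", frame, 12)[0] != ETH_VLAN:
            return False
        off = 16
    if len(frame) < off + 2 + 20:
        return False
    if struct.unpack_from("!H", frame, off)[0] != ETH_IPV4:
        return False                      # Ethertype test fails before any port test
    ip = off + 2
    if frame[ip + 9] not in (6, 17, 132):  # TCP, UDP, SCTP
        return False
    if struct.unpack_from("!H", frame, ip + 6)[0] & 0x1FFF:
        return False                      # later fragments carry no port fields
    l4 = ip + (frame[ip] & 0x0F) * 4      # skip the variable-length IP header
    if len(frame) < l4 + 4:
        return False
    return port in struct.unpack_from("!HH", frame, l4)

plain = ethernet(udp_ipv4(40000, DNS_PORT))
tagged = ethernet(udp_ipv4(40000, DNS_PORT), vlan_id=100)

if __name__ == "__main__":
    print("plain,  port domain          ->", match_port(plain, DNS_PORT))
    print("tagged, port domain          ->", match_port(tagged, DNS_PORT))
    print("tagged, vlan and port domain ->", match_port(tagged, DNS_PORT, vlan=True))
```

The same DNS packet is missed once it sits behind an 802.1Q tag, which is why a capture on a trunk or tunnelled link needs the encapsulation named in the filter expression.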