On Thu, Feb 27, 2003 at 10:33:50AM -0800, Jeff Wong wrote:
> When I tried specifing the filter char *filter = "proto ip" and I
> tried to compile the filter it gave me an error.
"proto", by itself, isn't valid. To check for a network-layer protocol,
you'd have to say something such as "ether proto" or "fddi proto" or
"link proto" (they're all equivalent - libpcap already knows the
link-layer type, you don't have to tell it), so "ether proto \ip", etc.
would work. That's because you can also do "ip proto", to look for a
particular transport-layer protocol.
"ip" is a keyword, which is why you need the escape, so
char *filter = "ether proto \\ip";
would be needed.
However, "ip", by itself, is an abbreviation for "ether proto \ip", so
you could just do
char *filter = "ip";
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]
