On Sat, Jan 13, 2001 at 11:35:57AM +0200, Pekka Savola wrote:
> STP printing is a very nice feature.  But unless you're investigating
> problems with STP, they can be a pain in a switched environment; they
> appear like once a second or so and I haven't figured a way to turn them
> off.

STP packets are LLC packets with a DSAP of 0x42.

On Ethernet, LLC packets are 802.3 rather than D/I/X packets, so you'd
want to check for a length/type field value <= 1500:

        ether[12:2] <= 1500

and, if you're unlucky enough to have 802.3 NetWare on your network
(i.e., NetWare packets with a length field rather than a type field, and
no LLC header), you'd also have to eliminate 802.3 packets whose first 2
bytes are 0xFF:

        ether[14:2] == 0xffff

and then to check for a DSAP of 0x42 it's

        ether[14] == 0x42

so try

        ether[12:2] > 1500 or ether[14:2] == 0xffff or ether[14] != 0x42

I.e.:

        (D/I/X Ethernet) or (802.3 NetWare) or (not STP)

On FDDI and Token Ring, all packets (other than various control packets
specific to the medium, but, currently, libpcap doesn't put into BPF
programs code to accept only LLC frames, so I'll leave that out for now)
are LLC, so it'd be just

        fddi[13] != 0x42

(13-byte MAC header) or, for non-source-routed packets,

        tr[14] != 0x42

(14-byte MAC header, if no source route).

Not as convenient as "not stp", but at least there's a workaround.
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe
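
The Ethernet filter from the message above, evaluated in Python over constructed frames; this is an added example, not part of the original post or of tcpdump/libpcap. The function names, the sample frames and the handling of truncated frames are assumptions made for illustration.

```python
import struct

MAX_8023_LENGTH = 1500  # ether[12:2] above this is a D/I/X type field
STP_DSAP = 0x42         # LLC DSAP carried by STP packets

def keep_frame(frame: bytes) -> bool:
    """Evaluate: ether[12:2] > 1500 or ether[14:2] == 0xffff or ether[14] != 0x42"""
    if len(frame) < 14:
        return False  # simplification: truncated frames are dropped
    (len_or_type,) = struct.unpack_from("!H", frame, 12)
    if len_or_type > MAX_8023_LENGTH:
        return True   # D/I/X Ethernet
    if len(frame) < 16:
        return False  # simplification, as above
    (first_two,) = struct.unpack_from("!H", frame, 14)
    if first_two == 0xFFFF:
        return True   # 802.3 NetWare: length field, no LLC header
    return frame[14] != STP_DSAP  # LLC: kept unless the DSAP is 0x42

def build_frame(dst: str, len_or_type: int, payload: bytes) -> bytes:
    """Build a constructed test frame with a fixed, made-up source address."""
    src = bytes.fromhex("020000000001")
    return bytes.fromhex(dst) + src + struct.pack("!H", len_or_type) + payload

# Constructed sample frames (not captured traffic).
SAMPLES = {
    "stp": build_frame("0180c2000000", 38, bytes.fromhex("424203") + bytes(35)),
    "dix_ipv4": build_frame("ffffffffffff", 0x0800, bytes.fromhex("4500") + bytes(44)),
    # D/I/X frame whose first payload byte happens to be 0x42: the
    # length/type test is what keeps it from being mistaken for STP.
    "dix_0x42_payload": build_frame("ffffffffffff", 0x88B5, b"\x42" + bytes(45)),
    "raw_8023_netware": build_frame("ffffffffffff", 34, b"\xff\xff" + bytes(32)),
    "llc_snap": build_frame("ffffffffffff", 46, bytes.fromhex("aaaa03") + bytes(43)),
}

def run_samples() -> dict:
    """Return {sample name: True if the filter keeps the frame}."""
    return {name: keep_frame(data) for name, data in SAMPLES.items()}

if __name__ == "__main__":
    for name, kept in run_samples().items():
        print(f"{name:18} {'keep' if kept else 'drop'}")
```
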
