On May 12, 2010, at 11:37 PM, 刘延君 wrote:

> Hello:
> In this page, I found an example, maybe it has a problem.
> http://wiki.wireshark.org/CaptureFilters
>  
> (tcp[2:2] > 1500 and tcp[2:2] < 1550) or (tcp[4:2] > 1500 and tcp[4:2] < 1550)
> It should be
> (tcp[0:2] > 1500 and tcp[0:2] < 1550) or (tcp[2:2] > 1500 and tcp[2:2] < 1550)

Yes - as Jaap noted, it's now fixed.  Thanks.

Note also that right after that example is a somewhat easier filter to use for 
that:

        tcp portrange 1501-1549

which also has the advantage that, in versions of libpcap that support IPv6 
(which newer ones do by default - and in some systems with older libpcaps the 
version that's shipped with the system might have IPv6 support built in), it 
checks for both TCP-over-IPv4 and TCP-over-IPv6 packets with port numbers in 
that range.

I.e., the only reason why anybody should use

        (tcp[0:2] > 1500 and tcp[0:2] < 1550) or (tcp[2:2] > 1500 and tcp[2:2] < 1550)

rather than

        tcp portrange 1501-1549

is that their system, or their Wireshark, is using libpcap 0.9.0 or earlier.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <[email protected]>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:[email protected]?subject=unsubscribe
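
An added example, not part of the original message or of Wireshark/libpcap: a small Python model of the filters discussed in this thread, evaluated over constructed packets. The helper names are hypothetical. It assumes the behaviour documented in pcap-filter that `tcp[...]` index expressions apply only to IPv4, and it ignores link-layer headers and IPv6 extension headers.

```python
import struct

def tcp_header(sport, dport, seq=0):
    # Constructed 20-byte TCP header: ports, seq, ack, offset/flags, window, checksum, urgent
    return struct.pack("!HHIIHHHH", sport, dport, seq, 0, 5 << 12, 8192, 0, 0)

def ipv4(tcp):
    # Constructed IPv4 header: no options, not fragmented, protocol 6 (TCP)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + tcp

def ipv6(tcp):
    # Constructed IPv6 header: next header 6 (TCP), no extension headers
    return struct.pack("!IHBB16s16s", 6 << 28, len(tcp), 6, 64,
                       bytes(15) + b"\x01", bytes(15) + b"\x02") + tcp

def find_tcp(pkt, ipv4_only):
    """Return the TCP header bytes, or None if the filter would not see TCP here."""
    version = pkt[0] >> 4
    if version == 4 and pkt[9] == 6:
        if struct.unpack("!H", pkt[6:8])[0] & 0x1FFF:
            return None                      # later fragment: no TCP header present
        return pkt[(pkt[0] & 0x0F) * 4:]     # skip IHL * 4 bytes of IPv4 header
    if version == 6 and not ipv4_only and pkt[6] == 6:
        return pkt[40:]
    return None

def field(tcp, off):
    # tcp[off:2] in filter syntax: 2 bytes at offset off, network byte order
    return struct.unpack("!H", tcp[off:off + 2])[0]

def offset_filter(pkt, a, b):
    # (tcp[a:2] > 1500 and tcp[a:2] < 1550) or (tcp[b:2] > 1500 and tcp[b:2] < 1550)
    # a, b = 0, 2 is the corrected filter; a, b = 2, 4 is the one reported as wrong.
    tcp = find_tcp(pkt, ipv4_only=True)
    return tcp is not None and any(1500 < field(tcp, o) < 1550 for o in (a, b))

def portrange_filter(pkt, lo=1501, hi=1549):
    # tcp portrange 1501-1549: source or destination port, IPv4 or IPv6
    tcp = find_tcp(pkt, ipv4_only=False)
    return tcp is not None and any(lo <= field(tcp, o) <= hi for o in (0, 2))

if __name__ == "__main__":
    samples = {"v4 sport 1520": ipv4(tcp_header(1520, 80)),
               "v4 seq hits range": ipv4(tcp_header(40000, 80, seq=1501 << 16)),
               "v6 sport 1520": ipv6(tcp_header(1520, 80))}
    for name, pkt in samples.items():
        print(name, offset_filter(pkt, 2, 4), offset_filter(pkt, 0, 2),
              portrange_filter(pkt))
```

Offsets 2 and 4 read the destination port and the upper half of the sequence number, so that form misses a matching source port and can match on sequence-number bytes instead.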
