Prigge Scott wrote:

> Using version 0.99.2, and am struggling to create a simple display
> filter using byte offset notation. I want to simply capture traffic
> where the first two bytes of the source address are 68.154.

Then you should be using a capture filter, not a display filter.

> Shouldn't
> this filter be as simple as ip[12:2]==68 154?

No, the capture filter should be as simple as "ip src net 68.154.0.0/16".

If you want to filter traffic you've *already captured*, *that* would be a display filter, and that would be, as Stephen Fisher noted, "ip.src == 68.154.0.0/16".

> I've tried lots of
> different permutations, but can't get any to work. I have created the
> same offset filter in another product, Network Instruments Observer, and
> I get the results I would expect.

You shouldn't expect the same filter, with the same syntax, to necessarily work in different products.

In libpcap filters (which is what Wireshark capture filters are), you compare against a *single number*, so you'd do "ip[12:2] == 68*256+154".

Display filter byte offset notation is different - you'd compare against a byte string, e.g. 68:154.
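The libpcap "single number" comparison from the reply above, as an added example that is not part of the original message: it builds the byte-offset expression for an IPv4 source prefix and evaluates the same comparison against constructed headers. It goes beyond the /16 case by masking all four address bytes for other prefix lengths; the function names and sample addresses are assumptions made for illustration.

```python
import ipaddress
import struct

SRC_OFFSET = 12  # the IPv4 source address occupies header bytes 12..15


def offset_filter(cidr):
    """Return a libpcap byte-offset expression matching IPv4 sources in cidr."""
    net = ipaddress.ip_network(cidr)
    value, mask = int(net.network_address), int(net.netmask)
    if net.prefixlen == 16:
        # Two whole bytes: libpcap compares them as one big-endian number.
        return f"ip[{SRC_OFFSET}:2] == {value >> 16}"
    # General case: load all four bytes and mask off the host bits.
    return f"ip[{SRC_OFFSET}:4] & 0x{mask:08x} == 0x{value:08x}"


def load(header, offset, size):
    """Mimic ip[offset:size]: size bytes read as a big-endian integer."""
    return int.from_bytes(header[offset:offset + size], "big")


def matches(header, cidr):
    """Evaluate the expression from offset_filter() against a raw IP header."""
    net = ipaddress.ip_network(cidr)
    if net.prefixlen == 16:
        return load(header, SRC_OFFSET, 2) == (int(net.network_address) >> 16)
    return (load(header, SRC_OFFSET, 4) & int(net.netmask)) == int(net.network_address)


def ipv4_header(src, dst):
    """Constructed 20-byte IPv4 header for testing (checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed)


if __name__ == "__main__":
    for cidr in ("68.154.0.0/16", "68.154.128.0/17"):
        print(cidr, "->", offset_filter(cidr))
    for src in ("68.154.3.7", "68.155.0.1"):  # constructed sample sources
        print(src, matches(ipv4_header(src, "192.0.2.1"), "68.154.0.0/16"))
```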
