On Sun, Jul 13, 2003 at 03:18:44AM +0100, Daniel Frimerman wrote:
> I am compiling a filter:
>
> ether proto ip
> ether dst 00-E0-06-09-55-66
>
> The above didn't compile.
Does "the above" mean the entire expression
ether proto ip
ether dst 00-E0-06-09-55-66
with white space between the two lines? If so, then the problems are
1) you need an operator between the two expressions;
2) you need to put a backslash in front of "ip", as "ip" is both
a keyword and a network-layer protocol name (perhaps the
parser could be changed to deal with that, but nobody's
changed it to do so - or perhaps that would introduce an
unresolvable ambiguity);
3) MAC addresses can only have colons as separators, so you need
to say "00:E0:06:09:55:66" (it might be that the lexical
analyzer could be changed to accept either of those, but
nobody's changed it to do so).
> Also I noticed, I can't use "and" instead of "&" as said in the manual.
It worked fine for me with libpcap 0.4 on FreeBSD 3.4:
% tcpdump 'ether proto \ip and ether dst 00:e0:06:09:55:66'
tcpdump: listening on fxp0
Either
1) something changed between 0.4 and the version of libpcap on
which the version of WinPcap you're using is based that
caused it no longer to work (unlikely);
or
2) there's some problem with whatever software is reading the
filter (e.g., Windows command line, for WinDump).
==================================================================
This is the WinPcap users list. It is archived at
http://www.mail-archive.com/[EMAIL PROTECTED]/
To unsubscribe use
mailto: [EMAIL PROTECTED]
==================================================================
