On Wed, Jul 07, 2004 at 12:32:58AM -0700, devesh pujari wrote:
> I started using wpcap library yesterday using .net
> framework. I could compile test programs and capture
> the packets also. I need to set the filter on Type
> field for ethernet frame. How to do this ?
% man tcpdump
...
ether proto protocol
True if the packet is of ether type proto-
col. Protocol can be a number or a name
like ip, arp, or rarp. Note these identi-
fiers are also keywords and must be escaped
via backslash (\).
> I know i need to use pcap_compile() method and third
> parameter is char *. As i read in filtering
> expression syntax i see 'proto [ expr : size ]'.
> How do i use this something like like
> 'ether[21:2]==0xbbbb'. Is this correct ?
No, because the Ethernet header is only 14 bytes long, so "ether[21:2]"
isn't part of the Ethernet header.
You'd want
ether proto 0xbbbb
to have a filter for frames with an Ethernet type of 0xbbbb.
==================================================================
This is the WinPcap users list. It is archived at
http://www.mail-archive.com/[EMAIL PROTECTED]/
To unsubscribe use
mailto: [EMAIL PROTECTED]
==================================================================
