LinuxQuestions.org
Old 10-25-2006, 04:51 PM   #1
MS3FGX
Guru
 
Registered: Jan 2004
Location: NJ, USA
Distribution: Slackware, Debian
Posts: 5,852

Rep: Reputation: 351
Problem with Ethereal capture filter rule


What I am looking to do is ignore all ARP traffic from a host, but still capture the normal TCP/IP traffic. I do however want to capture ARP traffic from other hosts on the LAN.

I have looked at rules like this:

host 192.168.1.101 and not arp

Which gives me all of the non-ARP traffic from that host, but also filters out traffic from the rest of the LAN.

Simply doing:

not arp

Gives me traffic from the entire LAN, but not ARP from the other hosts.

Anyone know how to create a rule to do what I need, and if it is even possible with the filter syntax?
 
Old 10-25-2006, 05:55 PM   #2
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,123

Rep: Reputation: 151
Does the following give you what you need?
Code:
not (host 192.168.1.101 and arp)
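
The difference between the filters discussed in this thread, as an added example that is not part of the original posts: a small Python evaluator for a subset of the capture filter syntax (`host`, `arp`, `not`, `and`, `or`, parentheses), run over constructed frames. The frame records and function names are assumptions made for illustration; `host` is modeled as matching either the source or the destination address.

```python
import re

# Constructed frames; "addrs" = source and destination, as host matches either.
FRAMES = [
    {"name": "ARP .101", "proto": "arp", "addrs": {"192.168.1.101", "192.168.1.1"}},
    {"name": "TCP .101", "proto": "ip", "addrs": {"192.168.1.101", "192.168.1.50"}},
    {"name": "ARP .102", "proto": "arp", "addrs": {"192.168.1.102", "192.168.1.1"}},
    {"name": "TCP .102", "proto": "ip", "addrs": {"192.168.1.102", "192.168.1.50"}},
]

def parse_expr(toks):
    # 'not' binds tightest (parse_term); 'and'/'or' share one precedence, left to right.
    node = parse_term(toks)
    while toks and toks[0] in ("and", "or"):
        op = toks.pop(0)
        node = (op, node, parse_term(toks))
    return node

def parse_term(toks):
    tok = toks.pop(0) if toks else None
    if tok == "not":
        return ("not", parse_term(toks))
    if tok == "(":
        node = parse_expr(toks)
        if not toks or toks.pop(0) != ")":
            raise ValueError("missing ')'")
        return node
    if tok == "host" and toks:
        return ("host", toks.pop(0))
    if tok == "arp":
        return ("arp",)
    raise ValueError(f"unsupported or missing token: {tok!r}")

def matches(node, frame):
    kind = node[0]
    if kind == "not":
        return not matches(node[1], frame)
    if kind in ("and", "or"):
        left, right = matches(node[1], frame), matches(node[2], frame)
        return (left and right) if kind == "and" else (left or right)
    if kind == "host":
        return node[1] in frame["addrs"]
    return frame["proto"] == "arp"  # the only remaining node kind is "arp"

def captured(expr, frames=FRAMES):
    toks = re.findall(r"\(|\)|[^\s()]+", expr)
    ast = parse_expr(toks)
    if toks:
        raise ValueError(f"trailing tokens: {toks}")
    return [f["name"] for f in frames if matches(ast, f)]
```

Calling `captured()` with each of the three filters from the thread shows that only the parenthesized form drops ARP for 192.168.1.101 while keeping ARP from the other host; `not host 192.168.1.101 or not arp` is the equivalent form without parentheses.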
 
Old 10-25-2006, 08:00 PM   #3
MS3FGX
Guru
 
Registered: Jan 2004
Location: NJ, USA
Distribution: Slackware, Debian
Posts: 5,852

Original Poster
Rep: Reputation: 351
Yes, that appears to do it. I don't know how I missed that you could do rules that way. I guess the guides I was looking at were a bit too basic.

On a related note, can you specify "not host 127.0.0.1" to ignore traffic from the machine doing the capture, or would that not work because it matches packets based on the source IP? Though I guess you could just exclude traffic from localhost via MAC.
 
Old 10-25-2006, 11:18 PM   #4
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,123

Rep: Reputation: 151
You should be able to stop the 127.0.0.1 traffic by limiting which network interfaces you capture on. The capture dialog has a drop-down box that lets you select which interface to use - does yours currently show as the pseudo-device that captures on any interface?
 
  

