LinuxQuestions.org


MS3FGX 10-25-2006 04:51 PM

Problem with Ethereal capture filter rule
 
What I am looking to do is ignore all ARP traffic from a host, but still capture the normal TCP/IP traffic. I do however want to capture ARP traffic from other hosts on the LAN.

I have looked at rules like this:

host 192.168.1.101 and not arp

Which gives me all of the non-ARP traffic from that host, but also filters out traffic from the rest of the LAN.

Simply doing:

not arp

Gives me traffic from the entire LAN, but not ARP from the other hosts.

Anyone know how to create a rule to do what I need, and if it is even possible with the filter syntax?

gilead 10-25-2006 05:55 PM

Does the following give you what you need?
Code:

not (host 192.168.1.101 and arp)
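
Added example (not part of the original thread): a simplified Python model of how the three filters discussed above select packets, run over constructed sample traffic. It goes slightly beyond the thread by also modelling a `src host` variant, since pcap's `host` matches source or destination and, for ARP frames, is compared against the ARP sender/target addresses. The `Packet` fields, helper names and sample packets are assumptions made for illustration; this is not libpcap.

```python
# Simplified model of pcap-filter semantics (an illustration, not libpcap).
# For ARP frames, src/dst stand for the ARP sender/target protocol addresses;
# for TCP they stand for the IP source/destination addresses.
from collections import namedtuple

Packet = namedtuple("Packet", "proto src dst note")
TARGET = "192.168.1.101"

def host(p, ip):        # pcap "host ip": source OR destination matches
    return ip in (p.src, p.dst)

def src_host(p, ip):    # pcap "src host ip": source only
    return p.src == ip

def arp(p):             # pcap "arp": frame carries ARP
    return p.proto == "arp"

FILTERS = {
    "host 192.168.1.101 and not arp":
        lambda p: host(p, TARGET) and not arp(p),
    "not arp":
        lambda p: not arp(p),
    "not (host 192.168.1.101 and arp)":
        lambda p: not (host(p, TARGET) and arp(p)),
    "not (src host 192.168.1.101 and arp)":   # variant added for comparison
        lambda p: not (src_host(p, TARGET) and arp(p)),
}

# Constructed sample traffic (not taken from a real capture)
PACKETS = [
    Packet("tcp", "192.168.1.101", "192.168.1.1", "TCP from .101"),
    Packet("arp", "192.168.1.101", "192.168.1.1", "ARP from .101"),
    Packet("tcp", "192.168.1.50", "192.168.1.1", "TCP from .50"),
    Packet("arp", "192.168.1.50", "192.168.1.1", "ARP from .50"),
    Packet("arp", "192.168.1.50", "192.168.1.101", "ARP from .50 asking for .101"),
]

def captured(filter_text):
    """Return the notes of the sample packets the given filter would keep."""
    keep = FILTERS[filter_text]
    return [p.note for p in PACKETS if keep(p)]

if __name__ == "__main__":
    for text in FILTERS:
        print(text)
        for note in captured(text):
            print("    keeps:", note)
```

The last sample packet is the one that separates the `host` and `src host` forms: an ARP request from another machine asking for 192.168.1.101 is dropped by the `host` form and kept by the `src host` form.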

MS3FGX 10-25-2006 08:00 PM

Yes, that appears to do it. I don't know how I missed that you could do rules that way. I guess the guides I was looking at were a bit too basic.

On a related note, can you specify "not host 127.0.0.1" to ignore traffic from the machine doing the capture, or would that not work because it matches packets based on the source IP? Though I guess you could just exclude traffic from localhost via MAC.

gilead 10-25-2006 11:18 PM

You should be able to stop the 127.0.0.1 traffic by limiting which network interfaces you capture on. The capture dialog has a drop-down box that lets you select which interface to use - does yours currently show as the pseudo-device that captures on any interface?


All times are GMT -5.