-------------------
The Ethereal project is being continued at a new site. Please go to
http://www.wireshark.org and subscribe to wireshark-users@wireshark.org.
Don't forget to unsubscribe from this list at
http://www.ethereal.com/mailman/listinfo/ethereal-users
-------------------
james hanley wrote:
> 1)
> how do I say OR?
> AND is &&
>
> for example, I want to say
> tcp.dstport != 3389 "OR" tcp.srcport != 3389
The same way you do in Wireshark, as per the above, so I'm redirecting
this to the wireshark-users list.
In Wireshark, just as AND is &&, OR is...
...||.
> 2)
> how do I see only the initial connections? and just incoming or just
> outgoing?
>
> is there an easier way than this? (I'm not even sure if this is right)
>
> my ip is 192.168.0.2
>
> for incoming-
> tcp.flags.syn == 1 && tcp.flags.ack==0 && ip.src != 192.168.0.2
That's the correct filter to see attempts by other machines to connect
to your machine - it matches packets that have SYN set and ACK not set
(so it's the initial SYN) that are not coming from your machine.
> for outgoing-
> tcp.flags.syn == 1 && tcp.flags.ack==0 && ip.src == 192.168.0.2
Ditto.
No, there's no simpler expression (unless somebody's added a new field
to the TCP dissector while I wasn't watching).
_______________________________________________
Ethereal-users mailing list
Ethereal-users@ethereal.com
http://www.ethereal.com/mailman/listinfo/ethereal-users
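Added illustration, not part of the thread and not Wireshark's own code: a small Python evaluator for the display-filter subset discussed above (&&, ||, ==, !=, parentheses), run over constructed packets (192.168.0.2 is "my ip" from the question; the peers 10.0.0.5 and 10.0.0.9 and the ports are made up). It shows which packets the two SYN-only filters select, that && binds tighter than ||, and that the `!=` ... `||` ... `!=` form from question 1 selects every packet whose two ports are not both 3389.

```python
import re

# Constructed packets with Wireshark field names (not a real capture): 192.168.0.2 is
# "my ip" from the question; the peers 10.0.0.5 and 10.0.0.9 are made up.
def pkt(src, dst, sport, dport, syn, ack):
    return {"ip.src": src, "ip.dst": dst, "tcp.srcport": sport, "tcp.dstport": dport,
            "tcp.flags.syn": syn, "tcp.flags.ack": ack}

PACKETS = [
    pkt("10.0.0.5", "192.168.0.2", 51000, 3389, 1, 0),  # 0: inbound SYN to port 3389
    pkt("192.168.0.2", "10.0.0.5", 3389, 51000, 1, 1),  # 1: our SYN/ACK reply
    pkt("192.168.0.2", "10.0.0.9", 40000, 443, 1, 0),   # 2: outbound SYN
    pkt("10.0.0.9", "192.168.0.2", 443, 40000, 0, 1),   # 3: mid-stream ACK
]
# Tokens: parentheses, && / ||, == / !=, and field-or-value words.
TOKEN = re.compile(r"\s*(\(|\)|&&|\|\||==|!=|[\w.]+)")
def tokenize(expr):
    expr, pos, out = expr.strip(), 0, []
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"unexpected input at {expr[pos:]!r}")
        out.append(m.group(1))
        pos = m.end()
    return out
def evaluate(expr, fields):
    # Recursive descent over the token list: && binds tighter than ||, parens override.
    toks = tokenize(expr)
    def comparison():
        if toks[0] == "(":
            toks.pop(0); v = or_expr(); toks.pop(0)      # "(" expr ")"
            return v
        field, op, value = toks.pop(0), toks.pop(0), toks.pop(0)
        actual = fields[field]
        value = int(value) if isinstance(actual, int) else value
        # Every field occurs once per packet here, so != is plain inequality.
        return actual == value if op == "==" else actual != value
    def and_expr():
        v = comparison()
        while toks and toks[0] == "&&":
            toks.pop(0); v = comparison() and v          # consume both operands
        return v
    def or_expr():
        v = and_expr()
        while toks and toks[0] == "||":
            toks.pop(0); v = and_expr() or v
        return v
    return or_expr()
def matching(expr, packets=PACKETS):
    return [n for n, p in enumerate(packets) if evaluate(expr, p)]
```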