This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I have found a capture filter for CDP and was hoping this would work for FDP too. Can you help me find one that will work for FDP, please? The CDP one which works is:

ether[12:2] <= 1500 && ether[14:2] == 0xAAAA && ether[16:1] == 0x03 && ether[17:2] == 0x0000 && ether[19:1] == 0x0C && ether[20:2] == 0x2000

thanks

Chris Chambers BBC London

asked 26 Nov '13, 09:56


Chris C

If you can provide a capture file (with some frames, not just one), someone here might be able to help.

(26 Nov '13, 10:32) Kurt Knochner ♦

That filter is checking for SNAP frames with an OUI of 00:00:0C and a PID of 0x2000.

For FDP, the OUI is 00:E0:52, which is an OUI for Foundry, and the PID is again 0x2000.

Therefore, the filter would be

ether[12:2] <= 1500 && ether[14:2] == 0xAAAA && ether[16:1] == 0x03 && ether[17:2] == 0x00E0 && ether[19:1] == 0x52 && ether[20:2] == 0x2000

(I really need to add a "snap" filter primitive to libpcap, so you can do something such as "snap 00:e0:52-2000" or something such as that, or maybe "snapoui 00:e0:52 snappid 0x2000", in a capture filter.)


answered 26 Nov '13, 14:29


Guy Harris ♦♦

(BTW, some slightly more efficient filters would be

ether[12:2] <= 1500 && ether[14:4] == 0xAAAA0300 && ether[18:4] == 0x000C2000

for CDP and

ether[12:2] <= 1500 && ether[14:4] == 0xAAAA0300 && ether[18:4] == 0xE0522000

for FDP - fewer BPF instructions interpreted per packet, but that might not make a huge difference in capture performance.)

(26 Nov '13, 14:31) Guy Harris ♦♦

Thank you Guy, all working perfectly, much appreciated

(03 Dec '13, 05:38) Chris C

Hint: If a supplied answer resolves your question can you please "accept" it by clicking the checkmark icon next to it. This highlights good answers for the benefit of subsequent users with the same or similar questions.

(03 Dec '13, 05:48) Kurt Knochner ♦
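
The pattern in the answer and its follow-up comment generalises to any SNAP OUI/PID pair. As an added example (not code from the posters or from libpcap), this Python sketch builds the compact two-word filter string and applies the same byte comparisons to constructed frames; the function names, MAC addresses and payloads are assumptions made for illustration.

```python
import struct

LLC_SNAP = b"\xaa\xaa\x03"  # DSAP 0xAA, SSAP 0xAA, control 0x03

def oui_bytes(oui: str) -> bytes:
    raw = bytes.fromhex(oui.replace(":", "").replace("-", ""))
    if len(raw) != 3:
        raise ValueError("OUI must be exactly 3 bytes")
    return raw

def snap_filter(oui: str, pid: int) -> str:
    """Compact capture filter (two 4-byte compares) for a SNAP OUI/PID pair."""
    o = oui_bytes(oui)
    if not 0 <= pid <= 0xFFFF:
        raise ValueError("PID must fit in 16 bits")
    word1 = int.from_bytes(LLC_SNAP + o[:1], "big")                # ether[14:4]
    word2 = int.from_bytes(o[1:] + struct.pack("!H", pid), "big")  # ether[18:4]
    return (f"ether[12:2] <= 1500 && ether[14:4] == 0x{word1:08X}"
            f" && ether[18:4] == 0x{word2:08X}")

def matches_snap(frame: bytes, oui: str, pid: int) -> bool:
    """Apply the same byte comparisons to a raw Ethernet frame."""
    if len(frame) < 22:  # a BPF load past the end of the packet rejects it
        return False
    (length,) = struct.unpack_from("!H", frame, 12)
    return (length <= 1500 and frame[14:17] == LLC_SNAP
            and frame[17:20] == oui_bytes(oui)
            and frame[20:22] == struct.pack("!H", pid))

def build_snap_frame(oui: str, pid: int, payload: bytes = b"\x00" * 8) -> bytes:
    """Constructed 802.3 + LLC/SNAP frame; addresses and payload are made up."""
    dst, src = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    body = LLC_SNAP + oui_bytes(oui) + struct.pack("!H", pid) + payload
    return dst + src + struct.pack("!H", len(body)) + body

# Constructed sample frames (not taken from a real capture)
FDP_FRAME = build_snap_frame("00:e0:52", 0x2000)
CDP_FRAME = build_snap_frame("00:00:0c", 0x2000)
IPV4_FRAME = bytes.fromhex("020000000001020000000002") + b"\x08\x00" + b"\x00" * 20

if __name__ == "__main__":
    for name, frame in (("FDP", FDP_FRAME), ("CDP", CDP_FRAME), ("IPv4", IPV4_FRAME)):
        print(name, "matches FDP filter:", matches_snap(frame, "00:e0:52", 0x2000))
    print(snap_filter("00:e0:52", 0x2000))
```

The Ethernet II frame is rejected by the first term alone, because its type field 0x0800 is greater than 1500.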
question asked: 26 Nov '13, 09:56

question was seen: 2,034 times

last updated: 03 Dec '13, 05:48
