I have found a capture filter for CDP and was hoping this would work for FDP too. Can you help me find one that will work for FDP please.

The CDP one which works is:

ether[12:2] <= 1500 && ether[14:2] == 0xAAAA && ether[16:1] == 0x03 && ether[17:2] == 0x0000 && ether[19:1] == 0x0C && ether[20:2] == 0x2000

thanks

Chris Chambers
BBC London

asked 26 Nov '13, 09:56 Chris C
One Answer:
That filter is checking for SNAP frames with an OUI of 00:00:0C and a PID of 0x2000. For FDP, the OUI is 00:E0:52, which is an OUI for Foundry, and the PID is again 0x2000. Therefore, the filter would be
(I really need to add a "snap" filter primitive to libpcap, so you can do something such as "snap 00:e0:52-2000" or something such as that, or maybe "snapoui 00:e0:52 snappid 0x2000", in a capture filter.)

answered 26 Nov '13, 14:29 Guy Harris ♦♦

(BTW, some slightly more efficient filters would be
for CDP and
for FDP - fewer BPF instructions interpreted per packet, but that might not make a huge difference in capture performance.) (26 Nov '13, 14:31) Guy Harris ♦♦

Thank you Guy, all working perfectly, much appreciated (03 Dec '13, 05:38) Chris C

Hint: If a supplied answer resolves your question can you please "accept" it by clicking the checkmark icon next to it. This highlights good answers for the benefit of subsequent users with the same or similar questions. (03 Dec '13, 05:48) Kurt Knochner ♦
If you can provide a capture file (with some frames, not just one), someone here might be able to help.
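The reasoning in the answer above (same SNAP layout as the CDP filter, with OUI 00:E0:52 in place of 00:00:0C and PID 0x2000) can be written as a small filter builder plus a byte-level check of the same offsets. This is an added example, not code from the original thread; the function names and the sample frame bytes are constructed for illustration.

```python
import struct

def _oui(oui: str) -> bytes:
    """Parse 'aa:bb:cc' or 'aa-bb-cc' into 3 raw bytes."""
    raw = bytes.fromhex(oui.replace(":", "").replace("-", ""))
    if len(raw) != 3:
        raise ValueError("OUI must be exactly 3 bytes")
    return raw

def snap_filter(oui: str, pid: int) -> str:
    """Capture filter for 802.3 + LLC/SNAP frames with this OUI and PID,
    using the same byte offsets as the CDP filter quoted in the question."""
    o = _oui(oui)
    if not 0 <= pid <= 0xFFFF:
        raise ValueError("PID must fit in 16 bits")
    return (
        "ether[12:2] <= 1500 && ether[14:2] == 0xAAAA && ether[16:1] == 0x03"
        f" && ether[17:2] == 0x{o[0]:02X}{o[1]:02X}"
        f" && ether[19:1] == 0x{o[2]:02X} && ether[20:2] == 0x{pid:04X}"
    )

def matches_snap(frame: bytes, oui: str, pid: int) -> bool:
    """Apply the same comparisons to raw frame bytes (no libpcap needed)."""
    if len(frame) < 22:                      # BPF rejects out-of-range loads
        return False
    (length,) = struct.unpack_from("!H", frame, 12)
    return (length <= 1500                   # 802.3 length, not an EtherType
            and frame[14:17] == b"\xaa\xaa\x03"   # DSAP, SSAP, control (UI)
            and frame[17:20] == _oui(oui)
            and frame[20:22] == pid.to_bytes(2, "big"))

def build_frame(oui: str, pid: int, payload: bytes = b"\x00" * 8) -> bytes:
    """Constructed test frame; the MAC addresses are placeholders."""
    body = b"\xaa\xaa\x03" + _oui(oui) + pid.to_bytes(2, "big") + payload
    dst, src = bytes.fromhex("010000000001"), bytes.fromhex("020000000002")
    return dst + src + struct.pack("!H", len(body)) + body

if __name__ == "__main__":
    print("CDP:", snap_filter("00:00:0c", 0x2000))
    print("FDP:", snap_filter("00:e0:52", 0x2000))
    fdp = build_frame("00:e0:52", 0x2000)
    print("FDP frame matches FDP filter:", matches_snap(fdp, "00:e0:52", 0x2000))
    print("FDP frame matches CDP filter:", matches_snap(fdp, "00:00:0c", 0x2000))
```

The generated string can be passed as a capture filter, for example to `tcpdump` or to Wireshark's capture options.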