This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Foundry FDP Capture Filter

0

I have found a capture filter for CDP and was hoping this would work for FDP too. Can you help me find one that will work for FDP please. The CDP one which works is : ether[12:2] <= 1500 && ether[14:2] == 0xAAAA && ether[16:1] == 0x03 && ether[17:2] == 0x0000 && ether[19:1] == 0x0C && ether[20:2] == 0x2000

thanks

Chris Chambers BBC London

asked 26 Nov '13, 09:56

Chris%20C's gravatar image

Chris C
11112
accept rate: 0%

1

If you can provide a capture file (with some frames, not just one), someone here might be able to help.

(26 Nov '13, 10:32) Kurt Knochner ♦

One Answer:

1

That filter is checking for SNAP frames with an OUI of 00:00:0C and a PID of 0x2000.

For FDP, the OUI is 00:E0:52, which is an OUI for Foundry, and the PID is again 0x2000.

Therefore, the filter would be

ether[12:2] <= 1500 && ether[14:2] == 0xAAAA && ether[16:1] == 0x03 && ether[17:2] == 0x00E0 && ether[19:1] == 0x52 && ether[20:2] == 0x2000

(I really need to add a "snap" filter primitive to libpcap, so you can do something such as "snap 00:e0:52-2000" or something such as that, or maybe "snapoui 00:e0:52 snappid 0x2000", in a capture filter.)

answered 26 Nov '13, 14:29

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196
accept rate: 19%

1

(BTW, some slightly more efficient filters would be

ether[12:2] <= 1500 && ether[14:4] == 0xAAAA0300 && ether[18:4] == 0x000C2000

for CDP and

ether[12:2] <= 1500 && ether[14:4] == 0xAAAA0300 && ether[18:4] == 0xE0522000

for FDP - fewer BPF instructions interpreted per packet, but that might not make a huge difference in capture performance.)

(26 Nov '13, 14:31) Guy Harris ♦♦

Thank you Guy, all working perfectly, much appreciated

(03 Dec '13, 05:38) Chris C

Hint: If a supplied answer resolves your question can you please "accept" it by clicking the checkmark icon next to it. This highlights good answers for the benefit of subsequent users with the same or similar questions.

(03 Dec '13, 05:48) Kurt Knochner ♦