[prev in list] [next in list] [prev in thread] [next in thread] 

List:       wireshark-users
Subject:    Re: [Wireshark-users] filter out PVST packets?
From:       Guy Harris <guy () alum ! mit ! edu>
Date:       2011-10-28 8:15:27
Message-ID: 991F5CAC-8D0E-4A1D-947C-D25954A76E50 () alum ! mit ! edu
[Download RAW message or body]


On Oct 27, 2011, at 10:51 PM, Guy Harris wrote:

> PVSTP+ does *NOT* use the standard Ethernet type or LLC SAP for STP; instead, it \
> uses SNAP and an OUI of 00:00:0C and a protocol ID of 0x010b.  Unfortunately, \
> there's no simple primitive to check for SNAP+{OUI}+{Protocol ID}.  The way you way \
> you do that is dependent on the link layer type; for Ethernet I think it'd be 
> 	ether[12:2] <= 1500 and ether[14:4] == 0xaaaa0300 and ether[18:4] == 0x000c0010b

Err, sorry, that's

	not (ether[12:2] <= 1500 and ether[14:4] == 0xaaaa0300 and ether[18:4] == \
0x000c0010b)

if you *don't* want PVST+.  If you don't want STP *or* PVST+, it's

	not stp and not (ether[12:2] <= 1500 and ether[14:4] == 0xaaaa0300 and ether[18:4] \
== 0x000c0010b) ___________________________________________________________________________
 Sent via:    Wireshark-users mailing list <wireshark-users@wireshark.org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@wireshark.org?subject=unsubscribe


[prev in list] [next in list] [prev in thread] [next in thread]