OmniPeek Support

How do I (efficiently) create a generic EAP filter?

hstuken
Posts: 12
Joined: Tue Dec 02, 2008 10:12 pm

How do I (efficiently) create a generic EAP filter?

Postby hstuken » Tue Apr 28, 2009 7:47 am

All,

I'm trying to create a display filter for EAP & EAPOL messages; however, when I go into the filter builder I can only select individual EAP messages (Start, Failure, etc.), but I want them all. Is there any way to do this?

This is very simple to do in Wireshark (sorry - just for comparison), where I just type in 'eap || eapol' into the filter bar - the syntax is very simple vs. the filter bar in OP, which is fairly byzantine.

Thanks!

-Henry

hstuken
Posts: 12
Joined: Tue Dec 02, 2008 10:12 pm

RE: How do I (efficiently) create a generic EAP filter?

Postby hstuken » Tue Apr 28, 2009 8:06 am

Ok - after some digging I can get what I want by doing a Protocol filter of 0x888E (802.1X from the Ethernet headers).

The filters are a strange beast - powerful, but limiting in certain ways. Or perhaps the problem is they don't work the way I think, which I'm willing to admit. I'm still getting use to the OP metaphor, so perhaps I just need more time with it to get comfortable.

-Henry

DJWP
Posts: 682
Joined: Tue Oct 30, 2007 11:42 am

RE: RE: How do I (efficiently) create a generic EAP filter?

Postby DJWP » Tue Apr 28, 2009 9:11 am

Henry-

Glad you found it. There is also an even simpler way. Click on Protocols, locate EAPOL, right click and select Make Filter. You can do this on items in a lot of the views within OmniPeek-

hstuken
Posts: 12
Joined: Tue Dec 02, 2008 10:12 pm

RE: How do I (efficiently) create a generic EAP filter?

Postby hstuken » Tue Apr 28, 2009 12:46 pm

Hrm...where do you mean? Which Protocols? I select it in the Make Filter, but I don't see EAPOL in there, unless I use the generic protospec, but that lists out all of the various EAPOL message types.

DJWP
Posts: 682
Joined: Tue Oct 30, 2007 11:42 am

RE: RE: How do I (efficiently) create a generic EAP filter?

Postby DJWP » Wed Apr 29, 2009 2:18 pm

In the Protocol view in the main window of OmniPeek, not in the filter editing dialog-


Return to “OmniPeek Support”

Who is online

Users browsing this forum: No registered users and 3 guests