Ethereal-dev: Re: [ethereal-dev] Re: [ethereal-users] Display Filters vs. Capture Filters
On Thu, Feb 17, 2000 at 07:54:14AM -0600, Nathan Neulinger wrote:
> I personally would like to see the ability to use display filters at
> capture time. Generally the only significant reason to use bpf filters
> is for efficiency (speed). For alot of captures, the main concern is
> just not capturing a tremendous amount of unneeded data.
>
> Perhaps a radio button to pick between them?
>
> Now, this obviously would require some trickery such as a second
> temporary file for the capture that the packets get copied to as they
> are filtered, or something like that.
Not necessarily - all it requires is that, *before* the packet is
written to the capture file, it be run through a display filter and
discarded if it doesn't match.
This could be done as the first thing that "capture_pcap_cb()" does -
note that Tethereal *already* supports using a read filter when
capturing (read filters having the syntax of display filters), and
discards the packets before being written.
My inclination might be to
1) translate a subset of display filter syntax into libpcap
capture filter syntax;
2) handle capture filters by:
first, trying to translate it to libpcap syntax and,
if that succeeds, installing it as a capture filter;
if that fails, try parsing it as a libpcap-syntax
capture filter and, if that succeeds, installing it as a
capture filter;
if that fails, try parsing it as a display filter and,
if that succeeds, use it as a read filter;
if that fails, complain and refuse to do the capture.
Then any display filter could be used as a capture filter - although
display filters that ask for more than BPF can do will be less efficient
than display filters that ask for nothing that BPF couldn't do.
