Ethereal-dev: Re: [ethereal-dev] Syntax for capture filter (Truth in advertising?)

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxxxxx>
Date: Sun, 18 Jun 2000 19:54:29 -0700

On Mon, Jun 19, 2000 at 12:01:17AM +0100, Ben Fowler wrote:
> With tcpdump, this command and filter works:
> 
>          tcpdump -i eth0 'tcp port 80 or tcp port 3128'
> 
> but the same (capture) filter appears to be faulty in ethereal, giving
> a parse error.
> 
> Why is this?

Perhaps you'd previously given an incorrect filter to Ethereal; there is
an unfortunate bug in libpcap, where it doesn't clear the input token
stream before starting a parse - this means that if an earlier parse
failed before the last token was read by the lexical analyzer, the next
parse will get leftover tokens from that parse.

This isn't an issue in programs such as tcpdump (or Tethereal), which
only ever parse one filter expression, but *is* an issue in programs
such as Ethereal (and some other programs) which can parse more than one
filter expression.

A fix for this has been checked into the CVS tree for libpcap at
tcpdump.org; it probably won't be in the 0.5 release, but will probably
be in the next release after that.

"tcp port 80 or tcp port 3128" worked fine when I ran it just now, as
the first filter provided to the Ethereal instance in question, so it's
not as if it's never accepted by Ethereal.
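
The failure mode described in this message, as an added toy model in C that is not libpcap's code and not part of the original post: a scanner whose buffered input survives a failed parse makes a later, valid filter fail until the stream is cleared. The grammar, `compile_filter`, `reset_first` and the mistyped filter are hypothetical, constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Toy scanner state that outlives a single parse (constructed model). */
static char pending[256];  /* buffered input not yet consumed */
static size_t pos;         /* read offset into pending */

/* Next space-separated word, or NULL when the buffer is exhausted. */
static const char *next_token(void) {
    static char tok[32];
    size_t n = 0;
    while (pending[pos] == ' ') pos++;
    if (pending[pos] == '\0') return NULL;
    while (pending[pos] && pending[pos] != ' ' && n < sizeof tok - 1)
        tok[n++] = pending[pos++];
    tok[n] = '\0';
    return tok;
}

/* term := "tcp" "port" NUMBER */
static int parse_term(void) {
    const char *t;
    if (!(t = next_token()) || strcmp(t, "tcp") != 0) return 0;
    if (!(t = next_token()) || strcmp(t, "port") != 0) return 0;
    return (t = next_token()) && strspn(t, "0123456789") == strlen(t);
}

/* filter := term { "or" term }; 0 on success, -1 on parse error.
 * reset_first = 0 models the bug, 1 clears the token stream first. */
int compile_filter(const char *expr, int reset_first) {
    if (reset_first) { pending[0] = '\0'; pos = 0; }
    /* New text is queued behind whatever the previous parse left unread. */
    memmove(pending, pending + pos, strlen(pending + pos) + 1);
    pos = 0;
    size_t len = strlen(pending);
    snprintf(pending + len, sizeof pending - len, " %s", expr);
    for (;;) {
        const char *t;
        if (!parse_term()) return -1;      /* early exit: tokens stay buffered */
        if (!(t = next_token())) return 0; /* clean end of input */
        if (strcmp(t, "or") != 0) return -1;
    }
}

int main(void) {
    const char *good = "tcp port 80 or tcp port 3128";
    printf("first filter:     %d\n", compile_filter(good, 0));
    printf("mistyped filter:  %d\n", compile_filter("tcp prt 80 or tcp port 3128", 0));
    printf("good after typo:  %d\n", compile_filter(good, 0));
    printf("good after reset: %d\n", compile_filter(good, 1));
}
```

A regression check for any program that compiles more than one filter per process follows the same order: a deliberately invalid expression first, then a known-good one, expecting the second to succeed.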