Ethereal-dev: Re: [ethereal-dev] Syntax for capture filter (Truth in advertising?)

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Ben Fowler <wapdev@xxxxxxxxxxxx>
Date: Mon, 19 Jun 2000 07:31:50 +0100
At 03:54 AM 6/19/00, Guy Harris wrote:
> On Mon, Jun 19, 2000 at 12:01:17AM +0100, Ben Fowler wrote:
> > With tcpdump, this command and filter works:
> >
> >          tcpdump -i eth0 'tcp port 80 or tcp port 3128'
> >
> > but the same (capture) filter appears to be faulty in ethereal, giving
> > a parse error.
> >
> > Why is this?
>
> Perhaps you'd previously given an incorrect filter to Ethereal; there is
> an unfortunate bug in libpcap, where it doesn't clear the input token
> stream before starting a parse - this means that if an earlier parse
> failed before the last token was read by the lexical analyzer, the next
> parse will get leftover tokens from that parse.

[ ... ]

> "tcp port 80 or tcp port 3128" worked fine when I ran it just now, as
> the first filter provided to the Ethereal instance in question, so it's
> not as if it's never accepted by Ethereal.

That is very helpful. I saw this note (earlier) and restarted ethereal
to try again before posting; but it still didn't work.

The about box for ethereal reports Gtk+ 1.2.6, libpcap 0.4, libz
1.1.3 and no SNMP.

I think that libpcap is linked statically.

At the moment I am unable to compile ethereal from source because
I don't understand the consequences of recent changes
to the test buffer, and I am a little shy when it comes to asking
for help. I will get on with these things this evening and tomorrow.

Ben.



I have libpcap

--
Leedsnet - The information resource for Leeds and the West Riding
< URL:http://www.leedsnet.com/mobile/ >
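
The stale-token failure mode described in the quoted reply above, as an added toy model in C. This is not libpcap or Ethereal code: `compile_filter`, the tiny grammar and the misspelled sample filter are all constructed for illustration.

```c
#include <ctype.h>
#include <string.h>

/* Toy model only, not libpcap source: the lexer state is static and
   survives between parses, like the token stream described above. */
static char buf[256];      /* unread input left in the lexer */
static char *cur = buf;    /* next unread character */

static void lex_reset(void) { buf[0] = '\0'; cur = buf; }

/* Queue a new filter string behind whatever is still unread. */
static void lex_feed(const char *s) {
    memmove(buf, cur, strlen(cur) + 1);
    cur = buf;
    strncat(buf, " ", sizeof buf - strlen(buf) - 1);
    strncat(buf, s, sizeof buf - strlen(buf) - 1);
}

/* Return the next whitespace-delimited token, or NULL at end of input. */
static const char *next_tok(void) {
    static char tok[32];
    size_t n = 0;
    while (*cur == ' ') cur++;
    if (!*cur) return NULL;
    while (*cur && *cur != ' ' && n < sizeof tok - 1) tok[n++] = *cur++;
    tok[n] = '\0';
    return tok;
}

/* Grammar: "tcp port N" joined by "or". Returns 0 if ok, -1 on error.
   On error it returns at once, leaving later tokens unread. */
static int parse(void) {
    const char *t;
    for (;;) {
        if (!(t = next_tok()) || strcmp(t, "tcp")) return -1;
        if (!(t = next_tok()) || strcmp(t, "port")) return -1;
        if (!(t = next_tok()) || !isdigit((unsigned char)*t)) return -1;
        if (!(t = next_tok())) return 0;
        if (strcmp(t, "or")) return -1;
    }
}

/* compile_filter(s, 0) models the bug; compile_filter(s, 1) the fix. */
int compile_filter(const char *s, int clear_first) {
    if (clear_first) lex_reset();
    lex_feed(s);
    return parse();
}
```

In this model a valid filter is rejected only when it follows a failed parse without a reset; clearing the lexer state before each parse makes the result depend on the current filter string alone.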