> 2) having Ethereal treat it as a capture filter if it can be
> parsed as one and a display filter if it can't be parsed as a
> capture filter but can be parsed as a display filter, which
> runs the risk that the people who currently ask the Ethereal
> list "why doesn't 'ip.addr == 127.0.0.1' work as a filter?"
> instead blithely use display filters and possibly find that
> Ethereal can't keep up with the network traffic because it's
> seeing *every* packet and running the
> considerably-more-expensive display-filtering process on all
> of them.
Seems to me it would be nice if ethereal could compile as much of the
display filter as it can into capture filter. Even if this involved
hardwiring patterns. (Seems like hardwiring some of that support would be
acceptable to me, since the capture syntax is limited.)
Then, if you did a filter like:
ip.addr == 127.0.0.1 && !udp && !telnet
ethereal at least could extract the invariant portion of that (ip.addr ==
127.0.0.1), and stick that in as the capture filter.
Not saying this would be real easy, but it would be the ideal behavior.
-- Nathan
