Ethereal-dev: Re: [Ethereal-dev] 'Add Expression' button in Capture Filters Dialogue box
On Sun, Nov 30, 2003 at 03:58:41PM +0100, J.Smith wrote:
> Just wondering, would it be possible to add an 'Add Expression' button to
> the capture filters dialogue box ? There is one available for the display
> filters, but not for the capture filters.
It might be possible for somebody with the time to do so to write
something to implement that.
One problem, however, is that the code to parse and interpret capture
filter expressions is *not* part of Ethereal, so either
1) an "Add Expression" button would only support, for example,
the libpcap 0.4 syntax, not anything added since then;
2) an "Add Expression" button might allow you to specify filters
that the version of libpcap Ethereal is using couldn't
handle;
3) Ethereal, or its configure script, would somehow have to
figure out what expressions the version of libpcap it's using
supports (given that some OSes supply libpcap as a shared
library, "Ethereal" is probably a better answer than "its
configure script", so that a single binary can adapt to
whatever version of libpcap is being used).
> By the way, the reason I ask is because I seem to be having some problems
> with using the capture filters. I gather that they are supposed to be the
> same as tcpdump filters, but when I enter a capture filter like this :
>
> port = 80
>
> or even this
>
> \( port = 80 \)
>
> I get an error message saying that this is an illegal capture filter. What
> gives ?
What gives is that it's not a legal tcpdump capture filter.
> Running Ethereal 0.9.16 on Windows 98SE.
See
http://windump.polito.it/docs/manual.htm
for a description of the tcpdump/WinDump capture filter format.
In particular, it's not "port = 80", it's just "port 80".
