Ethereal-users: Re: [ethereal-users] Filter troubles

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxxxxx>
Date: Tue, 21 Mar 2000 22:04:37 -0800

> I read the documentation for the filters but I haven't been able to get
> them to work.

When capturing, or when filtering a capture you've already read?

The syntax is different; as the man page indicates, capture filters use
a different syntax, which is the same syntax as tcpdump uses (because we
use the same library as tcpdump).  (We don't consider this a feature,
but we haven't gotten around to making capture filters support (a subset
of) the same syntax as display filters yet; we'd probably also let it
use the old capture filter syntax as well.)

> How would I do something simple like the following?
> 
> Filter out data whose source is tiger.unm.edu

Filter out as in "*don't* capture/display packets from 'tiger.unm.edu'"?

For capturing:

	not src host tiger.unm.edu

For filtering a capture you've already read:

	ip.src != tiger.unm.edu

> Filter only data whose protocol is TCP

I.e., capture/display only TCP packets?

For capturing:

	tcp

For filtering a capture you've already read:

	tcp