Wireshark · Ethereal-users: Re: [Ethereal-users] Filtering problems

Ethereal-users: Re: [Ethereal-users] Filtering problems

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "James A. Crippen" <james@xxxxxxxxxxxx>

Date: Wed, 10 Jan 2001 09:30:10 -0900 (AKST)

On Wed, 10 Jan 2001, Guy Harris wrote:

> On Tue, Jan 09, 2001 at 03:27:08PM -0900, James A. Crippen wrote:
> > May I suggest the following minor changes to the manpage Synopsis section
> > for tethereal?  (Haven't looked at ethereal's page yet.)
> 
> It could use similar changes.
> 
> > Change
> > 
> >   ... [ -f filter expression ] ... [ -R filter expression ] ... [ filter
> >   expression ]
> > 
> > to
> > 
> >   ... [ -f capture filter expression ] ... [ -R read filter expression ]
> >   ... [ capture filter expression ]
> 
> ...except that whether the last of those is a capture filter or a
> display filter depends on whether you specified a "-r" flag or not, i.e.
> whether you're doing a live capture or reading a capture file.

Ah, I didn't know about this.  That's somewhat subtle.  But it makes
sense.
 
> > which would make it more obvious that the default is a capture filter and
> > not a read filter,
> 
> But that's the "default" only if no "-r" flag is specified; capturing
> rather than reading a capture file is the default, but just calling the
> command-line arguments "capture filter expression" might lead one to
> believe that it's *always* a capture filter expression, which it isn't.
> 
> I've checked in changes to the Ethereal and Tethereal man pages, except
> that
> 
> 	1) I call the argument to "-R" a "display filter expression"
> 	   rather than a "read filter expression", as the document
> 	   refers to that type of filter as a display filter when it
> 	   discusses the syntax;
> 
> 	2) it just says "filter expression" for the command-line filter
> 	   expression in Tethereal, as per the above.

That sounds like a good solution.  I didn't know about the -r option which
switches the meaning of the final argument.  I think having both types of
filter expression labeled as such in the synopsis should point out that
there are different syntaxes and most people would keep reading a bit more
to figure out which one to use.

'james

-- 
James A. Crippen <james@xxxxxxxxxxxx> ,-./-.  Anchorage, Alaska,
Lambda Unlimited: Recursion 'R' Us   |  |/  | USA, 61.2069 N, 149.766 W,
Y = \f.(\x.f(xx)) (\x.f(xx))         |  |\  | Earth, Sol System,
Y(F) = F(Y(F))                        \_,-_/  Milky Way.

References:
- Re: [Ethereal-users] Filtering problems
  - From: Guy Harris

Prev by Date: [Ethereal-users] [Fwd: bug: ethereal 0.8.12 and 0.8.14 display first TFTP capture as WCCP datagrams]
Next by Date: [Ethereal-users] Two packet intercept question
Previous by thread: Re: [Ethereal-users] Filtering problems
Next by thread: Re: [Ethereal-users] Filtering problems
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$