Ethereal-users: [Ethereal-users] Filters

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Nawar, Hany Nader Soliman (Hany)" <nawar@xxxxxxxxxx>
Date: Thu, 7 Jun 2001 13:19:58 +0300
Hello,
I'd like to ask about the difference between display and capture filters,
and when to use either of them.
I would like to know also how to supply display filters to ethereal?
My OS is Solaris 2.6

Best regards
Hany Nader Nawar, MSc



-----Original Message-----
From: Guy Harris [mailto:guy@xxxxxxxxxx]
Sent: Wednesday, June 06, 2001 10:06 PM
To: Nawar, Hany Nader Soliman (Hany)
Cc: 'ethereal-users@xxxxxxxxxxxx'
Subject: Re: [Ethereal-users] Filters


> Thanks for the interfaces tip, it worked.  Now I'm trying to define some
> filters, but every time the program gives me an error: Unable to parse
> filter string (parse error).
> 
> I tried simple filters like:
> ip.dst == www.yahoo.com
> 
> ip.addr eq 1.2.20.30
> 
> and I get the same error.
> 
> What's the problem?

That depends on where you're trying those filters.

If, as I suspect is the case, you're trying those filters in the
"Capture Preferences" dialog box, popped up when you select "Start" from
the "Capture" menu, the problem is that capture filters are *NOT*
implemented by Ethereal, they're implemented by the libpcap library that
Ethereal uses to do captures, and the syntax that library supports is
*not* the same syntax as the syntax for display filters.

(The capture filter syntax can't support everything that the display
filter mechanism can, so we needed a different syntax; we may, at some
point, write code to translate display-filter-like filters into libpcap
capture filters, but there's already a large number of projects in
progress for Ethereal, so there's no guarantee that particular project
would make it to the head of the queue soon - it's a non-trivial
project).

See

	http://www.ethereal.com/faq.html#q3.1

which has a link to an on-line version of the tcpdump man page, in which
the syntax of libpcap capture filters is defined.

In the case of the two filters you listed, the capture-filter equivalent
of

	ip.dst == www.yahoo.com

is

	dst host www.yahoo.com

and the equivalent of

	ip.addr eq 1.2.20.30

is

	host 1.2.20.30