Ethereal-users: RE: [Ethereal-users] Filters
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
From: "McNutt, Justin M." <McNuttJ@xxxxxxxxxxxx>
Date: Thu, 14 Jun 2001 12:26:34 -0500
Display filters do not modify the capture file. They only tell Ethereal which packets to put on the screen for your inspection. The most convenient place to enter display filters is at the bottom of the Ethereal window. You would use display filters when you have a large capture file and you want to narrow down the number of packets displayed, thus making the display easier to read. Capture filters tell Ethereal which packets you want (or do not want) to grab from the network itself. You use capture filters when you already have an idea of what you're looking for *before* you start the packet capture. I have found that when troubleshooting, these are wise to use when you are looking for something very specific. Otherwise, I just capture everything and use display filters to pare down the list. --J > -----Original Message----- > From: Nawar, Hany Nader Soliman (Hany) [mailto:nawar@xxxxxxxxxx] > Sent: Thursday, June 07, 2001 5:20 AM > To: 'ethereal-users@xxxxxxxxxxxx' > Subject: [Ethereal-users] Filters > > > Hello, > I'd like to ask about the difference between display and > capture filters, > and when to use either of them. > I would like to know also how to supply display filters to ethereal? > My OS is Solaris 2.6 > > Best regards > Hany Nader Nawar, MSc > > > > -----Original Message----- > From: Guy Harris [mailto:guy@xxxxxxxxxx] > Sent: Wednesday, June 06, 2001 10:06 PM > To: Nawar, Hany Nader Soliman (Hany) > Cc: 'ethereal-users@xxxxxxxxxxxx' > Subject: Re: [Ethereal-users] Filters > > > > Thanks for the interfaces tip, it worked. Now I'm trying > to define some > > filters, but every time the program gives me an error: > Unable to parse > > filter string (parse error). > > > > I tried simple filters like: > > ip.dst == www.yahoo.com > > > > ip.addr eq 1.2.20.30 > > > > and I get the same error. > > > > What's the problem? > > That depends on where you're trying those filters. > > If, as I suspect is the case, you're trying those filters in the > "Capture Preferences" dialog box, popped up when you select > "Start" from > the "Capture" menu, the problem is that capture filters are *NOT* > implemented by Ethereal, they're implemented by the libpcap > library that > Ethereal uses to do captures, and the syntax that library supports is > *not* the same syntax as the syntax for display filters. > > (The capture filter syntax can't support everything that the display > filter mechanism can, so we needed a different syntax; we may, at some > point, write code to translate display-filter-like filters > into libpcap > capture filters, but there's already a large number of projects in > progress for Ethereal, so there's no guarantee that particular project > would make it to the head of the queue soon - it's a non-trivial > project). > > See > > http://www.ethereal.com/faq.html#q3.1 > > which has a link to an on-line version of the tcpdump man > page, in which > the syntax of libpcap capture filters is defined. > > In the case of the two filters you listed, the capture-filter > equivalent > of > > ip.dst == www.yahoo.com > > is > > dst host www.yahoo.com > > and the equivalent of > > ip.addr eq 1.2.20.30 > > is > > host 1.2.20.30 > > _______________________________________________ > Ethereal-users mailing list > Ethereal-users@xxxxxxxxxxxx > http://www.ethereal.com/mailman/listinfo/ethereal-users >
- Prev by Date: Re: [Ethereal-users] Ethereal capture not taking place
- Next by Date: [Ethereal-users] Searching for a string
- Previous by thread: Re: [Ethereal-users] Filters
- Next by thread: [Ethereal-users] Filters
- Index(es):
