Ethereal-users: Re: [Ethereal-users] Re:Filter ? second ...
On Wed, Feb 19, 2003 at 08:36:04PM +0100, Sean Hackstein wrote:
> To make things clear :
> I try to type the filter directly into :
> Capture/start -> Ethereal: Capture Options
> Filter->
>
> maybe that's wrong ?
Given that you said, in your earlier message:

    i'm new to ethereal and didn't manage to get a display filter working
                                                   ^^^^^^^

either

    1) typing it into the "Filter:" field in the "Capture Options"
       dialog box is wrong

or

    2) saying "...didn't manage to get a display filter working",
       rather than "...didn't manage to get a *capture* filter
       working", was wrong. :-)

I suspect the latter was the error here.

If you want to control which packets Ethereal *captures*, rather than
the subset of the captured packets in the display, you need a capture
filter; the syntax for those is different from the syntax for display
filters (capture filters are compiled by the libpcap/WinPcap library
that Ethereal uses to do packet capture, display filters are compiled by
Ethereal).

To do a *capture* filter to check for MAC addresses beginning with
00:30:84:1c, you'd do

    ether[0:4] = 0x0030841c or ether[6:4] = 0x0030841c

(Note that in capture filters the number after the : has to be 1, 2, or 4
- you can't use 3, and you can't use a number greater than 4; capture
filters are not as general as display filters in that regard. You just
happen to be lucky that you want to check the first 4 bytes of the
address.)
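
Added example, not part of the original message: a Python sketch that builds the capture filter for a MAC prefix of any length from 1 to 6 bytes by splitting it into the 1-, 2- and 4-byte loads described above, which goes beyond the 4-byte case in the message. The function names (parse_prefix, match_at, capture_filter) are hypothetical, and the prefixes in the demo are constructed sample values.

```python
import string

DST_OFFSET = 0  # destination MAC occupies bytes 0-5 of the Ethernet header
SRC_OFFSET = 6  # source MAC occupies bytes 6-11


def parse_prefix(prefix):
    """Turn '00:30:84' or '00-30-84' into bytes, validating every octet."""
    parts = prefix.replace("-", ":").split(":")
    if not 1 <= len(parts) <= 6:
        raise ValueError("MAC prefix must be 1 to 6 octets")
    for part in parts:
        if len(part) != 2 or any(c not in string.hexdigits for c in part):
            raise ValueError("bad octet in MAC prefix: %r" % part)
    return bytes(int(part, 16) for part in parts)


def match_at(offset, data):
    """Compare data against the frame at offset using 4/2/1-byte loads only."""
    terms = []
    pos = 0
    while pos < len(data):
        remaining = len(data) - pos
        size = 4 if remaining >= 4 else 2 if remaining >= 2 else 1
        value = int.from_bytes(data[pos:pos + size], "big")
        terms.append("ether[%d:%d] = 0x%0*x"
                     % (offset + pos, size, size * 2, value))
        pos += size
    return " and ".join(terms)


def capture_filter(prefix):
    """Filter matching frames whose source or destination MAC has the prefix."""
    data = parse_prefix(prefix)
    dst = match_at(DST_OFFSET, data)
    src = match_at(SRC_OFFSET, data)
    if " and " in dst:
        # In capture filters "and" and "or" have equal precedence and
        # associate left to right, so multi-term sides need parentheses.
        return "(%s) or (%s)" % (dst, src)
    return "%s or %s" % (dst, src)


if __name__ == "__main__":
    # Constructed sample prefixes: the 4-byte one from the message, then
    # a 3-byte and a full 6-byte address.
    for sample in ("00:30:84:1c", "00:30:84", "00-30-84-1C-aa-bb"):
        print("%-18s %s" % (sample, capture_filter(sample)))
```
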