Ethereal-users: Re: [Ethereal-users] Specifying filters in tethereal

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Martin Regner" <martin.regner@xxxxxxxxx>
Date: Thu, 5 Jun 2003 07:08:42 +0100
Vaidehi Kasarekar wrote:

<Frame 363 (90 on wire, 90 captured)
<    Arrival Time: Jun  4, 2003 18:16:20.623654000
<    Time delta from previous packet: 0.002625000 seconds
<    Time relative to first packet: 13.375884000 seconds
<    Frame Number: 363
<    Packet Length: 90 bytes
<    Capture Length: 90 bytes
<IEEE 802.11
<    Type/Subtype: Data (32)
<    Frame Control: 0x0108
<        Version: 0
<        Type: Data frame (2)
<        Subtype: 0
<        Flags: 0x1


>If I want to specify a filter in tethereal in such a way that it will filter out packets where
>Frame Type matches "data" and some more fields of the header, what is the syntax? How do I specify that???
> 
>If I specify:
>[vaidehi@base-station log]$ tethereal -i eth2 -f 'wlan.fc.type_subtype eq 0x08' -V
>I get an error: 
> 
>tethereal: Unable to parse filter string (parse error).
>
>Can anybody guide me in writing rules to filter out packets based on certain header information? I am interested in the syntax. Or any document describing the filters or examples of filters would be useful.

Capture filters have a different syntax than display filters:
http://www.ethereal.com/faq.html#q5.5

In order to prepare a capture filter you should read the tcpdump/WinDump documentation (man-page) corresponding to the libpcap/WinPcap version you are using, e.g.

http://nodevice.com/sections/ManIndex/man1692.html

http://windump.polito.it/docs/manual.htm  (if you are using WinPcap)

There are also some other "guides" about tcpdump filter syntax that can be good sometimes:

http://www.security-forums.com/forum/viewtopic.php?t=4489

http://www.ethereal.com/lists/ethereal-users/200306/msg00020.html

http://home.insight.rr.com/procana/index.html

I guess that in your case, when you have IEEE 802.11 headers, you maybe have to use a filter such as
ether[0] & 0xF0 = 0x8

(ether[0] means the first byte of the data link level used on the specified network interface)

It might be good to combine a capture filter with a display/read-filter since the syntax for display/read-filters is much more powerful.
You can normally filter on high level protocols and similar.

You could for example start with capturing all packets matching a certain capture filter and save the result to a file:
tethereal -i eth2 -f 'ether[0] & 0xF0' -w file1.pcap

Then you could use read-filters to filter out with the more powerful display-filter syntax using the "-R" option:
tethereal -r file1.pcap -R 'wlan.bssid == 00:40:05:df:24:b8' -V

Actually it might work to use:
tethereal -i eth2 -R 'wlan.fc.type_subtype eq 0x08' -V
directly, but there is a risk that packets may be dropped when Ethereal has to scan through a lot of packets in real-time.
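As an added illustration (not part of Martin's mail or the Ethereal project), the Python below shows how the first octet of an IEEE 802.11 header, the one a `ether[0] & mask = value` capture-filter primitive tests, is laid out: bits 0-1 protocol version, bits 2-3 frame type, bits 4-7 subtype, with the flag bits in the second octet. It decodes the Frame Control value from the quoted tethereal output (0x0108, shown as Data (32), Type 2, Subtype 0, Flags 0x1) and evaluates a byte/mask predicate over a few constructed frame-control values so a reader can check which frames a given mask selects before running it against a live interface. The combined `type_subtype` number is computed as `type << 4 | subtype`, which reproduces the 32 printed in the quoted decode; the sample frames are constructed here.

```python
# Added example (not from the original mail): layout of the IEEE 802.11
# Frame Control field and evaluation of a capture-filter style byte/mask
# predicate over it. Field layout follows the 802.11 standard; the sample
# values are constructed, with the first one taken from the quoted decode.

FRAME_TYPES = {0: "Management", 1: "Control", 2: "Data", 3: "Reserved"}


def decode_frame_control(fc_bytes: bytes) -> dict:
    """Split the two-octet Frame Control field into its sub-fields.

    Octet 0: bits 0-1 protocol version, bits 2-3 type, bits 4-7 subtype.
    Octet 1: flag bits (To DS, From DS, More Fragments, Retry, ...).
    'type_subtype' is the combined number tethereal prints beside the
    frame type name, e.g. "Data (32)" for type 2, subtype 0.
    """
    if len(fc_bytes) < 2:
        raise ValueError("Frame Control needs two octets")
    b0, flags = fc_bytes[0], fc_bytes[1]
    version = b0 & 0x03
    ftype = (b0 >> 2) & 0x03
    subtype = (b0 >> 4) & 0x0F
    return {
        "version": version,
        "type": ftype,
        "type_name": FRAME_TYPES[ftype],
        "subtype": subtype,
        "type_subtype": (ftype << 4) | subtype,
        "flags": flags,
    }


def byte_mask_matches(frame: bytes, offset: int, mask: int, value: int) -> bool:
    """Evaluate a predicate of the form  frame[offset] & mask == value.

    This is the shape of the capture-filter primitive discussed in the
    mail (ether[0] & 0xF0 = 0x8); it is evaluated in Python here only to
    show which frames such a predicate would select.
    """
    if offset >= len(frame):
        return False  # as in BPF, an out-of-range load rejects the packet
    return (frame[offset] & mask) == value


# Constructed sample: Frame Control octets of several 802.11 frames. Only
# octet 0 matters for a byte-0 predicate; octet 1 carries the flags.
SAMPLE_FRAMES = {
    "data, subtype 0":        bytes([0x08, 0x01]),  # the quoted frame (0x0108)
    "data, subtype 8 (QoS)":  bytes([0x88, 0x01]),
    "management, beacon":     bytes([0x80, 0x00]),
    "control, ACK":           bytes([0xD4, 0x00]),
}


def select_frames(mask: int, value: int) -> list:
    """Names of the sample frames whose first octet satisfies mask/value."""
    return [name for name, frame in SAMPLE_FRAMES.items()
            if byte_mask_matches(frame, 0, mask, value)]


if __name__ == "__main__":
    # tethereal shows the 16-bit value 0x0108; on the wire that is
    # octet 0 = 0x08 (version/type/subtype) and octet 1 = 0x01 (flags).
    print(decode_frame_control(bytes([0x08, 0x01])))
    # Testing only the two type bits (mask 0x0C) for the value 0x08
    # selects every data frame regardless of subtype.
    print(select_frames(0x0C, 0x08))
```

Because the type occupies bits 2-3 of the octet, masking with 0x0C isolates the type while ignoring the subtype and version, which is the usual way to express "any data frame" as a single byte test; changing the mask to 0xFC selects exactly one type/subtype combination instead.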