Wireshark · Ethereal-users: Re: [Ethereal-users] Tethereal start capture question

[Stef <stefmit@xxxxxxxxxxx>]

snort comes to mind ... with a properly crafted content or pcre rule 
(version 2.1), perhaps ... but then you may not need tethereal at all, 
as snort would do the job for you (it is as good of a sniffer, as it is 
an IDS, actually) ... Visit www.snort.org and look around their docs 
and mailing list archives.

Stef

On Apr 29, 2004, at 12:11 PM, Janet Norton wrote:

> Can you define a condition which starts the data collection for 
> tethereal?  
>   
> Currently, I am using a capture filter to get packets for specific IP 
> traffic using a stop writing condition of 60 sec duration.
> tethereal.exe -f "dst 149.59.152.28" -a duration:30 -w outfile
>  
> I have a perl script which continuously spawns the above process then 
> reviews the outfile for when a specific ASCII string is present and 
> processes data accordingly.  This way I can intercept IP data when it 
> is present, but this is not very efficient.
>   
> I would like to start tethereal (or equivalent) with a condition to 
> only start collect packets when TCP traffic is present for this IP 
> only.  Any suggestions would be greatly appreciated.  This is on a 
> small part of corporate network and I am collecting IP traffic to a 
> barcode printer.
>  
> Thanks.