On Jul 6, 2004, at 5:32 PM, Guy Harris wrote:
> He does say of EtherPeek that it has "the ability to quickly filter out
> traffic you don't want to see in the display", but I don't know whether
> that's just offset filtering or not (an EtherPeek for Mac manual seems to
> indicate that you might be able to filter on particular protocols, but not
> on fields in a protocol).

That definitely is an odd thing to say; I didn't even catch it the
first time around.

EtherPeek's filtering system is definitely offset-based. Some
analyzers give you a hybrid decode-based and offset-based filtering
mechanism - you can specify to filter from an offset starting at a
"decoded" start point. Those tend to be extremely limited though
(address fields in a few protocols and a small handful of "common"
protocols), and EtherPeek definitely doesn't excel here. Instead,
EtherPeek (NX 3.0) provides a few "quick" filters to quickly build
offset-based filters (allowing you to "filter" on HTTP, DHCP, etc), but
it's not really much different than the other products.

I can't imagine he's talking about non-decode-related "filtering",
either. Perhaps he says this because there's a "filters" tab on the
same screen as the packet decode, so he was able to find the filters
more easily than with other products? Though by that logic you'd think it
would have been hard to miss the big "FILTER" button at the bottom of
the copy of Ethereal he tested...
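
The offset-based versus decode-based distinction discussed in this message, shown as an added example that is not part of the original email and is not EtherPeek's or Ethereal's code. It assumes constructed Ethernet/IPv4/TCP frames and hypothetical helper names (`build_frame`, `offset_filter`, `decode_filter`, `compare`), and shows a fixed-offset "HTTP" filter both missing port-80 traffic and matching a non-HTTP frame once a VLAN tag or IP options shift the headers.

```python
import struct

def build_frame(dst_port, vlan=None, ip_options=b""):
    """Constructed Ethernet/IPv4/TCP SYN frame (sample data, checksums zero)."""
    eth = bytes(12)                                   # dst + src MAC
    if vlan is not None:
        eth += struct.pack("!HH", 0x8100, vlan)       # 802.1Q tag
    eth += struct.pack("!H", 0x0800)                  # EtherType IPv4
    ihl = 5 + len(ip_options) // 4                    # header length in words
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(tcp), 0, 0,
                     64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + ip_options + tcp

def offset_filter(frame, port=80):
    """Fixed offsets: assumes an untagged frame and a 20-byte IP header."""
    return (len(frame) >= 38 and frame[12:14] == b"\x08\x00"
            and frame[23] == 6 and frame[36:38] == struct.pack("!H", port))

def decode_filter(frame, port=80):
    """Walks the headers, then compares the decoded TCP destination port."""
    off = 12
    while len(frame) >= off + 2 and frame[off:off + 2] == b"\x81\x00":
        off += 4                                      # skip each VLAN tag
    if frame[off:off + 2] != b"\x08\x00":
        return False
    ip = off + 2
    if len(frame) < ip + 20 or frame[ip] >> 4 != 4 or frame[ip + 9] != 6:
        return False
    tcp = ip + (frame[ip] & 0x0F) * 4                 # honour IHL (IP options)
    if (frame[ip] & 0x0F) < 5 or len(frame) < tcp + 4:
        return False
    return struct.unpack_from("!H", frame, tcp + 2)[0] == port

def compare():
    """Returns {case: (offset_filter result, decode_filter result)}."""
    cases = {
        "plain_80": build_frame(80),
        "vlan_80": build_frame(80, vlan=100),
        "ipopts_80": build_frame(80, ip_options=b"\x01\x01\x01\x00"),
        # constructed options whose bytes at offset 36-37 read as port 80
        "ipopts_443": build_frame(443, ip_options=b"\x01\x01\x00\x50"),
    }
    return {k: (offset_filter(f), decode_filter(f)) for k, f in cases.items()}

if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```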