Ethereal-users: Re: [Ethereal-users] couple of questions( dynamic capture filtering, applicatio
Raghavendra Thodime wrote:

> 1. When I direct verbose (./tethereal -V) output to a
> file, it prints the whole protocol tree (includes
> MAC, IP, Transport headers) after decoding the fields.
> Is there any way I can specify to get only application
> level packets (http, sip, etc.) in decoded format?

No - there's no mechanism in the Ethereal dissection code (used both by
Ethereal and Tethereal) to prevent particular protocols from being put
into the protocol dissection at all, and there's currently no mechanism
in Tethereal to specify that the full tree shouldn't be printed for some
protocols in "-V" mode.

> 2. Is there any interface where I can dynamically
> change the capture filter through some script while
> tethereal is running?

No - Tethereal doesn't include any code to change the filter on a
capture it's doing (so there's no way for some script to make it do so).
Note that even if such a mechanism existed, changing the filter might
cause packets that passed the old filter but that haven't yet been read
by the application to be discarded regardless of whether they'd pass the
new filter or not, as that's the way libpcap works on some OSes (in some
cases that's the way the underlying OS capture code works, and on others
libpcap works that way so that applications that expect not to see
packets that don't pass the new filter after the new filter is installed
don't get those packets anyway).
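
For the first question, the lower-layer trees can be removed from the `-V` text after Tethereal has written it. The filter below is an added example, not part of the original message or of Ethereal; the function names, the `LOWER_LAYERS` variable, the list of protocol headings and the sample text are assumptions made for illustration.

```shell
#!/bin/sh
# Post-filter for "tethereal -V" text: drop lower-layer protocol trees.
# Assumed layout: protocol summary lines start at column 0, their fields are
# indented, and a blank line separates packets.
strip_lower_layers() {
    awk -v skip="${LOWER_LAYERS:-Frame|Ethernet II|Internet Protocol|Transmission Control Protocol|User Datagram Protocol}" '
    BEGIN { n = split(skip, names, "|") }
    # Packet boundary: keep the separator only if this packet printed something.
    /^[ \t]*$/ { if (printed) print ""; printed = 0; drop = 0; next }
    # Unindented line: a new protocol tree starts; decide whether to drop it.
    /^[^ \t]/ {
        drop = 0
        for (i = 1; i <= n; i++) {
            len = length(names[i]); rest = substr($0, len + 1, 1)
            if (substr($0, 1, len) == names[i] && (rest == "" || rest ~ /[ ,(]/))
                drop = 1
        }
    }
    !drop { print; printed = 1 }'
}

# Constructed sample (not real capture output): HTTP request, bare ACK, SIP INVITE.
sample_capture() {
    cat <<'EOF'
Frame 1 (74 bytes on wire, 74 bytes captured)
Ethernet II, Src: 00:00:5e:00:53:01, Dst: 00:00:5e:00:53:02
Internet Protocol, Src Addr: 192.0.2.10 (192.0.2.10), Dst Addr: 192.0.2.20 (192.0.2.20)
Transmission Control Protocol, Src Port: 1025 (1025), Dst Port: 80 (80)
    Flags: 0x0018 (PSH, ACK)
Hypertext Transfer Protocol
    GET /index.html HTTP/1.1\r\n

Frame 2 (60 bytes on wire, 60 bytes captured)
Transmission Control Protocol, Src Port: 80 (80), Dst Port: 1025 (1025)
    Flags: 0x0010 (ACK)

Frame 3 (120 bytes on wire, 120 bytes captured)
User Datagram Protocol, Src Port: 5060 (5060), Dst Port: 5060 (5060)
    Length: 86
Session Initiation Protocol
    Request-Line: INVITE sip:bob@example.com SIP/2.0
EOF
}

sample_capture | strip_lower_layers
```

Packets that carry no application-layer tree, such as the bare ACK in the sample, produce no output at all.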