Ethereal-dev: Re: [Ethereal-dev] Capture Filter

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Sat, 20 Aug 2005 01:27:33 -0700
Nathan Jennings wrote:

> tethereal -n -s 1514 -i <dev_name> 'tcp and (port 445 or 139)'
>
> Depending on whether or not you care about what's in the payload once it's captured, you could leave out the "-s 1514" (snap length).

"-s 1514" is probably unnecessary. Tethereal, unlike tcpdump, defaults to a snapshot length of 65535, which means (for all link layers we support), "capture the entire packet". tcpdump, by default, has a short snapshot length (68 for versions of tcpdump without IPv6 support, 96 for versions with IPv6 support), so you need "-s 0" (or, with older versions of tcpdump, "-s 65535") to get the entire packet.

> If you need it, use the "-w <file_name>" option to write the capture to a file.

I.e., without "-w", Tethereal will just print the equivalent of the Ethereal summary section for the packets; with the "-V" flag, it'll print the equivalent of the packet detail section for each packet. For a file that can be read by tcpdump or Tethereal or Ethereal or..., use "-w".

The capture filter you gave also works with Ethereal.
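The snapshot-length point above is easy to miss after the fact: a file written with "-w" records the snaplen it was captured with, and every record carries both the captured and the original length, so a truncated capture can be detected by reading the file. The following script is an added example, not code from the thread or from Ethereal/Tethereal. It builds a constructed libpcap file in memory, once with tcpdump's old default snaplen of 96 and once with 65535, counts truncated records, and applies a Python equivalent of the filter 'tcp and (port 445 or 139)' to untagged, unfragmented Ethernet/IPv4 frames. The addresses, ports and payload sizes are constructed test data.

```python
"""Detect truncated packets in a pcap and count frames matching 'tcp and (port 445 or 139)'.

Added example, not part of the original mailing-list thread. The pcap blob,
frames and addresses are constructed here so the script runs offline.
"""
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4   # little-endian libpcap magic, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
SMB_PORTS = {139, 445}       # the ports from the capture filter in the thread


def build_tcp_frame(src_port, dst_port, payload_len):
    """Constructed Ethernet/IPv4/TCP frame with a zero-filled payload.
    Checksums are left at zero: this is parser test input, not a packet to transmit."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + payload_len, 0, 0, 64,
                     IPPROTO_TCP, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 0x50, 0x18, 65535, 0, 0)
    return eth + ip + tcp + b"\x00" * payload_len


def build_pcap(snaplen, packets):
    """Serialize (ts_sec, frame) pairs as a little-endian pcap file, cutting each
    frame at snaplen the way a capture tool run with that -s value would."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for ts, frame in packets:
        data = frame[:snaplen]
        # record header: ts_sec, ts_usec, captured length, original length on the wire
        out.append(struct.pack("<IIII", ts, 0, len(data), len(frame)))
        out.append(data)
    return b"".join(out)


def matches_smb_filter(frame):
    """Python equivalent of the capture filter 'tcp and (port 445 or 139)' for
    untagged, unfragmented Ethernet/IPv4 frames: either TCP port may be 139 or 445."""
    if len(frame) < 14 + 20 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return False
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != IPPROTO_TCP or len(frame) < 14 + ihl + 4:
        return False
    sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
    return sport in SMB_PORTS or dport in SMB_PORTS


def analyze_pcap(data):
    """Return (snaplen, total_packets, truncated_packets, smb_packets).
    A record is truncated when its captured length is below its original length."""
    magic, _, _, _, _, snaplen, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC_LE or linktype != LINKTYPE_ETHERNET:
        raise ValueError("this example handles little-endian Ethernet pcap only")
    off, total, truncated, smb = 24, 0, 0, 0
    while off + 16 <= len(data):
        _, _, incl_len, orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        total += 1
        truncated += incl_len < orig_len
        smb += matches_smb_filter(frame)
    return snaplen, total, truncated, smb


def demo():
    """Same three constructed frames captured with snaplen 96 and with 65535."""
    frames = [
        (1, build_tcp_frame(49152, 445, 1400)),  # 1454-byte frame to SMB over TCP
        (2, build_tcp_frame(139, 49153, 100)),   # NetBIOS session service reply
        (3, build_tcp_frame(49154, 80, 600)),    # HTTP, not matched by the filter
    ]
    short = analyze_pcap(build_pcap(96, frames))     # old tcpdump default (IPv6 builds)
    full = analyze_pcap(build_pcap(65535, frames))   # Tethereal default / tcpdump -s 0
    return short, full


if __name__ == "__main__":
    print(demo())
```

With the short snaplen every record is truncated, yet the filter still matches because the TCP header fits within the first 96 bytes; only the payload is lost. The check on incl_len versus orig_len is what tells you, after the fact, whether a capture handed to you was taken with an adequate snapshot length.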