Ethereal-users: Re: [ethereal-users] question

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Wed, 16 Feb 2000 13:50:42 -0800 (PST)
> I must admit that the difference between capture and display filters is
> one of the reasons I'm still a bit reluctant to use [t]ethereal (which
> is a great tool BTW).
> What are/were the reasons to have those different filter syntaxes?

The reason for using tcpdump/libpcap syntax for capture filters was that
it was already there, and code generation for BPF is a non-trivial task.

The reason for *not* using tcpdump syntax for display filters is that
it's not general enough.

We don't consider it a feature that there are two different filter
syntaxes, but there're a number of things that "aren't features", and
it's a question of which ones to work on first....  Perhaps I'll try
going back to my half-finished project to accept a subset of display
filter syntax and generate libpcap-syntax capture filters from it (which
obviates the need to write a BPF code generator with optimizer).
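
The translation idea in the last paragraph, as an added example that is not part of the original message and not Ethereal code: a Python function that rewrites an assumed subset of display-filter expressions as libpcap capture-filter text and rejects anything outside that subset. The field table and the function names are assumptions chosen for illustration.

```python
import re

# Assumed subset: display-filter field -> libpcap primitive.
FIELDS = {
    "ip.addr": "host", "ip.src": "src host", "ip.dst": "dst host",
    "tcp.port": "tcp port", "tcp.srcport": "tcp src port", "tcp.dstport": "tcp dst port",
    "udp.port": "udp port", "udp.srcport": "udp src port", "udp.dstport": "udp dst port",
}
PROTOCOLS = {"ip", "tcp", "udp", "icmp", "arp"}  # bare names valid in both syntaxes
LOGIC = {"&&": "and", "and": "and", "||": "or", "or": "or", "!": "not", "not": "not"}
TOKEN = re.compile(r"&&|\|\||==|[()!]|[A-Za-z0-9_.]+")
VALUE = re.compile(r"\d+(\.\d+){0,3}")  # port number or dotted IPv4 address

def tokenize(text):
    tokens = TOKEN.findall(text)
    if "".join(tokens) != re.sub(r"\s+", "", text):
        raise ValueError("unrecognised characters in filter")
    return tokens

def to_capture_filter(display_filter):
    tokens, out, i = tokenize(display_filter), [], 0
    ops = [set()]  # binary operators seen at each parenthesis depth
    while i < len(tokens):
        tok = tokens[i]
        if tok in FIELDS:
            op, value = (tokens[i + 1:i + 3] + ["", ""])[:2]
            if op not in ("==", "eq") or not VALUE.fullmatch(value):
                raise ValueError(f"{tok}: only '== <number or IPv4>' is supported")
            out.append(f"{FIELDS[tok]} {value}")
            i += 2
        elif tok in LOGIC:
            out.append(LOGIC[tok])
            if LOGIC[tok] != "not":
                ops[-1].add(LOGIC[tok])
                # libpcap gives and/or equal precedence: require parentheses.
                if len(ops[-1]) > 1:
                    raise ValueError("mixing and/or needs explicit parentheses")
        elif tok == "(":
            ops.append(set())
            out.append(tok)
        elif tok == ")" and len(ops) > 1:
            ops.pop()
            out.append(tok)
        elif tok in PROTOCOLS:
            out.append(tok)
        else:
            raise ValueError(f"{tok!r} is not in the translatable subset")
        i += 1
    return " ".join(out).replace("( ", "(").replace(" )", ")")
```

The output is only text for libpcap's own compiler, which still validates it; fields with no entry in the table are refused rather than guessed at.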