Ethereal-users: Re: [ethereal-users] bug in version 0.8.3?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxxxxx>
Date: Tue, 22 Feb 2000 10:48:02 -0800
> > So are you saying that when you do a "Follow TCP Stream", you get a
> >
> > Unable to parse filter string (parse error)
> >
> > error?
> >
> 
> Yes, you are OK

I am OK in the sense that you got the error I describe when doing
"Follow TCP Stream", or "I" am OK in the sense that Ethereal is OK and
"Follow TCP Stream" works for you?

> > You're not using that sort of filter as a capture filter - i.e., in the
> > "Filter:" text field in the window popped up by the "Start" item in the
> > "Capture" menu - are you?  If so, that won't work, unfortunately -
> > capture filters have a different syntax from display filters.
> >
> 
> You are OK again. I had read the FAQ, and I knew the filters were different.
> But the fact the only filters I saw were the ones automatically appeared when I
> chose "Follow TCP Stream", the ones "(ip.addr eq 192.168.2.1 and .......)",
> made my mind go in the wrong address.

I.e., you were trying to use a display filter as a capture filter?

> I think it could be a good idea to separate the dialogs for capture and
> display. When you go to capture data, it makes no sense to let the user
> choose a display filter.

Well, maybe, maybe not - there has been a suggestion by Nathan Neulinger
that one *should* be allowed to use a filter with the full power of a
display filter when capturing packets, although if somebody does that
they should be aware that such a filter takes more CPU to implement than
does a capture filter.

It would also be useful to support a subset of the display filter syntax
for capture filters, i.e. anything that can be translated into something
that can be handled by the standard capture-filter mechanism should be
handled that way.

(A further possibility might be to handle something that *can't* be so
translated by splitting the filter into two parts, one of which can be
handled by that mechanism, and will eliminate all packets that can be
eliminated by running a capture filter on them and throwing them away if
they don't match the capture filter, and a part that throws away those
that require the full power of a display filter.

For example:

	ip.addr == 128.17.64.207 && mount

would be turned into a capture filter that accepts only packets sent to
or from 128.17.64.207 and a display filter that accepts only packets
that are ONC RPC mount-protocol packets.)
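
The filter-splitting idea described in the message above, as an added example that is not part of the original post and not Ethereal code: a top-level conjunction is divided into terms that have a direct capture-filter equivalent and a residual display filter. The `split_filter` name and the small `TRANSLATABLE` table are assumptions made for this illustration.

```python
import re

# Illustrative subset of display-filter fields that have a direct pcap
# capture-filter equivalent; this table is an assumption of the example.
TRANSLATABLE = {
    "ip.addr": "ip host {}",
    "tcp.port": "tcp port {}",
    "udp.port": "udp port {}",
}
# One simple comparison: field, "==" or "eq", value.
TERM = re.compile(r"^([a-z][\w.]*)\s*(?:==|eq)\s*([\w.]+)$")


def split_filter(display_filter):
    """Return (capture_filter, residual_display_filter).

    Only a top-level conjunction of simple terms is split. A filter that
    contains "or", negation or parentheses stays entirely on the display
    side, so the capture filter never drops a packet that the full
    filter would have accepted.
    """
    text = display_filter.strip()
    if re.search(r"\|\||!|[()]|\b(?:or|not)\b", text):
        return "", text
    capture, residual = [], []
    for term in re.split(r"\s*(?:&&|\band\b)\s*", text):
        m = TERM.match(term)
        if m and m.group(1) in TRANSLATABLE:
            # Handled by the capture-filter mechanism.
            capture.append(TRANSLATABLE[m.group(1)].format(m.group(2)))
        else:
            # Needs full dissection (e.g. "mount"), so it stays a display term.
            residual.append(term)
    return " and ".join(capture), " && ".join(residual)


if __name__ == "__main__":
    # The filter used as the example in the message.
    cap, disp = split_filter("ip.addr == 128.17.64.207 && mount")
    print("capture filter:", cap)
    print("display filter:", disp)
```

An empty capture filter means "capture everything"; an empty residual means the capture filter alone is sufficient.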