Ethereal-users: Re: [Ethereal-users] [Q] Filters not working ?!?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Thu, 25 Jan 2001 14:26:31 -0800 (PST)
> 	Have tried to use a filter in the format:
> 	host a and (b or c)
> and ethereal "seems" to have accepted the syntax (unlike when I 
> tried other formats, like the ones in the man for tcpdump:
> 	host a and \(b or c\)
> which means "escaping" the "("-s,    )

You have to escape the "("s in tcpdump because you're typing the capture
filter on the command line, and the shell interprets "(" specially.

When typing a capture filter into the "Capture Preferences" dialog box,
you're not typing it to the shell, you're typing it to Ethereal itself,
and it doesn't care.

If you specify a capture filter on the command line to Ethereal (with
the "-f" flag) or Tethereal (with or without the "-f" flag), you'd have
to escape the "("s - or escape the entire filter:

	tcpdump "host a and (b or c)"

	ethereal -k -f "host a and (b or c)"

	tethereal "host a and (b or c)"

	tethereal -f "host a and (b or c)"

> so something tells me that the first version was - somehow - 
> correct. Here is my problem, though: for whatever reason the sniffer 
> captures ONLY traffic between a AND c, never between a AND b.
> 	So:
> 1. Why would that be?

Good question.  It worked for me, in both tcpdump and Ethereal, so the
problem may be that, somehow, your machine is incapable of seeing
traffic between a and b.

Perhaps the path between hosts a and b, and the path between hosts a and
c, are on different networks, so that you'd have to sniff on different
interfaces to see both types of traffic (Ethereal only sniffs on one
interface at a time, unless you're

	running Linux with a 2.2 or later kernel;

	running Ethereal 0.8.15;

	and have linked it with libpcap 0.6.1 or later (which is *not* the
	libpcap that comes with most Linux distributions, so you'd have
	to build and install libpcap 0.6.1, and then rebuild Ethereal
	from source - and you'd probably have to *uninstall* all the
	libpcap packages you already have, first, so that you don't have
	two different versions of libpcap and run the risk that Ethereal
	will get linked with the wrong one)

and capture on the "any" device).

Perhaps you're on a switched network, and traffic between a and b
doesn't go to the same switched port that traffic between a and c does,
and the machine on which you're sniffing is only on the port that sees a
<-> c traffic.

> 2. Is there any way I can get a AND b, as well as a AND c,

Yes, *IF* that traffic goes over the same network and would appear on
the same interface on the machine running the sniffer program (or you
can use the "any" device, as per the above) and, if you're on a switched
network, *IF* that traffic would show up on the switch port into which
the interface on which you're sniffing is plugged.

> even if 
> they happen simultaneously (which I don't see why not) - and - if 
> yes - what is the correct syntax?

	host a and (b or c)
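As an added illustration of the quoting point made above (this script is not part of the original message and not Ethereal's or tcpdump's code), the following POSIX shell script shows what the shell actually hands to a command for each of the three forms of the filter. `count_args` and `first_arg` are stand-ins for the sniffer binary, and "a", "b", "c" are placeholder hostnames exactly as in the thread.

```shell
#!/bin/sh
# Added example, not from the original message: shows how the shell
# splits a capture filter into arguments before the sniffer sees it.
# "a", "b" and "c" are placeholder hostnames, as in the thread.

# count_args stands in for the sniffer and reports how many separate
# words the shell handed it.
count_args() {
    printf '%s\n' "$#"
}

# first_arg stands in for "ethereal -f <expr>", which takes the filter
# as a single argument: it echoes that one argument back.
first_arg() {
    printf '%s\n' "$1"
}

# Unquoted and unescaped, "(" is shell syntax (it opens a subshell), so
# the line is a syntax error before any command runs. eval is used only
# so the failing line can be evaluated inside a subshell and the script
# can continue; the function prints 0 if the line parsed, 1 if it did not.
unquoted_filter_status() {
    if ( eval 'count_args host a and (b or c)' ) >/dev/null 2>&1; then
        echo 0
    else
        echo 1
    fi
}

# Escaping each parenthesis (the tcpdump man-page form) makes "(" and ")"
# ordinary characters, but whitespace still splits the expression into
# separate words: the sniffer receives six arguments.
escaped_args() {
    count_args host a and \(b or c\)
}

# Quoting the whole expression (the form shown for "ethereal -f" and
# tethereal) hands the sniffer exactly one argument.
quoted_args() {
    count_args "host a and (b or c)"
}

# The single quoted argument arrives with the parentheses intact.
quoted_text() {
    first_arg "host a and (b or c)"
}

# Run the three cases when executed directly.
printf 'unquoted parses: %s (0 = yes, 1 = syntax error)\n' "$(unquoted_filter_status)"
printf 'escaped form, argument count: %s\n' "$(escaped_args)"
printf 'quoted form, argument count:  %s\n' "$(quoted_args)"
printf 'quoted form, first argument:  %s\n' "$(quoted_text)"
```

Run it with `sh`. tcpdump and Tethereal join all of their non-option arguments with spaces into one filter expression, which is why the six-word escaped form and the one-word quoted form produce the same filter; Ethereal's `-f` takes a single argument, so there the whole expression has to arrive as one word, and quoting is the straightforward way to get that.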