Ethereal-users: Re: [Ethereal-users] new filter wizard not working

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Thu, 1 Mar 2001 11:51:03 -0800 (PST)
> checking the filter's syntax, i have:
> 
> 	ip.addr == 192.168.100.45
> 
> i am running ethereal 0.8.15 on a RH7 box with all updates applied.
> 
> suggestions?

Use

	host 192.168.100.45

instead.

Current versions of Ethereal keep only one list of saved filters.

However, the syntaxes for capture and display filters are *not* the
same; the capture filter syntax is that of the "libpcap" library that
Ethereal uses for packet capture, and that's the same library tcpdump
uses, so the syntax for capture filters is that of tcpdump.

The syntax for *display* filters is different, as the libpcap syntax
isn't sufficiently powerful to support all the types of filtering we
allow in display filters.

The next release of Ethereal keeps separate lists of capture and display
filters; if you already have a single list of filters, all those filters
will show up in the capture filter list and in the display filter list,
but you can delete capture filters from the display filter list, or
delete display filters from the capture filter list, and save the filter
list in question.

(Note that there *are* cases where the syntaxes overlap; "icmp", for
example, is both a valid capture filter and a valid display filter.)

In some future release, we will probably support an additional capture
filter syntax which will be more like that of display filters, although
there will still be display filters that will not be supported as
capture filters.

(Capture filters are compiled by libpcap into a fake "machine language"
interpreted either by an interpreter in libpcap or, on some OSes, by an
interpreter in the OS kernel; the latter means that packets that don't
pass the filter aren't copied up to the program, which means that a fair
bit of CPU time is saved.

That interpreter's capabilities are limited, both in the interests of
efficiency and in the interests of limiting its capabilities to those
that can be safely put into a program stuffed into the kernel by
arbitrary, albeit perhaps privileged, user-mode programs.)
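The "fake machine language" Guy describes is classic BPF. The added example below (not code from Ethereal, libpcap or this thread) is a tiny interpreter for the handful of BPF instructions that the capture filter `host 192.168.100.45` compiles to on an Ethernet link, run over a few constructed frames. The instruction sequence is the one libpcap generates for that filter, as `tcpdump -d 'host 192.168.100.45'` prints it; the frames, the `run_bpf`/`ipv4_frame`/`arp_frame` helper names and the load-past-end behaviour (the real interpreter rejects the packet) are assumptions of this example.

```python
"""Minimal interpreter for the BPF subset that `host 192.168.100.45` compiles to.

Added example, not Ethereal or libpcap code. Only the instructions that this
one program uses are implemented: ldh/ld (load 16/32 bits from a packet
offset into the accumulator), jeq (conditional jump) and ret (return the
number of bytes to copy up to user space; 0 means "drop").
"""
import struct
from ipaddress import IPv4Address

HOST = int(IPv4Address("192.168.100.45"))  # 0xc0a8642d, the constant libpcap embeds

# Each entry is (opcode, k, jt, jf); jt/jf are absolute instruction indices,
# exactly as `tcpdump -d` shows them.
PROGRAM = [
    ("ldh", 12, 0, 0),        # A = Ethernet type field
    ("jeq", 0x0800, 2, 6),    # IPv4? else check ARP/RARP
    ("ld", 26, 0, 0),         # A = IPv4 source address
    ("jeq", HOST, 12, 4),
    ("ld", 30, 0, 0),         # A = IPv4 destination address
    ("jeq", HOST, 12, 13),
    ("jeq", 0x0806, 8, 7),    # ARP?
    ("jeq", 0x8035, 8, 13),   # RARP?
    ("ld", 28, 0, 0),         # A = ARP sender protocol address
    ("jeq", HOST, 12, 10),
    ("ld", 38, 0, 0),         # A = ARP target protocol address
    ("jeq", HOST, 12, 13),
    ("ret", 262144, 0, 0),    # accept: copy up to 262144 bytes
    ("ret", 0, 0, 0),         # reject: copy nothing
]


def run_bpf(program, packet):
    """Run a BPF program over raw frame bytes; return the byte count to copy (0 = reject).

    A load that reaches past the end of the packet rejects the packet, which is
    what keeps a filter stuffed into the kernel from reading outside the buffer
    (assumed here; the real interpreter validates the program beforehand too).
    """
    acc = 0
    pc = 0
    while True:
        op, k, jt, jf = program[pc]
        if op == "ldh":
            if k + 2 > len(packet):
                return 0
            acc = struct.unpack_from("!H", packet, k)[0]
            pc += 1
        elif op == "ld":
            if k + 4 > len(packet):
                return 0
            acc = struct.unpack_from("!I", packet, k)[0]
            pc += 1
        elif op == "jeq":
            pc = jt if acc == k else jf
        elif op == "ret":
            return k
        else:
            raise ValueError(f"unsupported BPF opcode {op!r}")


def ipv4_frame(src, dst):
    """Constructed Ethernet + minimal IPv4 header (no payload); just enough for the offsets above."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 1, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return eth + ip


def arp_frame(sender_ip, target_ip):
    """Constructed Ethernet + ARP request with zeroed hardware addresses."""
    eth = b"\x00" * 12 + b"\x08\x06"
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1,
                      b"\x00" * 6, IPv4Address(sender_ip).packed,
                      b"\x00" * 6, IPv4Address(target_ip).packed)
    return eth + arp


def passes(frame):
    """True if the kernel-side filter would copy this frame up to Ethereal."""
    return run_bpf(PROGRAM, frame) > 0


if __name__ == "__main__":
    samples = {
        "ip from host": ipv4_frame("192.168.100.45", "10.0.0.1"),
        "ip to host": ipv4_frame("10.0.0.1", "192.168.100.45"),
        "unrelated ip": ipv4_frame("10.0.0.1", "10.0.0.2"),
        "arp from host": arp_frame("192.168.100.45", "192.168.100.1"),
        "truncated frame": b"\x00" * 13,
    }
    for name, frame in samples.items():
        print(f"{name:16} -> {'pass' if passes(frame) else 'drop'}")
```

Two things the run makes concrete. First, the rejected frames return 0 before any byte is copied to the process, which is the CPU saving Guy mentions. Second, the capture filter `host` also matches ARP frames that carry the address, whereas the display filter `ip.addr == 192.168.100.45` is evaluated against Ethereal's dissected fields and only applies to IP packets; the two syntaxes are not just spelled differently, they can select different packets.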