Ethereal-users: [Ethereal-users] Filters (some clarification)

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "McNutt, Justin M." <McNuttJ@xxxxxxxxxxxx>
Date: Thu, 22 Mar 2001 16:09:29 -0600
Questions are posted about filters in ethereal fairly often, so I thought
I'd post this little summary about them to help folks out.  This isn't a
FAQ.  A real FAQ would be a lot longer than this, and would have questions
in it.  This is just a summary.


The most important thing one can learn about filters in ethereal (or any
packet capture program), is that there are TWO KINDS OF FILTERS.

The first kind of filter is a CAPTURE FILTER.  Capture filters tell the
capture program which packets to save and which packets to ignore.  In
ethereal, you use capture filters in the "Filter:" field after you select
Capture->Start from the menus.  In tethereal, you use capture filters with
the -f option, or at the end of your arguments.

In ethereal and tethereal, capture filters use the same syntax as tcpdump
capture filters.  For a detailed explanation of those, see the tcpdump man
page.  For convenience, a few examples are shown here:

Example 1:   tcp port 80

This will capture any TCP packet with a source OR destination port 80.
Obviously, only IP packets will be captured.  UDP packets will be ignored,
since we specified TCP.  IPX, AppleTalk, NetBEUI, and other protocols will
be ignored.

Example 2:  src net 172.15.0.0/16

This will capture any IP packet coming FROM network 172.15.*.*.  ANY IP
packet will be accepted.  Non-IP packets will be ignored.  Packets going TO
172.15.*.* will be ignored UNLESS they also come FROM 172.15.*.*.

Example 3:  src net 172.15.0.0 mask 255.255.0.0

This is the same as Example 2.

Example 4:  host 172.15.2.2 and tcp port 80

This will capture all traffic going to OR coming from 172.15.2.2, but only
if the source OR destination TCP port is 80.  So if someone on 172.15.2.2 is
running a Web client, that traffic will be captured.  If there is a Web
server on 172.15.2.2, that traffic will also be captured, since we didn't
specify source or destination in our filter.



Okay, enough on that.  The second kind of filter is a DISPLAY FILTER.  Once
you've captured a bunch of packets, you might need to only look at a few of
them at a time.  Display filters are used to make ethereal only show you
certain packets from your capture.  The others are still in memory, but are
not displayed until you remove or change your display filter.

Display filters are much more powerful than capture filters.  The ethereal
man page has extensive documentation on them.  Suffice it to say for this
document that display filters use a DIFFERENT SYNTAX from capture filters.
In ethereal, display filters are entered at the bottom of the main ethereal
window.  In tethereal, display filters are specified with the -R option.

Some examples of display filters:

Example 1:  ipx

This will show us only the IPX packets in our current capture.  All other
packets are masked.

Example 2:  tcp.srcport eq 25

This will show us any packet with a TCP source port equal to 25.  In other
words, stuff (probably) from SMTP servers.

Example 3:  ip.addr eq 172.15.2.2

This will show us any packet TO OR FROM 172.15.2.2.

Example 4:  ipx.src.net == 0x1234abcd

This will show us any packet FROM IPX network 0x1234abcd.

Example 5:  ip.addr eq 172.15.2.2 and ip.addr eq 172.15.3.3

This will show us all traffic between 172.15.2.2 and 172.15.3.3.  Traffic in
either direction will be shown, but only traffic running between these two
hosts.


Feel free to take the contents of this document and run with them.  I
consider this message public domain.  I hope it helps somebody learn to use
ethereal and/or network analyzers in general.

Later...

Justin McNutt
Mizzou Telecom - A Unit of IATS
(573) 882-5183

"I'll get right on that."
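The post's central point (a capture filter decides what is ever saved, a display filter only hides what is already in memory) and its ip.addr examples can be modelled in a few dozen lines. The following is an added example, not code from the post or from Ethereal/tethereal: a toy model in Python that evaluates tcpdump-style capture predicates and a small subset of display-filter syntax over constructed sample packets. Field names follow what Ethereal and Wireshark actually register (tcp.srcport rather than tcp.src.port), the packet layout and helper names are this example's own assumptions, and the `!=` behaviour modelled is the classic Ethereal one (newer Wireshark releases changed it; check the manual for your version).

```python
# Added example (not from the post or from Ethereal): a toy model of the
# two filter kinds.  Capture filters run once, at capture time, and decide
# what is saved; display filters run over decoded fields of packets that
# are already in memory.  All packets below are constructed sample data.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                         # "tcp", "udp" or "ipx" (assumed layout)
    src: Optional[str] = None          # IP addresses (None for non-IP)
    dst: Optional[str] = None
    sport: Optional[int] = None        # transport ports
    dport: Optional[int] = None
    ipx_src_net: Optional[int] = None  # IPX source network (IPX only)


# Constructed traffic using the hosts from the post (172.15.2.2, 172.15.3.3).
PACKETS = [
    Packet("tcp", "172.15.2.2", "10.0.0.9", 40001, 80),     # web client on 172.15.2.2
    Packet("tcp", "10.0.0.9", "172.15.2.2", 80, 40001),     # the web server's reply
    Packet("tcp", "172.15.3.3", "172.15.2.2", 25, 51000),   # SMTP server on 172.15.3.3
    Packet("udp", "172.15.2.2", "172.15.3.3", 53, 53),      # UDP between the two hosts
    Packet("tcp", "192.168.1.1", "172.15.9.9", 443, 1234),  # TO 172.15/16, not FROM it
    Packet("ipx", ipx_src_net=0x1234ABCD),                  # non-IP
]


# ---- capture filters: tcpdump primitives as predicates ------------------
def tcp_port(port):
    """'tcp port N': TCP with source OR destination port N."""
    return lambda p: p.proto == "tcp" and port in (p.sport, p.dport)


def src_net(cidr):
    """'src net X/Y' (same as 'src net X mask M'): IP whose SOURCE is in X/Y."""
    net = ip_network(cidr)
    return lambda p: p.src is not None and ip_address(p.src) in net


def host(addr):
    """'host A': IP with A as source OR destination."""
    return lambda p: addr in (p.src, p.dst)


def both(f, g):
    """'F and G'."""
    return lambda p: f(p) and g(p)


def capture(packets, cap_filter):
    """Packets rejected here are never written; no later filter can recover them."""
    return [p for p in packets if cap_filter(p)]


# ---- display filters: evaluated over decoded fields ---------------------
def fields(p):
    """Map display-filter field names to the list of values a packet holds.
    ip.addr carries BOTH addresses; that is why 'ip.addr eq A' matches
    traffic in either direction."""
    f = {}
    if p.proto in ("tcp", "udp"):
        f.update({"ip": [True], "ip.addr": [p.src, p.dst],
                  "ip.src": [p.src], "ip.dst": [p.dst]})
    if p.proto == "tcp":
        f.update({"tcp": [True], "tcp.srcport": [p.sport], "tcp.dstport": [p.dport]})
    if p.proto == "ipx":
        f.update({"ipx": [True], "ipx.src.net": [p.ipx_src_net]})
    return f


def _term(f, tok):
    """One comparison: 'name', 'not <term>', 'name eq v', 'name != v'."""
    if tok.startswith("not "):
        return not _term(f, tok[4:])
    parts = tok.split()
    if len(parts) == 1:                       # bare protocol/field presence test
        return parts[0] in f
    name, op, raw = parts
    try:
        val = int(raw, 0)                     # 25, 0x1234abcd, ...
    except ValueError:
        val = raw                             # dotted-quad strings
    vals = f.get(name, [])
    if op in ("eq", "=="):
        return any(v == val for v in vals)
    if op in ("ne", "!="):
        # Classic Ethereal semantics: true if ANY occurrence differs, so
        # 'ip.addr != A' does NOT exclude traffic to/from A; use 'not ip.addr eq A'.
        return any(v != val for v in vals)
    raise ValueError("unsupported operator: " + op)


def display(packets, expr):
    """'or' binds loosest, 'and' tighter; packets that fail are only hidden."""
    def matches(p):
        f = fields(p)
        return any(all(_term(f, t.strip()) for t in conj.split(" and "))
                   for conj in expr.split(" or "))
    return [p for p in packets if matches(p)]


if __name__ == "__main__":
    saved = capture(PACKETS, tcp_port(80))
    print(len(saved), "packets saved by capture filter 'tcp port 80'")
    print(len(display(saved, "tcp.srcport eq 25")),
          "SMTP packets available to a display filter afterwards (never captured)")
    print(len(display(PACKETS, "ip.addr != 172.15.2.2")), "matched by the '!=' pitfall")
```

Run it as a script and the first two lines print 2 and 0: the SMTP packet fails `tcp port 80` at capture time, so no display filter can bring it back, which is the practical reason to capture broadly and narrow down with display filters when disk and privacy constraints allow. The third line shows the ip.addr subtlety the post's Example 5 relies on from the other side: because ip.addr holds both addresses, `ip.addr eq A and ip.addr eq B` correctly isolates a conversation, but `ip.addr != A` still matches almost every IP packet.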