Hello,
I'd like to ask about the difference between display and capture filters,
and when to use either of them.
I would also like to know how to supply display filters to Ethereal.
My OS is Solaris 2.6
Best regards
Hany Nader Nawar, MSc
-----Original Message-----
From: Guy Harris [mailto:guy@xxxxxxxxxx]
Sent: Wednesday, June 06, 2001 10:06 PM
To: Nawar, Hany Nader Soliman (Hany)
Cc: 'ethereal-users@xxxxxxxxxxxx'
Subject: Re: [Ethereal-users] Filters
> Thanks for the interfaces tip, it worked. Now I'm trying to define some
> filters, but every time the program gives me an error: Unable to parse
> filter string (parse error).
>
> I tried simple filters like:
> ip.dst == www.yahoo.com
>
> ip.addr eq 1.2.20.30
>
> and I get the same error.
>
> What's the problem?
That depends on where you're trying those filters.

If, as I suspect is the case, you're trying those filters in the
"Capture Preferences" dialog box, popped up when you select "Start" from
the "Capture" menu, the problem is that capture filters are *NOT*
implemented by Ethereal, they're implemented by the libpcap library that
Ethereal uses to do captures, and the syntax that library supports is
*not* the same syntax as the syntax for display filters.

(The capture filter syntax can't support everything that the display
filter mechanism can, so we needed a different syntax; we may, at some
point, write code to translate display-filter-like filters into libpcap
capture filters, but there's already a large number of projects in
progress for Ethereal, so there's no guarantee that particular project
would make it to the head of the queue soon - it's a non-trivial
project).

See

    http://www.ethereal.com/faq.html#q3.1

which has a link to an on-line version of the tcpdump man page, in which
the syntax of libpcap capture filters is defined.

In the case of the two filters you listed, the capture-filter equivalent
of

    ip.dst == www.yahoo.com

is

    dst host www.yahoo.com

and the equivalent of

    ip.addr eq 1.2.20.30

is

    host 1.2.20.30
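
The two equivalences above, generalised into a small translator as an added example; it is not part of the original messages and is not Ethereal or libpcap code. The function names and the tcp/udp/ip.src table rows are assumptions of this example; anything outside the table is rejected instead of guessed at.

```python
import re

# Display-filter field -> libpcap primitive. The ip.dst and ip.addr rows are
# the equivalences given in the message; the rest follow the same pattern and
# are assumptions of this example.
FIELDS = {
    "ip.addr": "host", "ip.src": "src host", "ip.dst": "dst host",
    "tcp.port": "tcp port", "tcp.srcport": "tcp src port",
    "tcp.dstport": "tcp dst port", "udp.port": "udp port",
    "udp.srcport": "udp src port", "udp.dstport": "udp dst port",
}
JOINERS = {"and": "and", "&&": "and", "or": "or", "||": "or"}
TOKEN = re.compile(r"\s*(&&|\|\||==|!=|[^\s=!&|]+)")
HOST = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]*\Z")


class Untranslatable(ValueError):
    """The display filter is outside the subset this example handles."""


def tokenize(text):
    text, pos, tokens = text.strip(), 0, []
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if m is None:
            raise Untranslatable(f"unexpected input at {text[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def display_to_capture(display_filter):
    tokens = tokenize(display_filter)
    # Valid shape: field op value, then (joiner field op value) repeated.
    if len(tokens) % 4 != 3:
        raise Untranslatable("expected 'field == value' joined by and/or")
    out = []
    for i in range(0, len(tokens), 4):
        field, op, value = tokens[i:i + 3]
        if field not in FIELDS:
            raise Untranslatable(f"no capture-filter mapping for {field!r}")
        if op not in ("==", "eq"):
            # "ip.addr != x" is not simply "not host x", so refuse it.
            raise Untranslatable(f"operator {op!r} is not translated")
        is_port = FIELDS[field].endswith("port")
        ok = (value.isdecimal() and int(value) < 65536) if is_port else HOST.match(value)
        if not ok:
            raise Untranslatable(f"bad value {value!r} for {field}")
        out.append(f"{FIELDS[field]} {value}")
        if i + 3 < len(tokens):
            if tokens[i + 3] not in JOINERS:
                raise Untranslatable(f"expected and/or, got {tokens[i + 3]!r}")
            out.append(JOINERS[tokens[i + 3]])
    return " ".join(out)
```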