On Wed, Jun 20, 2001 at 10:39:50AM +0100, Paul Aitken wrote:
> > What are some of the filter expressions you've tried?
>
> !stp
> !cdp
> !stp && !cdp

Many versions of libpcap don't support "stp" as a filter expression, and
even the latest tcpdump.org version of libpcap doesn't support "cdp".

> tcp and !tcp seem to work OK.
Those are supported by all versions of libpcap.

> Clicking on the "Filter:" button shows the "Ethereal: Capture Filter"
> dialog. I previously thought the filters displayed here were the same as
> those configured using the "Ethereal: Display Filter" dialog (see **
> above) but I've now realised that this is not the case. Presumably then
> there's a difference between what's acceptable as a display filter and
> what's acceptable as a capture filter? Why so?

Because capture filters are intended to be handed, on platforms where
it's supported, to the kernel, so that packets that don't match the
filter aren't even copied from userland to the application.
As such:

1) they're implemented by the libpcap library that Ethereal uses
   to do packet captures (because duplicating all the
   functionality of libpcap in Ethereal would be a nightmare);

2) they're relatively limited in what they can do (because
   they're compiled into programs for a pseudo-machine; the
   pseudo-machine language is simple enough that the OS kernel
   can perform relatively simple checks to make sure the program
   is safe - for example, the machine language has no backward
   branches, so the program can't go into an infinite loop - or
   any type of loop, for that matter).

The only way for there *not* to be a difference between what's
acceptable as a display filter and what's acceptable as a capture filter
would be to limit display filters to what a capture filter can do - and
that's far too restrictive.

At some point we will probably look at making it possible to use a
*limited subset* of display filter syntax for capture filters, by
translating those filters into libpcap-style capture filter strings, and
then handing those to libpcap's compiler.

> BTW, when I click "OK" or "Apply" on the "Ethereal: Display Filter"
> dialog, a small squarish window with a STOP button appears and then
> disappears extremely quickly?

If you don't want it to disappear quickly, only use *really large
capture files*.

I.e., the reason why it disappears quickly is that your capture file
isn't large enough for the filtering process to take a significant
period of time; the window in question is a progress bar window, showing
the progress of the filtering process as it scans through the packets,
and offering a "Stop" button to stop it if you decide you don't want it
to go all the way through a 100,000-packet capture file.
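The point made in the reply above about why capture filters are so limited, that they are compiled for a pseudo-machine whose programs the kernel can check for safety before installing them, is easier to see with a concrete filter. The following is an added example written for this page; it is not Ethereal or libpcap code. It assumes a constructed toy instruction set modelled on classic BPF (not libpcap's real opcode encoding), with branch offsets that are unsigned and forward-only, so a backward branch cannot even be encoded. It shows the attach-time validator a kernel would run, the interpreter that therefore always terminates, and what the capture filter "tcp" looks like in that encoding when run over a constructed Ethernet/IPv4 frame.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy instruction set modelled on classic BPF (not libpcap's real
 * encoding). jt/jf are unsigned offsets added to pc+1, so a backward branch
 * cannot even be encoded. */
enum op { OP_LD_B, OP_LD_H, OP_JEQ, OP_RET };
struct insn { enum op code; uint32_t k; uint8_t jt, jf; };

/* Attach-time check, as a kernel would do once before installing a filter:
 * known opcodes only, every branch target inside the program, and a RET as
 * the last instruction so execution cannot run off the end. 1 = acceptable. */
int bpf_validate(const struct insn *prog, size_t len)
{
    if (len == 0)
        return 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct insn *in = &prog[pc];
        if (in->code == OP_JEQ) {
            if (pc + 1 + in->jt >= len || pc + 1 + in->jf >= len)
                return 0;
        } else if (in->code != OP_LD_B && in->code != OP_LD_H && in->code != OP_RET) {
            return 0;
        }
    }
    return prog[len - 1].code == OP_RET;
}

/* Interpreter: pc only increases, so a validated program executes at most
 * len steps, i.e. there is no loop to get stuck in. Loads beyond the packet
 * drop it instead of reading past the buffer. Nonzero = accept, 0 = drop. */
uint32_t bpf_run(const struct insn *prog, size_t len, const uint8_t *pkt, size_t pktlen)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; ) {
        const struct insn *in = &prog[pc];
        switch (in->code) {
        case OP_LD_B:
            if (in->k >= pktlen) return 0;
            acc = pkt[in->k];
            pc++;
            break;
        case OP_LD_H:
            if (in->k + 1 >= pktlen) return 0;
            acc = ((uint32_t)pkt[in->k] << 8) | pkt[in->k + 1];
            pc++;
            break;
        case OP_JEQ:
            pc += 1 + (acc == in->k ? in->jt : in->jf);
            break;
        case OP_RET:
            return in->k;
        }
    }
    return 0;
}

/* The capture filter "tcp" on Ethernet/IPv4 in this toy encoding: EtherType at
 * offset 12 must be 0x0800 and the IP protocol byte at offset 23 must be 6. */
const struct insn FILTER_TCP[] = {
    { OP_LD_H, 12,     0, 0 },
    { OP_JEQ,  0x0800, 0, 2 }, /* not IPv4: skip to RET 0 */
    { OP_LD_B, 23,     0, 0 },
    { OP_JEQ,  6,      0, 1 }, /* not TCP: skip to RET 0 */
    { OP_RET,  65535,  0, 0 }, /* accept */
    { OP_RET,  0,      0, 0 }, /* drop */
};
const size_t FILTER_TCP_LEN = sizeof FILTER_TCP / sizeof FILTER_TCP[0];

/* Malformed program: both branch targets point past the end of the program. */
const struct insn FILTER_BAD[] = { { OP_JEQ, 0, 5, 5 }, { OP_RET, 0, 0, 0 } };
const size_t FILTER_BAD_LEN = 2;

/* Constructed 34-byte Ethernet + IPv4 header carrying the given protocol. */
static void make_frame(uint8_t *buf, uint8_t proto)
{
    memset(buf, 0, 34);
    buf[12] = 0x08; buf[13] = 0x00; /* EtherType IPv4 */
    buf[14] = 0x45;                 /* version 4, IHL 5 */
    buf[23] = proto;                /* 6 = TCP, 17 = UDP */
}

/* Run FILTER_TCP over a constructed frame; len < 34 simulates a truncated frame. */
uint32_t run_tcp_filter(uint8_t proto, size_t len)
{
    uint8_t f[34];
    make_frame(f, proto);
    return bpf_run(FILTER_TCP, FILTER_TCP_LEN, f, len);
}

int main(void)
{
    printf("validator: tcp=%d bad=%d\n", bpf_validate(FILTER_TCP, FILTER_TCP_LEN),
           bpf_validate(FILTER_BAD, FILTER_BAD_LEN));
    printf("verdicts: tcp=%u udp=%u truncated=%u\n", run_tcp_filter(6, 34),
           run_tcp_filter(17, 34), run_tcp_filter(6, 14));
    return 0;
}
```

The validator only has to walk the program once because every branch is forward and every target is checked against the program length; that is the whole reason a kernel can accept filter programs from an unprivileged capture tool. The truncated-frame case shows the other half of the safety argument: an out-of-range load is a drop, never a read past the packet buffer.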