The way I use it is to do the capture for a specific host, e.g.
host machinename
or you can use an IP address. This limits the number of packets but
may still capture a lot. And then on the DISPLAY filter, put the
actual display you want to see.
This works if
1. There are not too many packets flying across the network to that
machine, i.e. only running ethereal for a short while.
2. There is a display filter for H225 and H245, then do something like
h225 or h245
in the display filter line at the bottom.
Hope this helps,
Nick
-----Original Message-----
From: ethereal-users-admin@xxxxxxxxxxxx
[mailto:ethereal-users-admin@xxxxxxxxxxxx]On Behalf Of Guy Harris
Sent: Saturday, 4 August 2001 5:26 AM
To: Vipin Palawat
Cc: ethereal-users@xxxxxxxxxxxx
Subject: Re: [Ethereal-users] Newbie question about capture filters
> Hi All,
>
> I am new to ethereal sniffer.
>
> I can capture the packets using ethereal.
>
> However, I am unable to apply the capture filters.
>
> I even looked at the mailing list archives but it was of no help.
>
> Please help me out with this simple stuff.
>
> I want to capture the packets of only two protocols i.e. h225 and h245.
You can't use a capture filter to do that.
The capture filter mechanism (which is *not* part of Ethereal; it's part
of libpcap and, on many OSes, part of the OS kernel, or, in the case of
Windows, part of a device driver that gets added to the OS kernel)
compiles capture filters into a pseudo-machine-language which is
interpreted by code either in libpcap or in the OS kernel.
That machine language is very simple; it can only test the values of
1-byte, 2-byte, or 4-byte fields at various offsets in the packet. It
can't, for example, do anything that involves a loop.
The capture filter language that compiles into that machine language
supports only checking fields at fixed offsets from
the beginning of the frame;
the beginning of the IP header;
the beginning of the TCP or UDP header.
You will have to try to construct a filter expression that can recognize
H.225 and H.245 packets by checking only those fields; if that's
impossible, then setting up a capture filter for H.225 and H.245 packets
is impossible.
See the tcpdump man page on your system for a description of the syntax
of capture filters, or, if you're using Windows, check out the WinDump
man page on the site from which you downloaded WinPcap (there should be
a link to the WinDump site from the WinPcap site) - note that said site
might be down right now.
> Apart from filtering these specific protocols during capture, I
> also want to filter specific hosts.
Filtering on IP addresses is one thing that the capture filter can do
straightforwardly, with the "hosts" keyword; see the tcpdump/WinDump man
page. Filtering on H.225 or H.245 packets is probably either more
difficult or impossible.
_______________________________________________
Ethereal-users mailing list
Ethereal-users@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-users
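Added illustration (not part of this thread) of the point Guy makes above: a capture filter can only load 1-, 2- or 4-byte fields at fixed offsets from the frame, IP header or TCP/UDP header, so "host X and tcp port 1720" is expressible, while a protocol whose port is negotiated at run time is not. It assumes the well-known TCP port 1720 for H.225 call signalling; the frames and the H.245 port 49152 are constructed sample data with checksums left at zero.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6

def _ip(dotted):
    return bytes(int(o) for o in dotted.split("."))

def build_frame(src_ip, dst_ip, sport, dport, payload=b"", ihl_words=5):
    """Construct a minimal Ethernet/IPv4/TCP frame (sample data; checksums left zero)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ETHERTYPE_IPV4)
    ip_opts = b"\x01" * (4 * (ihl_words - 5))          # NOP options so the IHL can vary
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    total = 4 * ihl_words + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, total, 0, 0, 64,
                     IPPROTO_TCP, 0, _ip(src_ip), _ip(dst_ip)) + ip_opts
    return eth + ip + tcp + payload

def ld(frame, offset, size):
    """Load a 1-, 2- or 4-byte big-endian field at a fixed offset (BPF ldb/ldh/ld)."""
    return int.from_bytes(frame[offset:offset + size], "big")

def host_and_tcp_port(frame, host, port):
    """Emulate 'host HOST and tcp port PORT' using only fixed-offset loads.

    The single non-fixed step is the IHL-derived index (BPF ldx 4*([14]&0xf)),
    which is how libpcap locates the TCP header behind a variable-length IP header.
    """
    if ld(frame, 12, 2) != ETHERTYPE_IPV4:                 # ethertype
        return False
    h = _ip(host)
    if frame[26:30] != h and frame[30:34] != h:            # IP src or dst
        return False
    if ld(frame, 23, 1) != IPPROTO_TCP:                    # IP protocol
        return False
    if ld(frame, 20, 2) & 0x1FFF:                          # non-first fragment: no TCP header
        return False
    x = 4 * (ld(frame, 14, 1) & 0x0F)                      # IP header length
    return ld(frame, 14 + x, 2) == port or ld(frame, 14 + x + 2, 2) == port

if __name__ == "__main__":
    h225 = build_frame("10.0.0.5", "10.0.0.9", 40000, 1720)
    # H.245 on a port learned from the H.225 exchange (hypothetical 49152): the
    # filter cannot discover that port, so a fixed "port 1720" test misses it.
    h245 = build_frame("10.0.0.5", "10.0.0.9", 40001, 49152)
    print(host_and_tcp_port(h225, "10.0.0.5", 1720), host_and_tcp_port(h245, "10.0.0.5", 1720))
```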