Wireshark · Ethereal-users: Re: [Ethereal-users] New User - Capture filter question

Ethereal-users: Re: [Ethereal-users] New User - Capture filter question

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>

Date: Tue, 6 Nov 2001 11:52:04 -0800 (PST)

> Q1:  If I wanted to apply a capture filter so that I could capture say 
> three different types of packets, what would the exact syntax be.  For 
> arguments sake, let's say I want to capture TCP, AARP and DNS packets.

It would be

	tcp or aarp or port domain

(the third of those selects DNS packets on port 53, assuming that the OS
you're using will translate "domain" to 53 in its "getservbyname()"
call; that should be true of most if not all modern UNIXes, and appears
to be true on my Windows 2000 machine, at least).

> Q2:  If I wanted to view only traffic to or from a particular IP address 
> and only see packets of the same three types I mentioned above, what would 
> the exact syntax be.

	host 208.66.74.60 and (tcp or aarp or port domain)

References:
- [Ethereal-users] New User - Capture filter question
  - From: jeanne_gaskill

Prev by Date: [Ethereal-users] Information on Internet packet monitoring/analysis
Next by Date: RE: [Ethereal-users] tethereal - turning dissectors off
Previous by thread: [Ethereal-users] New User - Capture filter question
Next by thread: [Ethereal-users] Information on Internet packet monitoring/analysis
Index(es):
- Date
- Thread