Ethereal-users: Re: [Ethereal-users] Question to Ethereal

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: Guy Harris <guy@xxxxxxxxxx>
Date: Tue, 12 Feb 2002 13:20:03 -0800 (PST)
> I want to capture in a network a IP-address of a printer. We have TCP/IP
> running. This is a Windows NT4.0 network.
> I have connecting a LAPTOP with Win98 via a Ethernet Hub into the same
> network as the printer is.
> I want to capture all trafic and data what goes to that IP-address of the
> printer.

I assume that you mean that you want to capture traffic going to that IP
address *AND* traffic coming *from* that IP address - i.e., you not only
want to capture traffic *to* the printer, you also want to capture any
traffic coming *from* the printer.

> The printer has the IP-address 172.16.70.14
> 
> What must I do ?
> 
> Am I right, when I go to "EDIT"....."Capture Filters"

No.  That's not the right thing to do if you just want to do a capture.

The *ONLY* reason to select "Capture Filters" from the "Edit" menu is if
you want to edit your list of saved capture filters.

If you don't *have* any saved capture filters, you don't need to do
that.

If all you want to do is to specify a capture filter when capturing, you
*DON'T* have to give the filter a name, and you *DON'T* have to put it
in the list of capture filters.  You just have to put the filter
expression into the "Filter:" field in the "Capture Options" dialog box
that's created when you select "Start" from the "Capture" menu.

>.....then I give him a
> ..."Filter name".... And a ......."Capture string"....
> Now my problem, what is the syntax or what command must I give in as
> "Capture string"

It's "Filter string", not "Capture string", and *IF* you wanted to add a
filter to your list of *saved* filters, you'd put into it the same
type of expression that you'd put into the "Filter:" field of the
"Capture Options" dialog box.

But you'd do that only if you wanted to save that filter with a name, so
you could retrieve it by name later when you did a capture.  You don't
*have* to use a filter that you've saved by name when capturing; you can
just type in a filter at the time you start the capture.

The capture filter expressions Ethereal supports are those supported by
the libpcap/WinPcap library that Ethereal uses for capturing; those are
the same expressions that tcpdump/WinDump supports, as tcpdump/WinDump
also uses libpcap/WinPcap for capturing.

For the current (2.2) version of WinPcap, the filter expressions are
described in the documentation for the current version of WinDump:

	http://netgroup-serv.polito.it/windump/docs/manual.htm

Search in that document for the phrase "selects which packets will be
dumped"; that'll take you to the section that describes capture filter
expressions.

In particular, if you want to capture traffic to and from your printer,
the expression would be

	host 172.16.70.14