Ethereal-users: Re: [Ethereal-users] Ethereal Sniffer

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Mon, 24 Jun 2002 13:49:51 -0700
On Mon, Jun 24, 2002 at 01:22:34PM -0500, Martin Thurber wrote:
> I was directed to your site by my vendor, Recognition Systems Inc.,
> for the Ethereal program.  I am trying to specify an IP address for the
> sniffer program to listen to.  My question is, where exactly do I
> specify the IP address?

What do you mean by "an IP address for the sniffer program to listen
to"?

Sniffer programs generally listen to network interfaces, not IP
addresses; Ethereal is no exception.

However, you can often specify to a sniffer program that it should only
capture packets that match a certain pattern; again, Ethereal is no
exception - you specify that pattern in the "Filter:" field of the
"Capture Options" dialog box popped up when you select "Start" from the
"Capture" menu.

You can use such a pattern to capture only packets to or from a
particular IP address; that pattern would be given as

	ip host {IP address}

or

	ip host {host name}

For example

	ip host 10.0.0.1

to capture only traffic to or from 10.0.0.1, or

	ip host www.spinach.com

to capture only traffic to or from www.spinach.com.

If you're using a UNIX system, see the tcpdump man page for a
description of the capture filter patterns you can use on your machine
(tcpdump and Ethereal use the same library to capture packets); if
you're using a Windows system, see

	http://windump.polito.it/docs/manual.htm

for a description of the capture filter patterns you can use on your
machine.  Look for the part of the manual page that begins with

	expression

	    selects which packets will be dumped.  If no expression is
	    given, all packets on the net will be dumped.  Otherwise, only
	    packets for which expression is `true' will be dumped.

Note that the capture filter expressions do *NOT* have the same syntax
as display filter expressions; the latter are the expressions you can
use to display only some of the packets in the current capture file.
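As an added illustration (not part of the original message or of Ethereal's code), the following Python script emulates what the capture filter `ip host 10.0.0.1` accepts: it builds a small constructed "capture" of Ethernet frames and keeps only IPv4 packets whose source or destination is that address, so ARP frames and IP traffic between other hosts fall through. Real libpcap compiles the expression to BPF bytecode in the kernel; the `ip_host_matches` predicate here is a hand-written stand-in that follows the same semantics, and the MAC and IP addresses are invented sample values.

```python
import struct
from ipaddress import IPv4Address

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806

def eth_frame(ethertype: int, payload: bytes) -> bytes:
    """Wrap a payload in a minimal Ethernet II header (constructed dummy MACs)."""
    src_mac = bytes.fromhex("001122334455")
    dst_mac = bytes.fromhex("66778899aabb")
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload

def ipv4_packet(src: str, dst: str, proto: int = 17, payload: bytes = b"") -> bytes:
    """Build a 20-byte IPv4 header (checksum left zero; fine for this emulation)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return header + payload

def ip_host_matches(frame: bytes, host: str) -> bool:
    """Emulate the libpcap capture filter 'ip host <host>': true only for IPv4
    frames in which <host> is the source OR the destination address."""
    if len(frame) < 14 + 20:
        return False
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4:
        return False          # ARP, IPv6, etc. never satisfy 'ip host'
    ip = frame[14:]
    if ip[0] >> 4 != 4:
        return False
    src, dst = IPv4Address(ip[12:16]), IPv4Address(ip[16:20])
    return IPv4Address(host) in (src, dst)

def filter_capture(frames: list[bytes], host: str) -> list[int]:
    """Return the indices of frames the filter 'ip host <host>' would capture."""
    return [i for i, f in enumerate(frames) if ip_host_matches(f, host)]

# Constructed sample capture: two frames involve 10.0.0.1, one does not, one is ARP.
SAMPLE_CAPTURE = [
    eth_frame(ETHERTYPE_IPV4, ipv4_packet("10.0.0.1", "192.168.1.5")),    # from host
    eth_frame(ETHERTYPE_IPV4, ipv4_packet("192.168.1.5", "10.0.0.1")),    # to host
    eth_frame(ETHERTYPE_IPV4, ipv4_packet("192.168.1.5", "192.168.1.9")), # unrelated
    eth_frame(ETHERTYPE_ARP, b"\x00" * 28),                               # not IP at all
]

if __name__ == "__main__":
    print("frames matching 'ip host 10.0.0.1':", filter_capture(SAMPLE_CAPTURE, "10.0.0.1"))
```

A hostname form such as `ip host www.spinach.com` is resolved to an address when libpcap compiles the filter, so it reduces to the same address test shown here.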