On Mon, Jun 24, 2002 at 01:22:34PM -0500, Martin Thurber wrote:
> I was directed to your site by my vendor, Recognition Systems Inc.,
> for the Ethereal program. I am trying to specify an IP address for the
> sniffer program to listen to. My question is, where exactly do I
> specify the IP address?

What do you mean by "an IP address for the sniffer program to listen
to"?

Sniffer programs generally listen to network interfaces, not IP
addresses; Ethereal is no exception.

However, you can often specify to a sniffer program that it should only
capture packets that match a certain pattern; again, Ethereal is no
exception - you specify that pattern in the "Filter:" field of the
"Capture Options" dialog box popped up when you select "Start" from the
"Capture" menu.

You can use such a pattern to capture only packets to or from a
particular IP address; that pattern would be given as

	ip host {IP address}

or

	ip host {host name}

For example

	ip host 10.0.0.1

to capture only traffic to or from 10.0.0.1, or

	ip host www.spinach.com

to capture only traffic to or from www.spinach.com.

If you're using a UNIX system, see the tcpdump man page for a
description of the capture filter patterns you can use on your machine
(tcpdump and Ethereal use the same library to capture packets); if
you're using a Windows system, see

	http://windump.polito.it/docs/manual.htm

for a description of the capture filter patterns you can use on your
machine.  Look for the part of the manual page that begins with

	expression
		selects which packets will be dumped.  If no expression is
		given, all packets on the net will be dumped.  Otherwise, only
		packets for which expression is `true' will be dumped.

Note that the capture filter expressions do *NOT* have the same syntax
as display filter expressions; the latter are the expressions you can
use to display only some of the packets in the current capture file.
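
What the "ip host 10.0.0.1" capture filter from the message above selects, as an added example that is not part of the original message or of Ethereal's code: a frame is kept only if it is IPv4 and its source or destination address equals the given host. The function names and the sample frames are assumptions constructed for illustration, and the matcher takes a dotted-quad address only.

```python
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


def matches_ip_host(frame: bytes, address: str) -> bool:
    """True if an Ethernet frame would pass the capture filter 'ip host <address>'."""
    if len(frame) < 14 + 20:              # Ethernet header + minimal IPv4 header
        return False
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4:       # the "ip" qualifier: IPv4 frames only
        return False
    ip_header = frame[14:34]
    if ip_header[0] >> 4 != 4:            # IP version field must be 4
        return False
    src, dst = ip_header[12:16], ip_header[16:20]
    # "host" with no src/dst qualifier matches either direction.
    return socket.inet_aton(address) in (src, dst)


def build_frame(src: str, dst: str, ethertype: int = ETHERTYPE_IPV4) -> bytes:
    """Constructed test frame: Ethernet header plus a bare 20-byte IPv4-style header."""
    eth = bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
    eth += struct.pack("!H", ethertype)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip


def capture(frames, address):
    """Indices of the frames a capture with 'ip host <address>' would keep."""
    return [i for i, f in enumerate(frames) if matches_ip_host(f, address)]


# Constructed sample traffic (not from a real capture).
SAMPLE_FRAMES = [
    build_frame("10.0.0.1", "10.0.0.7"),                 # from the host
    build_frame("10.0.0.7", "10.0.0.1"),                 # to the host
    build_frame("10.0.0.7", "10.0.0.9"),                 # unrelated IPv4 traffic
    build_frame("10.0.0.1", "10.0.0.7", ETHERTYPE_ARP),  # same bytes, non-IPv4 type
]

if __name__ == "__main__":
    print(capture(SAMPLE_FRAMES, "10.0.0.1"))
```

The last sample frame carries the same address bytes but a non-IPv4 ethertype, so it is dropped: the filter is applied per frame at capture time, and whatever it rejects never reaches the capture file.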