On Thu, Jul 04, 2002 at 08:52:54AM +1000, Tino wrote:
> The following ***works*** for sending output to the console (without the -w
> option) or to the file test.txt with the -w option.
> tethereal -n -t ad -i
> \Device\Packet_{9509DFE0-6012-4D5A-BBF7-1B1D5BAC4761} -R "(ip.src eq
> 203.13.133.164 or ip.src eq 203.13.133.165)" -w d:\test.txt
You're aware that "test.txt" will *NOT* be a text file, right? Instead,
it'll be a libpcap file that could be read by tcpdump or Ethereal or
Tethereal or....
> however, the following only works for sending the output to the console, but
> not to the file test.txt with the -w option.
> tethereal -n -t ad -i
> \Device\Packet_{9509DFE0-6012-4D5A-BBF7-1B1D5BAC4761} -R "(ip.src eq
> 203.13.133.164 or ip.src eq 203.13.133.165) and tcp.srcport eq 80 and
> tcp.flags.reset eq 1" -w d:\test.txt
What does "not" mean there? Does it not write any packets, even if an
RST is generated?
Note that 0.9.4 (and earlier versions) had a bug, when capturing to a
file (with "-w") and using a read filter (with "-R"), where the packet
counter would be incremented for any packet that arrived, regardless of
whether the packet actually passed the read filter and got written to
the capture file or not.
So if you saw a non-zero packet count when doing a "-w" capture with a
read filter, that didn't guarantee that if you interrupted Tethereal
there would actually be packets in the capture file.
Furthermore, there was another bug in 0.9.4 (and some earlier versions)
where Tethereal, on Windows, would crash if you tried to interrupt it
with ^C.
Both of those bugs should be fixed in 0.9.5; if the problem is that you
run
tethereal -n -t ad -i
\Device\Packet_{9509DFE0-6012-4D5A-BBF7-1B1D5BAC4761} -R "(ip.src eq
203.13.133.164 or ip.src eq 203.13.133.165) and tcp.srcport eq 80 and
tcp.flags.reset eq 1" -w d:\test.txt
and it showed a non-zero packet count, but you interrupted it and there
weren't any packets in the capture, try installing 0.9.5 and running
that.
Note also that, although the syntax isn't as convenient, capture filters
are more efficient than read filters - especially on platforms,
including Windows, where the filtering is done in the OS kernel. The
equivalent capture filter would be
(host 203.13.133.164 or host 203.13.133.165) and tcp src port 80
and tcp[13] & 0x02 != 0
That should work even with 0.9.4.