Ethereal-users: Re: [Ethereal-users] Capture Filters for Ethereal on Windows

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Wed, 24 Jul 2002 10:51:15 -0700
On Wed, Jul 24, 2002 at 04:58:32PM +0300, vhatz@xxxxxxx wrote:
> I am using Ethereal on Windows to capture H.323 
> traffic. I am having problems with the syntax of 
> filtering commands. For example, if I want to monitor 
> all messages of the H.225 protocol, should I use:
> 
> proto h225
> 
> in the start capture window in the filter box? 

No.

There are, as noted in the other reply, two separate filtering
mechanisms in Ethereal:

	the filter mechanism used when capturing packets, which uses the
	libpcap/WinPcap library;

	the filter mechanism used to select packets from a completed
	capture.

The first filter mechanism, which is what's used in the capture dialog,
is limited in its capabilities.  It cannot, for example, detect
arbitrary protocols; it doesn't look past the TCP or UDP headers, for
example.

So if you want a *capture* filter that selects only H.225 protocols, you
would have to express that as a filter expression that looks at, for
example, TCP and UDP port numbers.  Unfortunately, H.225 protocols don't
use standard port numbers, so you'd have to find out what port numbers
will be used for the traffic you're trying to capture, and specify those
port numbers (no, I don't know how to find out those port numbers).

The other reply to your message says how to specify a filter to select
packets from a completed capture; that may be all you can do.
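Added example (not part of the original mailing-list thread, and not Ethereal or libpcap code): a small Python model of the distinction the reply draws. A capture filter sees only the IP protocol number and the port fields of the TCP or UDP header, so it can be expressed in terms like `tcp port N or udp port N` but cannot name a protocol such as `h225`; a display filter, by contrast, runs dissectors over the payload. The packets, IP addresses and the port numbers 1720/1719 are constructed assumptions for the example, and the TPKT check at the end is a crude stand-in for what a dissector does, not Ethereal's actual H.225 logic.

```python
import struct

# Constructed sample values: the endpoints and port numbers are assumptions for
# this example, not values taken from the mailing-list thread.
SRC_IP, DST_IP = b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02"
PROTO_NUM = {"tcp": 6, "udp": 17}


def build_ipv4_packet(proto, sport, dport, payload):
    """Build a minimal IPv4 + TCP/UDP packet (no link-layer header, zero checksums)."""
    if proto == 6:
        # TCP: 20-byte header, data offset 5, flags PSH|ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    elif proto == 17:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    else:
        raise ValueError("only TCP (6) and UDP (17) are built here")
    total = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0, SRC_IP, DST_IP)
    return ip + l4 + payload


def transport_ports(packet):
    """What a libpcap-style capture filter can see: the IP protocol number and
    the 16-bit source/destination ports at the start of the TCP or UDP header."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    if proto not in PROTO_NUM.values():
        return proto, None, None
    sport, dport = struct.unpack_from("!HH", packet, ihl)
    return proto, sport, dport


def capture_filter_matches(expr, packet):
    """Evaluate a small subset of capture-filter syntax: terms of the form
    'tcp port N', 'udp port N' or 'port N' joined by 'or'. Anything else, such
    as a protocol name like 'proto h225', is rejected, mirroring the fact that
    the capture-filter compiler has no dissectors to consult."""
    proto, sport, dport = transport_ports(packet)
    for term in expr.split(" or "):
        words = term.split()
        if len(words) == 3 and words[0] in PROTO_NUM and words[1] == "port":
            want_proto, port = PROTO_NUM[words[0]], int(words[2])
        elif len(words) == 2 and words[0] == "port":
            want_proto, port = None, int(words[1])
        else:
            raise ValueError(f"not capture-filter syntax: {term!r}")
        if (want_proto is None or proto == want_proto) and port in (sport, dport):
            return True
    return False


def looks_like_tpkt(packet):
    """Crude stand-in for a display-filter dissector check (assumption, not
    Ethereal's code): H.225 call signalling over TCP is carried in TPKT frames
    (RFC 1006), whose header is a version byte of 3, a reserved byte and a
    16-bit total length. This payload inspection is what a capture filter
    never performs."""
    proto, _, _ = transport_ports(packet)
    if proto != 6:
        return False
    ihl = (packet[0] & 0x0F) * 4
    data_offset = (packet[ihl + 12] >> 4) * 4
    payload = packet[ihl + data_offset:]
    return (len(payload) >= 4 and payload[0] == 3
            and struct.unpack_from("!H", payload, 2)[0] == len(payload))


# Constructed packets: a TPKT-framed segment on the assumed call-signalling
# port, a datagram on the assumed RAS port, and an unrelated HTTP request.
SAMPLE_PACKETS = {
    "call_signalling": build_ipv4_packet(6, 40000, 1720, b"\x03\x00\x00\x08\x08\x02\x00\x01"),
    "ras": build_ipv4_packet(17, 40001, 1719, b"\x00\x01\x02\x03"),
    "http": build_ipv4_packet(6, 40002, 80, b"GET / HTTP/1.0\r\n\r\n"),
}

if __name__ == "__main__":
    capture_filter = "tcp port 1720 or udp port 1719"
    for name, pkt in SAMPLE_PACKETS.items():
        print(name, capture_filter_matches(capture_filter, pkt), looks_like_tpkt(pkt))
```

Running the block shows the port-based capture filter selecting the first two packets and rejecting the HTTP one, while `looks_like_tpkt` only identifies the TPKT-framed segment; passing `"proto h225"` to `capture_filter_matches` raises, since a protocol name is not something the capture layer can evaluate.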