Ethereal-users: Re: [Ethereal-users] Filter Multiple hosts

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Thu, 25 Jul 2002 11:40:38 -0700

On Thu, Jul 25, 2002 at 07:25:23PM +0200, M.C. van den Bovenkamp wrote:
> 'host <a> or host <b> or host <c>' ought to work. Using 'and' in this 
> case is wrong (as in 'doesn't do what you want'),

Well, that depends on what he wants.  If he wants to capture only
packets sent from or to 147.52.12.131 to or from 147.51.13.243, that
expression *will* do what he wants.

"host 147.52.12.131 or host 147.51.13.243" will capture traffic sent to
or from 147.52.12.131 or sent to or from 147.51.13.243, so it would
capture traffic from, say, 209.10.72.199 to 147.52.12.131.

> and is probably wrong 
> (as in 'gives a "parse error"') because 'host' matches both source and 
> destination address.

No,

	host 147.52.12.131 and host 147.51.13.243

doesn't get a parse error.

At least one problem is that he used "AND" rather than "and".

> So something like 'host <a> and host <b>' is ambiguous at best.

Nope, not ambiguous.  As you note, "host <a>" means "from or to host
<a>", and "host <b>" means "from or to host <b>", so "host <a> and host
<b>" means "from or to host <a> and from or to host <b>", which, if you
rewrite it as "from or to host <a> and to or from host <b>", isn't
ambiguous.
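
The semantics discussed in this message, as an added example that is not part of the original post and is not libpcap's own parser: a small model of the `host` primitive joined by `and`/`or`, run over constructed packets. The names `compile_filter` and `select` and the fifth packet's address are assumptions made for illustration; only `host` terms are handled.

```python
import ipaddress

# Constructed (source, destination) pairs using the addresses from the message.
PACKETS = [
    ("147.52.12.131", "147.51.13.243"),
    ("147.51.13.243", "147.52.12.131"),
    ("209.10.72.199", "147.52.12.131"),
    ("147.51.13.243", "209.10.72.199"),
    ("209.10.72.199", "192.0.2.7"),
]

def compile_filter(expr):
    """Turn 'host A and|or host B ...' into a predicate over (src, dst)."""
    tokens = expr.split()
    hosts, ops = [], []
    i = 0
    while i < len(tokens):
        if tokens[i] != "host" or i + 1 >= len(tokens):
            raise ValueError(f"parse error near {tokens[i]!r}")
        hosts.append(str(ipaddress.ip_address(tokens[i + 1])))
        i += 2
        if i < len(tokens):
            # Keywords are compared case-sensitively: "AND" is not "and".
            if tokens[i] not in ("and", "or"):
                raise ValueError(f"parse error near {tokens[i]!r}")
            ops.append(tokens[i])
            i += 1
    if not hosts or len(ops) != len(hosts) - 1:
        raise ValueError("parse error: incomplete expression")

    def predicate(packet):
        # "host X" is true when X is the source OR the destination.
        result = hosts[0] in packet
        # "and" and "or" have equal precedence and group left to right.
        for op, host in zip(ops, hosts[1:]):
            hit = host in packet
            result = (result and hit) if op == "and" else (result or hit)
        return result
    return predicate

def select(expr, packets=PACKETS):
    """Return the packets the filter expression would keep."""
    keep = compile_filter(expr)
    return [p for p in packets if keep(p)]

if __name__ == "__main__":
    for expr in ("host 147.52.12.131 and host 147.51.13.243",
                 "host 147.52.12.131 or host 147.51.13.243"):
        print(expr, "->", select(expr))
```

With `and`, only the two packets exchanged between the two named hosts are kept; with `or`, traffic between either host and a third party is kept as well.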